Detecting IoT Devices in the Internet

Guo, Hang and Heidemann, John

citation

Hang Guo and John Heidemann. 2020. Detecting IoT Devices in the Internet. ACM/IEEE Transactions on Networking. 28, 5 (Oct. 2020).

abstract

Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about 3.5×) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

reference

@article{Guo20c,
  author = {Guo, Hang and Heidemann, John},
  title = {Detecting {IoT} Devices in the {Internet}},
  journal = {ACM/IEEE Transactions on Networking},
  institution = {USC/Information Sciences Institute},
  year = {2020},
  sortdate = {2020-07-29},
  project = {ant, lacanic},
  jsubject = {topology_modeling},
  volume = {28},
  number = {5},
  doi = {https://dx.doi.org/10.1109/TNET.2020.3009425},
  month = oct,
  jlocation = {johnh: pafile},
  keywords = {iot, detection, traffic analysis},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo20c.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo20c.pdf},
  blogurl = {https://ant.isi.edu/blog/?p=1503}
}