We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, detecting IoT devices at home, learning the benign servers they talk to, and filtering their traffic to other servers as a potential DDoS attack.
Usage:
iotsteed -i/I PATH/IP -m PATH -k KEY -o FILE_PREF -r MACs
[-e MACs] [-w IPs] [-p PREFIX] [-s THRE] [-b THRE]

Options (in the order they appear in the usage line):
- -i PATH: Input pcap file that iotsteed reads packets from and operates on (offline mode).
- -I IP: Interface IP that iotsteed reads packets from and operates on (online mode).
Note that only one of -i and -I should be used at a time.
- -m PATH: The csv file storing the mapping between known IoT manufacturers (mftr) and IoT manufacturer collaborators (mrlv).
(Special mrlv values: "-" means a mftr has no mrlv; "null" means a mftr has a special non-existent mrlv.)
- -k KEY: API key for OUI lookup at macaddress.io.
- -o FILE_PREF: Prefix for the output files for (1) devices detected, (2) servers learnt, (3) DDoS packets dropped.
- -r MACs: A list of comma-separated MACs of LAN routers. Detection and learning are not applied to LAN routers.
- -e MACs: A list of comma-separated MACs of devices whose packets are ignored.
- -w IPs: A list of comma-separated whitelisted server IPs and prefixes:
an IP like 18.104.22.168, a /24 prefix like 1.2.3, a /16 prefix like 1.2 and a /8 prefix like 1.
Default is '22.214.171.124,126.96.36.199'.
- -p PREFIX: /24 prefix of the deployed access network (in the format 1.2.3). Default is 192.168.1.
- -s THRE: Max number of distinct servers an IoT device should talk to. Default is 70.
- -b THRE: Duration of server bootstrapping (unit: hours). Default is 2,120
(2 hours for name-accessed servers and 120 hours for IP-accessed servers).
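The following is an added example, not part of the IoTSTEED code base: a simplified Python model of the filtering policy the options above describe (whitelist in the -w format, per-device learning during bootstrap, the -s cap, and the -b windows). It assumes a packet is described by the device MAC, the server IP, whether the server was name-accessed, and a timestamp in hours; that the bootstrap window is measured from when the device was first seen; and that learning stops once the -s cap is reached. These are assumptions about the README's wording, not the project's actual implementation.

```python
"""Simplified model of the IoTSTEED filtering policy (added example, not project code)."""
from dataclasses import dataclass, field
import ipaddress

DEFAULT_WHITELIST = "22.214.171.124,126.96.36.199"  # README default for -w


def parse_whitelist(spec: str) -> list:
    """Expand the -w format: a full IP, or 1/2/3-octet prefixes meaning /8, /16, /24."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        octets = item.split(".")
        if len(octets) == 4:
            nets.append(ipaddress.ip_network(item + "/32"))
        elif 1 <= len(octets) <= 3:
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            nets.append(ipaddress.ip_network(f"{padded}/{8 * len(octets)}"))
        else:
            raise ValueError(f"bad whitelist entry: {item!r}")
    return nets


def whitelisted(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


@dataclass
class DeviceState:
    first_seen: float                      # hours; assumption: bootstrap counts from here
    servers: set = field(default_factory=set)


class Filter:
    def __init__(self, whitelist=DEFAULT_WHITELIST, max_servers=70, boot_name=2.0, boot_ip=120.0):
        self.nets = parse_whitelist(whitelist)
        self.max_servers = max_servers      # -s default 70
        self.boot = {True: boot_name, False: boot_ip}  # -b default 2,120 (name / IP accessed)
        self.devices: dict = {}

    def decide(self, mac: str, server_ip: str, name_accessed: bool, t_hours: float) -> str:
        """Return 'allow' or 'drop' for one outbound packet from an IoT device."""
        st = self.devices.setdefault(mac, DeviceState(first_seen=t_hours))
        if whitelisted(server_ip, self.nets) or server_ip in st.servers:
            return "allow"
        in_bootstrap = t_hours - st.first_seen < self.boot[name_accessed]
        if in_bootstrap and len(st.servers) < self.max_servers:
            st.servers.add(server_ip)       # learn a benign server during bootstrap
            return "allow"
        return "drop"                       # unknown server after bootstrap: potential DDoS
```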
Compile for a Linux computer:
- Compile IoTSTEED with dynamically-linked libraries (see the dependencies below).
- Compile IoTSTEED with statically-linked PcapPlusPlus and Faup libraries.
- Clean up compilation artifacts.
Cross-compile for an OpenWRT router:
Cross-compilation is router-dependent. Please follow the instructions at https://openwrt.org/docs/guide-developer/crosscompile
- PcapPlusPlus: C++ wrapper for Libpcap (https://pcapplusplus.github.io/)
- Faup: Fast URL decoder library (https://github.com/stricaud/faup)
- Hang Guo, John Heidemann. IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). USC/ISI Technical Report ISI-TR-738. June 2020