IoTSTEED: bot-side defense to IoT-based DDoS attacks from edge router

IoTSTEED

We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, detecting IoT devices at home, learning the benign servers they talk to, and filtering their traffic to other servers as a potential DDoS attack.

• iotsteed-v1.0.tar.gz (2020-05-19); current release

SYNOPSIS

iotsteed -i/I PATH/IP -m PATH -k KEY -o FILE_PREF -r MACs [-e MACs] [-w IPs] [-p PREFIX ] [-s THRE] [-b THRE]

OPTIONS

-i/--input-pcap PATH

Input pcap file that iotsteed will read packet from and operate on (offline mode)

-I/--Input-interface IP

Interface IP that iotsteed will read packet from and operate on (online mode)

Note that only one of -i and -I should be used at one time.

-m/--mapping PATH

The csv file storing mapping between known IoT manufacuter (mftr) and IoT manufacuter collaborator (mrlv). (special mrlv: - means a mftr has no mrlv; null means a mftr has special non-existent mrlv)

-k/--key KEY

API key for OUI lookup at macaddress.io

-o/--output-prefix FILE_PREF

Prefix for output files for (1) device detected (2) server learnt (3) ddos packets dropped

-r/--router MACs

A list of comma-seperated MACs for LAN routers. We do not apply detection and learning to LAN routers.

-e/--exception MACs

A list of comma-seperated MACs for devices whose packets we ignore.

-w/--whitelisted_IPs IPs

A list of comma-seperated whitelisted server IP and prefixes: IP like 1.2.3.4, /24 prefix like 1.2.3, /16 prefix 1.2 and /8 prefix like 1. Default is ‘8.8.8.8,8.8.4.4’

-p/--prefix PREFIX

/24 prefix for the deployed access network (in format 1.2.3). Default is 192.168.1.

-s/--server-count-threshold THRE

Max number of distinct servers an IoT device should talk to. Default is 70

-b/--bootstrapping-threshold THRE

Duration of server bootstrapping (unit: hours). Default is 2,120. (2 hours for name-accessed servers and 120 hours for IP_accessed servers).

Compilation

1. Compile for linux computer

   Compile IoTSTEED with dynamically-linked library (see dependency for libraries)

    Make
   

   Compile IoTSTEED with statically-linked PcapPlusPlus and Faup library

    Make static
   

   Clean up compliation artifacts

    Make clean
   

2. Cross-compile for OpenWRT router

   Cross-compilaion is router-dependent. Please follow instructions on https://openwrt.org/docs/guide-developer/crosscompile

Dependency

• PcapPlusPlus: C++ wrapper for Libpcap (https://pcapplusplus.github.io/)
• Faup: Fast URL decoder library (https://github.com/stricaud/faup)
• Libpcap
• Libcurl
• Libpthread

Reference

• Hang Guo, John Heidemann. IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). USC/ISI Technical Report ISI-TR-738. June 2020