A methodological approach for assessing amplified reflection distributed denial of service on the internet of things

Sensors (Switzerland)

Volumn 16, Issue 11, 2016, Pages

  Gondim, João José Costa ^a   de Oliveira Albuquerque, Robson ^a   Nascimento, Anderson Clayton Alves ^a,b   Villalba, Luis Javier García ^c   Kim, Tai Hoon ^d  

^a UNIVERSITY OF BRASILIA   (Brazil)

^b UNIVERSITY OF WASHINGTON   (United States)

^c UNIVERSIDAD COMPLUTENSE DE MADRID   (Spain)

^d Sungshin Women's University   (South Korea)

Author keywords

Amplified reflection; Distributed denial of service; Pentest; Risk management; Vulnerability assessment

Indexed keywords

ACCESS CONTROL; COMPUTER CRIME; DATA PRIVACY; INTERNET OF THINGS; NETWORK SECURITY; RISK ASSESSMENT; RISK MANAGEMENT; WEB SERVICES;

CONTROLLED ENVIRONMENT; DISTRIBUTED DENIAL OF SERVICE; DISTRIBUTED DENIAL OF SERVICE ATTACK; INTERNET OF THINGS (IOT); METHODOLOGICAL APPROACH; PENTEST; STANDARDIZED PROCEDURE; VULNERABILITY ASSESSMENTS;

DENIAL-OF-SERVICE ATTACK;

EID: 84995489061     PISSN: 14248220     EISSN: None     Source Type: Journal    
DOI: 10.3390/s16111855     Document Type: Article

References (56)

1. Allen, N. Cybersecurity Weaknesses Threaten to Make Smart Cities More Costly and Dangerous Than Their Analog Predecessors. Available online: http://eprints.lse.ac.uk/65816/ (accessed on 10 May 2016).
2. Wueest, C. The Continued Rise of DDoS Attacks. 2014. Available online: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf (accessed on 10 May 2016).
3. Jackson, W. How Hackers Can Turn the Internet of Things into a Weapon; GCN: Public Sector Media Group: Vienna, VA, USA; 2013. Available online: https://gcn.com/blogs/cybereye/2013/05/how-hackers-turninternet- of-things-into-weapon.aspx (accessed on 10 May 2016).
4. Cox, R. 5 Notorious DDoS Attacks in 2013: Big Problem for the Internet of Things; SiliconANGLE Media Inc.: Palo Alto, CA, USA; 2013. Available online: http://siliconangle.com/blog/2013/08/26/5-notorious-ddosattacks- in-2013-big-problem-for-the-internet-of-things/ (accessed on 10 May 2016).
5. Sharon, S. 2015 DDoS Attacks on the Rise, Attackers Shift Tactics; TechTarget Network: Newton, MA, USA; 2015. Available online: http://searchsecurity.techtarget.com/news/4500246858/2015-DDoS-attacks-on-therise- attackers-shift-tactics (accessed on 10 May 2016).
6. Toms, L. Closed for Business–The Impact of Denial of Service Attacks in the IoT; GlobalSign GMO Internet Group: Portsmouth, NH, USA; 2016. Available online: https://www.globalsign.com/en/blog/denial-of-service-inthe- iot/ (accessed on 10 May 2016).
7. Spafford, E.H. The InternetWorm Program: An Analysis. SIGCOMM Comput. Commun. Rev. 1989, 19, 17–57.
8. Stoll, C. The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage; Doubleday: New York, NY, USA, 1989.
9. Kumar, S.A.; Vealey, T.; Srivastava, H. Security in Internet of Things: Challenges, Solutions and Future Directions. In Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 5–8 January 2016; pp. 5772–5781.
10. Yu, T.; Sekar, V.; Seshan, S.; Agarwal, Y.; Xu, C. Handling a Trillion (Unfixable) Flaws on a Billion Devices: Rethinking Network Security for the Internet-of-Things. In Proceedings of the 14th ACM Workshop on Hot Topics in Networks, Philadelphia, PA, USA, 16–17 November 2015; ACM: New York, NY, USA, 2015; pp. 5:1–5:7.
11. Elkhodr, M.; Shahrestani, S.; Cheung, H. The Internet of Things: New Interoperability, Management and Security Challenges. Int. J. Netw. Secur. Its Appl. 2016, 8, 85–102.
12. Cvitic, I.; Vujic, M.; Husnjak, S. Classification of Security Risks in the IoT Environment. In Proceedings of the 26th DAAAM International Symposium on Intelligent Manufacturing and Automation, Zadar, Croatia, 21–24 October 2015.
13. Xylogiannopoulos, K.; Karampelas, P.; Alhajj, R. Real Time Early Warning DDoS Attack Detection. In Proceedings of the 11th International Conference on Cyber Warfare and Security, Boston, MA, USA, 17–18 March 2016; Academic Conferences and Publishing International Limited: Montreal, QC, Canada, 2016; p. 344.
14. Pa, Y.M.P.; Suzuki, S.; Yoshioka, K.; Matsumoto, T.; Kasama, T.; Rossow, C. IoTPOT: A Novel Honeypot for Revealing Current IoT Threats. J. Inf. Process. 2016, 24, 522–533.
15. Arış, A.; Oktuğ, S.F.; Yalçın, S.B.Ö. Internet-of-Things security: Denial of service attacks. In Proceedings of the 2015 23nd Signal Processing and Communications Applications Conference (SIU), Malatya, Turkey, 16–19 May 2015; pp. 903–906.
16. Pras, A.; Santanna, J.J.; Steinberger, J.; Sperotto, A. DDoS 3.0–How terrorists bring down the Internet. In Measurement, Modelling and Evaluation of Dependable Computer and Communication Systems; Springer: Heidelberg, Germany, 2016; pp. 1–4.
17. Sonar, K.; Upadhyay, H. An Approach to Secure Internet of Things Against DDoS. In Proceedings of the International Conference on ICT for Sustainable Development: ICT4SD, Ahmedabad, India, 3–4 July 2015; Springer: Heidelberg, Germany, 2016; Volume 2, pp. 367–376.
18. Zhang, C.; Green, R. Communication Security in Internet of Thing: Preventive Measure and Avoid DDoS Attack over IoT Network. In Proceedings of the 18th Symposium on Communications & Networking, Alexandria, VA, USA, 12–15 April 2015; Society for Computer Simulation International: San Diego, CA, USA, 2015; pp. 8–15.
19. Furfaro, A.; Malena, G.; Molina, L.; Parise, A. A Simulation Model for the Analysis of DDoS Amplification Attacks. In Proceedings of the 17th USKSIM-AMSS International Conference on Modelling and Simulation, Cambridge, UK, 25–27 March 2015; pp. 267–272.
20. Hu, F. Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations; CRC Press: Boca Raton, FL, USA, 2016.
21. Sgouras, K.I.; Birda, A.D.; Labridis, D.P. Cyber attack impact on critical Smart Grid infrastructures. In Proceedings of the 2014 IEEE PES Innovative Smart Grid Technologies Conference (ISGT), Washington, DC, USA, 19–22 February 2014; pp. 1–5.
22. Solis, P.; Pacheco, L.; Gondim, J.; Alchieri, E. Evaluation of Distributed Denial of Service Threat in the Internet of Things. In Proceedings of the 2016 IEEE 15th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 31 October–2 November 2016; IEEE: New York, NY, USA, 2016.
23. Nagpal, B.; Sharma, P.; Chauhan, N.; Panesar, A. DDoS tools: Classification, analysis and comparison. In Proceedings of the 2015 2nd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 11–13 March 2015, pp. 342–346.
24. Arukonda, S.; Sinha, S. The innocent perpetrators: Reflectors and reflection attacks. Adv. Comput. Sci. 2015, 4, 94–98.
25. Bright, P. Spamhaus DDoS Grows to Internet-Threatening Size. 2013. Available online: http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internetthreatening-size/ (accessed on 12 May 2016).
26. Prince, M. The DDoS That Knocked Spamhaus Offline (and HowWe Mitigated It). 2013. Available online: https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/ (accessed on 12 May 2016).
27. US-CERT. Alert (TA14-017A UDP-Based Amplification Attacks). 2014. Available online: https://www.uscert.gov/ncas/alerts/TA14-017A (accessed on 12 May 2016).
28. Goodin, D. Record-Breaking DDoS Reportedly Delivered by >145 k Hacked Cameras. 2016. Available online: http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliverinternets- biggest-ddos-ever/ (accessed on 9 October 2016).
29. Herzog, P. Open Source Security Testing Methodology Manual (OSSTMM). Available online: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance:March_2015.pdf (accessed on 9 August 2016).
30. Penetration Testing Execution Standard: Penetration Testing Execution Standard. Available online: http://www.pentest-standard.org (accessed on 9 August 2016).
31. SANS Institute. Conducting a Penetration Test on an Organization. Available online: http://resources.infosecinstitute.com/penetration-testing-methodology-web-applications/ (accessed on 9 August 2016).
32. OWASP Testing Guide. Available online: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents (accessed on 9 August 2016).
33. Conducting a Penetration Test on an Organization. Available online: http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67 (accessed on 9 August 2016).
34. PCI Data Security Standard (PCI DSS), Information Supplement: Penetration Testing Guidance, Version: 1.0. Available online: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance: March_2015.pdf (accessed on 9 August 2016).
35. Alisherov, F.; Sattarova, F. Methodology for Penetration Testing. Int. J. Grid Distrib. Comput. 2009, 2, 43–50.
36. Scarfone, K.A.; Souppaya, M.P.; Cody, A.; Orebaugh, A.D. SP 800-115. Technical Guide to Information Security Testing and Assessment; Technical Report; NIST: National Institute of Standards and Technology, US Department of Commerce: Gaithersburg, MD, USA, 2008.
37. Shewhart, W.A. Statistical Method from the Viewpoint of Quality Control; Courier Corporation: North Chelmsford, MA, USA, 1939.
38. Deming, W.E. Out of the Crisis; MIT Center for Advanced Engineering Study; MIT Press: Cambridge, MA, USA, 1986.
39. Boyd, J.R. Patterns of Conflict; Unpublished briefing, 1986. Available online: http://www.dnipogo.org/ boyd/pdf/poc.pdf (accessed on 20 October 2015).
40. Boyd, J.R. A Discourse on Winning and Losing; Unpublished briefing, 1996. Available online: http://dnipogo.org/john-r-boyd/ (accessed on 20 October 2015).
41. McDowell, M. Understanding Denial-of-Service Attacks; Technical Report; US Department of Homeland Security: Washington, DC, USA, 2009.
42. Damon, E.; Dale, J.; Laron, E.; Mache, J.; Land, N.; Weiss, R. Hands-on Denial of Service Lab Exercises Using SlowLoris and RUDY. In Proceedings of the 2012 Information Security Curriculum Development Conference; Kennesaw, GA, USA, 12–13 October 2012; ACM: New York, NY, USA, 2012; pp. 21–29.
43. Kenney, M. Ping of Death. 1996. Available online: http://insecure.org/sploits/ping-o-death.html (accessed on 21 October 2014).
44. Paxson, V. An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks. ACM SIGCOMM Computer Commun. Rev. 2001, 31, 38–47.
45. Ali, F. IP Spoofing. The Internet Journal, vol. 10, no. 4, Dec 2007. Cisco Press: San Jose, CA USA. Available online: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html (accessed on 20 October 2015).
46. Rossow, C. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, CA, USA, 23–26 February 2014.
47. Allweyer, T. BPMN 2.0: Introduction to the Standard for Business Process Modeling; ISBN-10: 383709331X, ISBN-13: 978-3837093315 BoD–Books on Demand; Stoughton, WI, USA, 2010.
48. Transactional Process–Construction: Bizagi Process Modeler. Available online: http://www.bizagi.com (accessed on 20 October 2014).
49. Shelby, Z.; Hartke, K.; Bormann, C. The Constrained Application Protocol (CoAP); RFC 7959; Internet Engineering Task Force (IETF): Fremont, CA, USA, 2014.
50. UPnP Forum. UPnP Device Architecture Version 1.0, Revised on 24 April 2008. (Open Conectivity Foundation: Beaverton, OR, USA.) Available online: http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf (accessed on 20 October 2015).
51. Case, J.; Fedor, M.; Schoffstall, M.; Davin, J. Simple Network Management Protocol (SNMP); RFC 1157 (Historic); Internet Engineering Task Force (IETF): Fremont, CA, USA, 1990.
52. Prolexic. Threat Advisory: SNMP Reflection DDoS Attacks. 2015. Available online: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/snmp-reflector-attacks-threat-advisory.pdf (accessed on 15 May 2015).
53. Blumenthal, U.; Wijnen, B. User-based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMPv3); RFC 3414; Internet Engineering Task Force (IETF): Fremont, CA, USA, 2002.
54. Case, J.; McCloghrie, K.; Rose, M.; Waldbusser, S. Introduction to Community-Based SNMPv2; RFC 1901; Internet Engineering Task Force (IETF): Fremont, CA, USA, 1996.
55. Open SNMP Scanning Project. 2016. Available online: https://snmpscan.shadowserver.org (accessed on 10 January 2016).
56. Wireshark Foundation. 2015. Available online: https://www.wireshark.org (accessed on 15 October 2015).