Detecting IoT Devices in the Internet (Extended)

Guo, Hang and Heidemann, John

Hang Guo and John Heidemann. 2018. Detecting IoT Devices in the Internet (Extended). Technical Report ISI-TR-726. USC/Information Sciences Institute.


Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. Understanding the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. Our IP-based algorithms see at least 35 IoT devices on a college campus, and 122 IoT devices in customers of a regional IXP. We apply our DNS-based algorithm to traffic from 5 root DNS servers from 2013 to 2018, finding huge growth (about 7×) in ISP-level deployment of 26 device types. DNS also shows similar growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.


  author = {Guo, Hang and Heidemann, John},
  title = {Detecting IoT Devices in the Internet (Extended)},
  institution = {USC/Information Sciences Institute},
  year = {2018},
  sortdate = {2018-07-16},
  project = {ant, lacanic},
  jsubject = {topology_modeling},
  number = {ISI-TR-726},
  month = jul,
  location = {johnh: pafile},
  keywords = {iot, detection, traffic analysis},
  url = {},
  pdfurl = {},
  blogurl = {}