IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended)

Guo, Hang and Heidemann, John


Hang Guo and John Heidemann 2020. IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). Technical Report ISI-TR-738. USC/Information Sciences Institute. [PDF]


We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, \emphdetecting IoT devices at home, \emphlearning the benign servers they talk to, and \emphfiltering their traffic to other servers as a potential DDoS attack. We validate IoTSTEED’s accuracy and false positives (FPs) at detecting devices, learning servers and filtering traffic with replay of 10 days of benign traffic captured from an IoT access network. We show IoTSTEED correctly detects all 14 IoT and 6 non-IoT devices in this network (100% accuracy) and maintains low false-positive rates when learning the servers IoT devices talk to (flagging 2% benign servers as suspicious) and filtering IoT traffic (dropping only 0.45% benign packets). We validate IoTSTEED’s true positives (TPs) and false negatives (FNs) in filtering attack traffic with replay of real-world DDoS traffic. Our experiments show IoTSTEED mitigates all typical attacks, regardless of the attacks’ traffic types, attacking devices and victims; an intelligent adversary can design to avoid detection in a few cases, but at the cost of a weaker attack. Lastly, we deploy IoTSTEED in NAT router of an IoT access network for 10 days, showing reasonable resource usage and verifying our testbed experiments for accuracy and learning in practice.


  author = {Guo, Hang and Heidemann, John},
  title = {IoTSTEED: Bot-side Defense to {IoT}-based {DDoS} Attacks (Extended)},
  institution = {USC/Information Sciences Institute},
  year = {2020},
  sortdate = {2020-06-24},
  project = {ant, lacanic},
  jsubject = {topology_modeling},
  number = {ISI-TR-738},
  month = jun,
  location = {johnh: pafile},
  keywords = {ddos, iot, defense},
  url = {},
  otherurl = {},
  pdfurl = {},
  blogurl = {}