IoTSTEED: bot-side defense to IoT-based DDoS attacks from edge router


We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, detecting IoT devices at home, learning the benign servers they talk to, and filtering their traffic to other servers as a potential DDoS attack.


iotsteed -i/I PATH/IP -m PATH -k KEY -o FILE_PREF -r MACs [-e MACs] [-w IPs] [-p PREFIX ] [-s THRE] [-b THRE]


-i/--input-pcap PATH
Input pcap file that iotsteed will read packet from and operate on (offline mode)
-I/--Input-interface IP
Interface IP that iotsteed will read packet from and operate on (online mode)

Note that only one of -i and -I should be used at one time.

-m/--mapping PATH
The csv file storing mapping between known IoT manufacuter (mftr) and IoT manufacuter collaborator (mrlv). (special mrlv: - means a mftr has no mrlv; null means a mftr has special non-existent mrlv)
-k/--key KEY
API key for OUI lookup at
-o/--output-prefix FILE_PREF
Prefix for output files for (1) device detected (2) server learnt (3) ddos packets dropped
-r/--router MACs
A list of comma-seperated MACs for LAN routers. We do not apply detection and learning to LAN routers.
-e/--exception MACs
A list of comma-seperated MACs for devices whose packets we ignore.
-w/--whitelisted_IPs IPs
A list of comma-seperated whitelisted server IP and prefixes: IP like, /24 prefix like 1.2.3, /16 prefix 1.2 and /8 prefix like 1. Default is ‘,’
-p/--prefix PREFIX
/24 prefix for the deployed access network (in format 1.2.3). Default is 192.168.1.
-s/--server-count-threshold THRE
Max number of distinct servers an IoT device should talk to. Default is 70
-b/--bootstrapping-threshold THRE
Duration of server bootstrapping (unit: hours). Default is 2,120. (2 hours for name-accessed servers and 120 hours for IP_accessed servers).


  1. Compile for linux computer

    Compile IoTSTEED with dynamically-linked library (see dependency for libraries)


    Compile IoTSTEED with statically-linked PcapPlusPlus and Faup library

     Make static

    Clean up compliation artifacts

     Make clean
  2. Cross-compile for OpenWRT router

    Cross-compilaion is router-dependent. Please follow instructions on


  • PcapPlusPlus: C++ wrapper for Libpcap (
  • Faup: Fast URL decoder library (
  • Libpcap
  • Libcurl
  • Libpthread


  • Hang Guo, John Heidemann. IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). USC/ISI Technical Report ISI-TR-738. June 2020