IoTSTEED
We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, detecting IoT devices at home, learning the benign servers they talk to, and filtering their traffic to other servers as a potential DDoS attack.
SYNOPSIS
iotsteed -i/I PATH/IP -m PATH -k KEY -o FILE_PREF -r MACs
[-e MACs] [-w IPs] [-p PREFIX] [-s THRE] [-b THRE]
OPTIONS
-i/--input-pcap
PATH
- Input pcap file that iotsteed reads packets from and operates on (offline mode)
-I/--Input-interface
IP
- IP address of the interface that iotsteed reads packets from and operates on (online mode)
Note that only one of -i and -I should be used at a time.
-m/--mapping
PATH
- The csv file storing the mapping between known IoT manufacturers (mftr) and IoT manufacturer collaborators (mrlv).
(special mrlv values: - means a mftr has no mrlv; null means a mftr has a special non-existent mrlv)
-k/--key
KEY
- API key for OUI lookup at macaddress.io
-o/--output-prefix
FILE_PREF
- Prefix for the output files for (1) devices detected, (2) servers learnt and (3) DDoS packets dropped
-r/--router
MACs
- A list of comma-separated MACs of LAN routers. We do not apply detection and learning to LAN routers.
-e/--exception
MACs
- A list of comma-separated MACs of devices whose packets we ignore.
-w/--whitelisted_IPs
IPs
- A list of comma-separated whitelisted server IPs and prefixes:
an IP like 1.2.3.4, a /24 prefix like 1.2.3, a /16 prefix like 1.2 and a /8 prefix like 1.
Default is '8.8.8.8,8.8.4.4'
-p/--prefix
PREFIX
- /24 prefix for the deployed access network (in format 1.2.3). Default is 192.168.1.
-s/--server-count-threshold
THRE
- Max number of distinct servers an IoT device should talk to. Default is 70.
-b/--bootstrapping-threshold
THRE
- Duration of server bootstrapping (unit: hours). Default is 2,120
(2 hours for name-accessed servers and 120 hours for IP-accessed servers).
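As an added example (not IoTSTEED's own code), the following Python models the per-device policy the options above describe: the -w whitelist syntax (exact IP, /24, /16 and /8 prefixes), the -b bootstrapping window chosen by whether a server was reached by name or by IP, and the -s distinct-server count. The README does not say how the real tool combines -s with learning, so the example's handling of it (a device that exceeds the count stops being treated as an IoT device) is an assumption, as is the 'name'/'ip' access label the caller must supply.

```python
from dataclasses import dataclass, field

DEFAULT_WHITELIST = "8.8.8.8,8.8.4.4"          # -w default from the README
BOOTSTRAP_HOURS = {"name": 2.0, "ip": 120.0}   # -b default "2,120"
SERVER_COUNT_THRESHOLD = 70                    # -s default


def parse_whitelist(spec):
    """Parse the -w syntax: '1.2.3.4' exact, '1.2.3' = /24, '1.2' = /16, '1' = /8."""
    entries = []
    for item in spec.split(","):
        octets = item.strip().split(".")
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"bad whitelist entry: {item!r}")
        entries.append(tuple(int(o) for o in octets))
    return entries


def is_whitelisted(ip, entries):
    """True if ip equals an entry or lies inside an entry's /8, /16 or /24 prefix."""
    octets = tuple(int(o) for o in ip.split("."))
    return any(octets[:len(entry)] == entry for entry in entries)


@dataclass
class DeviceState:
    """Learning state for one LAN device (the caller skips MACs given with -r or -e)."""
    learned: set = field(default_factory=set)  # benign servers seen while bootstrapping
    is_iot: bool = True  # assumption: cleared once the device exceeds the -s server count


def decide(state, server_ip, access, hours_since_start, whitelist,
           bootstrap=BOOTSTRAP_HOURS, max_servers=SERVER_COUNT_THRESHOLD):
    """Return 'allow' or 'drop' for one outbound flow, updating the device state.

    access is 'name' for a server reached via a resolved DNS name or 'ip' for one
    reached by bare IP; it selects the bootstrapping window given with -b.
    """
    if not state.is_iot or is_whitelisted(server_ip, whitelist) or server_ip in state.learned:
        return "allow"
    if hours_since_start < bootstrap[access]:
        state.learned.add(server_ip)           # still bootstrapping: learn the server
        if len(state.learned) > max_servers:   # too many servers to look like an IoT device
            state.is_iot = False               # (assumption about how -s is applied)
        return "allow"
    return "drop"  # bootstrapping over and server unknown: treated as potential DDoS traffic
```

Servers learned during a device's bootstrapping window stay allowed afterwards; an unknown server contacted after the window for its access type closes is dropped.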
Compilation
- Compile for a Linux computer:
  - Compile IoTSTEED with dynamically-linked libraries (see Dependency for the libraries)
  - Compile IoTSTEED with statically-linked PcapPlusPlus and Faup libraries
  - Clean up compilation artifacts
- Cross-compile for an OpenWRT router:
  Cross-compilation is router-dependent. Please follow the instructions at https://openwrt.org/docs/guide-developer/crosscompile
Dependency
- PcapPlusPlus: C++ wrapper for Libpcap (https://pcapplusplus.github.io/)
- Faup: Fast URL decoder library (https://github.com/stricaud/faup)
- Libpcap
- Libcurl
- Libpthread
Reference
- Hang Guo, John Heidemann. IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). USC/ISI Technical Report ISI-TR-738. June 2020