Can ISPs help mitigate IoT malware? A longitudinal study of broadband ISP security efforts

Arman Noroozian*, Elsa Turcios Rodriguez, Elmer Lastdrager, Takahiro Kasama, Michel Van Eeten, Carlos H. Gañán

*Corresponding author for this work

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

1 Citation (Scopus)
9 Downloads (Pure)

Abstract

For the mitigation of compromised Internet of Things (IoT) devices we rely on Internet Service Providers (ISPs) and their users. Given that devices are in the hands of their subscribers, what can ISPs realistically do? This study examines the effects of ISP countermeasures on infections caused by variants of the notorious Mirai family of IoT malware, still among the dominant families. We collect and analyze more than 4 years of longitudinal darknet data tracking Mirai-like infections in conjunction with threat intelligence data on various other IoT and non-IoT botnets across the globe from January 2016 to May 2020. We measure the effect of two ISP countermeasures on Mirai variant infection numbers: (i) reducing the attack surface (i.e., closing ports that are used by the malware for propagation) and (ii) ISPs increasing their general network hygiene and malware removal efforts (as observed by proxy of the remediation of infections of other families of IoT and non-IoT malware and reductions in the number of DDoS amplifiers in their networks). We map our infection data to 342 broadband providers that have the bulk of the broadband market share in their respective 83 countries. We find that the number of infections correlates strongly with the number of ISP subscribers (R2=0.55$). Yet, infection numbers can still vary by three orders of magnitude even for ISPs with comparable subscriber numbers. We observe that many ISPs, together with their subscribers, have reduced their attack surface for IoT compromise by blocking traffic to commonly-exploited infection vectors such as Telnet and FTP. We statistically estimate the impact of these reductions on infection levels and, counter-intuitively, find no significant impact. In contrast, we do find a significant impact for improving general network hygiene and best malware mitigation practices. ISPs that were more successful in reducing DDoS amplifiers and non-Mirai malware infections in their networks also end up with significantly lower Mirai infection rates. In other words, rather than investing in IoT-specific countermeasures like reducing the attack surface, our findings suggest that ISPs might be better off investing in general security efforts to improve network hygiene and clean up abuse.
Original languageEnglish
Title of host publicationProceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Pages337-352
Number of pages16
ISBN (Electronic)9781665414913
DOIs
Publication statusPublished - 2021
Event6th IEEE European Symposium on Security and Privacy, Euro S and P 2021 - Virtual, Online, Austria
Duration: 6 Sep 202110 Sep 2021

Conference

Conference6th IEEE European Symposium on Security and Privacy, Euro S and P 2021
Country/TerritoryAustria
CityVirtual, Online
Period6/09/2110/09/21

Bibliographical note

Accepted author manuscript

Keywords

  • Countermeasure
  • Internet of Things
  • IoT
  • ISP
  • Malware
  • Mirai
  • Remediation

Fingerprint

Dive into the research topics of 'Can ISPs help mitigate IoT malware? A longitudinal study of broadband ISP security efforts'. Together they form a unique fingerprint.

Cite this