Maarten Weyns
Bio: Maarten is a graduating MSc student in the Cybersecurity group at the Delft University of Technology. His work focuses on following botnets and investigating their communication and attack characteristics. Before this, Maarten obtained his BSc in Computer Science and Engineering at the TU Delft. After his graduation in January, he will continue the research on botnets in a PhD position in the TU Delft Cybersecurity research group. In addition, he has chaired a committee of the study association that organizes both local and international algorithmic programming competitions (related to the ICPC).
Dario Ferrero 🗣 | Maarten Weyns 🗣 | Harm Griffioen
Abstract
The past decade has seen the proliferation of botnets that propagate by scanning the Internet for vulnerable devices. This diffusion has been fueled by the poor adoption of security practices in IoT devices, such as weak default passwords and sporadic software updates, as well as the popularization of tools for fast scanning of the entire IPv4 address space. The capabilities of this threat have been showcased multiple times, in particular through Distributed Denial of Service (DDoS) attacks aimed at major institutions like news outlets and DNS providers. With the public release of the Mirai source code in 2016, the popularity of botnets reached a new peak, leading to the appearance of a vast number of more or less successful malware variants based on the original. In an Internet landscape still largely populated by vulnerable devices, it is therefore critical for security practitioners to keep up with the latest developments in botnets, together with the Tactics, Techniques and Procedures they might introduce.
With this presentation, we outline a months-long study of the Gorilla Botnet that combines the deployment of IoT honeypots, monitoring of live samples from a sandboxed environment, and analysis of Internet scans collected in a large darknet. We show the targets of the attacks and the potential attack sizes, and investigate the behavior of targets under attack. The victimization by this botnet shows how a DDoS-as-a-Service is used and what the common targets for such networks are. The sheer number of DDoS attacks performed by this network is staggering, and we aim to investigate whether these attacks are successful.
During the presentation, we will outline the datasets that we are using to track the Gorilla Botnet operations and will share key insights learnt from the DDoS attacks performed by clients of the botnet. The presentation focuses on tracking the botnet, its attacks, and estimating the impact of the attacks.