
The Carna Botnet Through the Lens of a Network Telescope

  • Conference paper
Foundations and Practice of Security (FPS 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8352)


Abstract

Earlier this year (2013), a massive dataset advertised as containing the result of a year-long exhaustive scan of the entire IPv4 address space was anonymously released into the wild under the rather provocative “Internet Census 2012” designation. While the subject matter of that dataset was in itself controversial, it was made even more so by the fact that its covert instigator also claimed to have temporarily assembled a botnet of 420 thousand nodes (the “Carna” botnet) from presumably unsecured embedded devices in order to perform the scan. In this paper, we relate our attempt to confirm the validity of that intriguing story based on the forensic analysis of the network traffic captured by our network telescope for the corresponding period of time (i.e. April 2012 to December 2012), share some of the observations that we made in doing so, and further discuss the potential repercussions of the creation and disclosure of such a dataset.


Notes

  1. To be entirely correct, we also briefly peeked into the data concerning a series of arbitrarily selected unrelated subnets in order to roughly confirm the “universality” of some of the observations that we made based on our restricted dataset.


Acknowledgments

The authors would like to thank Jumpei Shimamura for his valuable comments and suggestions, and for the curating of some of the data used in this paper. Given the slightly controversial nature of this work, we should also stress that it was the subject of careful evaluation within our institution before publication.

Author information


Correspondence to Erwan Le Malécot.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Le Malécot, E., Inoue, D. (2014). The Carna Botnet Through the Lens of a Network Telescope. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_26


  • DOI: https://doi.org/10.1007/978-3-319-05302-8_26


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05301-1

  • Online ISBN: 978-3-319-05302-8

  • eBook Packages: Computer Science, Computer Science (R0)
