Abstract
Earlier this year (2013), a massive dataset advertised as containing the result of a year-long exhaustive scan of the entire IPv4 address space was anonymously released into the wild under the rather provocative “Internet Census 2012” designation. While the subject matter of that dataset was in itself controversial, it was made even more so by the fact that its covert instigator also claimed to have temporarily assembled a botnet of 420 thousand nodes from presumably unsecured embedded devices in order to perform the scan (the “Carna” botnet). In this paper, we relate our attempt to confirm the validity of that intriguing story based on the forensic analysis of the network traffic captured by our network telescope for the corresponding period of time (i.e., April 2012 to December 2012), share some of the observations that we made in doing so, and further discuss the potential repercussions of the creation and disclosure of such a dataset.
Notes
1. To be entirely correct, we also briefly peeked into the data concerning a series of arbitrarily selected unrelated subnets in order to roughly confirm the “universality” of some of the observations that we made based on our restricted dataset.
Acknowledgments
The authors would like to thank Jumpei Shimamura for his valuable comments and suggestions, and for the curating of some of the data used in this paper. Given the slightly controversial nature of this work, we should also stress that it was the subject of careful evaluation within our institution before publication.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Le Malécot, E., Inoue, D. (2014). The Carna Botnet Through the Lens of a Network Telescope. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_26
DOI: https://doi.org/10.1007/978-3-319-05302-8_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05301-1
Online ISBN: 978-3-319-05302-8
eBook Packages: Computer Science (R0)