The constant activity observed in Internet Background Radiation - IBR reveals a range of cybernetic traffic of interest for cyber security researchers. The use of network telescopes, honeypots and, more recently, cloud telescopes enable the capture of billions of network packets that can be analysed to discover attack patterns and detect emerging threats. This work reports a second experiment using a Cloud Telescope where 260 sensors were simultaneously deployed in twenty-six different Amazon Web Services regions to capture unsolicited traffic. This collection ran for 45 consecutive days starting in August 2023. We used a combination of default-passive behaviour along with active application-layer responders on TCP ports 23 and 80. This enabled detailed cyber threat intelligence on botnet activity, revealing attack patterns belonging to Mirai, Mozi and Sora botnets. We analyse traffic composition by protocol (TCP, UDP, ICMP), top ports, and radiation sources. The overall traffic volume per cloud region along side the most frequent payload download attempts; binary infection commands; HTTP request methods and user-agents. In total \(\approx \) 10 billion packets were collected. Our findings indicate a prevalence of botnet activity exploiting highly critical vulnerabilities on IoT devices disclosed in recent years. The cloud architecture is available as a Terraform artefact, while the dataset is available on IEEE Dataport. Our conclusion is that the Cloud Telescope provides an effective approach to capturing global samples of Internet Background Radiation.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Quantitative Analysis of Botnet Activity Within Internet Background Radiation as Observed by a Cloud Telescope

  • Fabricio Bortoluzzi,
  • Barry Irwin,
  • Lucas Silvero Beiler,
  • Carla Merkle Westphall

摘要

The constant activity observed in Internet Background Radiation - IBR reveals a range of cybernetic traffic of interest for cyber security researchers. The use of network telescopes, honeypots and, more recently, cloud telescopes enable the capture of billions of network packets that can be analysed to discover attack patterns and detect emerging threats. This work reports a second experiment using a Cloud Telescope where 260 sensors were simultaneously deployed in twenty-six different Amazon Web Services regions to capture unsolicited traffic. This collection ran for 45 consecutive days starting in August 2023. We used a combination of default-passive behaviour along with active application-layer responders on TCP ports 23 and 80. This enabled detailed cyber threat intelligence on botnet activity, revealing attack patterns belonging to Mirai, Mozi and Sora botnets. We analyse traffic composition by protocol (TCP, UDP, ICMP), top ports, and radiation sources. The overall traffic volume per cloud region along side the most frequent payload download attempts; binary infection commands; HTTP request methods and user-agents. In total \(\approx \) 10 billion packets were collected. Our findings indicate a prevalence of botnet activity exploiting highly critical vulnerabilities on IoT devices disclosed in recent years. The cloud architecture is available as a Terraform artefact, while the dataset is available on IEEE Dataport. Our conclusion is that the Cloud Telescope provides an effective approach to capturing global samples of Internet Background Radiation.