
Hamza Parekh | 14173138

Abstract
Botnet attacks pose a great risk to the internet infrastructure, as they employ simple IoT
devices such as smart home appliances to carry out large-scale Distributed Denial-of-Service attacks.
Attacks like these are increasing at an alarming rate, with many variants of the successful Mirai
botnet being created daily, potentially able to disrupt access to crucial services and cause
economic and reputational loss to victims. To counter these malicious attacks, tactics including
blockchain and machine learning are being tested and analysed; however, these solutions are
cting IoT devices on a basic level. With cost and
feasibility in mind, I have proposed a scripting solution to harden IoT devices against malware
infection. Experimentation will be conducted, and the results will be analysed further.

Introduction
The Internet of Things is an all-encompassing term for a network of physical objects
equipped with internet connectivity, sensors, and software. These devices interconnect
seamlessly to exchange data and provide intelligent services to users. Our vehicles, home
appliances, phones and watches are all part of the IoT. The IoT market has exploded in recent
years, with many different applications ranging from smart cities and home automation to retail
and agriculture, providing ease to individuals, communities, and businesses in a range of fields.
Due to this, adoption has been immense globally, with 125 billion IoT devices
expected to be connected in 2030 [1].
However, the ubiquity of IoT and its continuous growth have created the perfect conditions for
IoT botnet formation [2]. Furthermore, IoT devices lack sufficient computing resources
and basic security protocols, which makes it especially easy for attackers to exploit these
vulnerable devices. Thus, the attacker (botmaster) can infect these devices with malware and
build a botnet army, remotely controlling it through a command and control (C&C) server
to launch large-scale Distributed Denial-of-Service (DDoS, or DoS if it comes from a single
source) attacks with limited effort.
In a DoS attack, the botmaster abuses the standard handshake between a server and a
client and overwhelms target servers with unwanted requests, disrupting access to internet
services by exhausting the target server's resources, so that legitimate users are no longer
able to establish new connections.
Alongside interfering with access to services, denial-of-service attacks also cause significant
financial loss and reputational damage.
One of the most prominent examples of this is the infamous Mirai botnet attack in October
2016 on Dyn, a dynamic domain name system (DNS) provider. The attack forced many web
services to stop, including GitHub and Twitter [1]. It was estimated that 100,000+ devices
were used to launch the attack against Dyn's Managed DNS infrastructure, and that
1.2 Tbps of traffic was being directed at Dyn [3]. Attacks like these have shown the
importance of implementing security in IoT devices, as they have the potential to
cause severe damage to the internet. The Nokia Threat Intelligence Report estimates that IoT
botnets accounted for 78% of malicious activity in 2018 [4]. The real threat to IoT and the
internet is the daily generation of Mirai botnet variants, inflicting real damage using the same
intrusion methods as the original malware.

Current Solutions
PUF-Based Access Management
This solution uses a static random-access memory (SRAM) based Physically
Unclonable Function (PUF) to uniquely identify every IoT device, exploiting the unique physical
variations that occur naturally during manufacturing to enable traceability and reliable
identification of each device.
IoT devices generally have a small SRAM capacity and embedded processors, which makes
PUFs an ideal method of generating device IDs as they
not complex. These IDs will be stored in a permissioned blockchain service, which is created
and maintained by a group of trusted IoT manufacturers and/or by a blockchain service
provider. Blockchain is used in this solution to verify IoT devices by comparing their IDs and
All devices that are cloned, tampered or malicious in nature will be identified, thus preventing
them from becoming part of a botnet.
However, blockchain is resource-intensive, which leads to poor performance. Furthermore, the
storing of unnecessary data and waste of storage is also a big problem that cannot be removed
due to the decentralization of blockchain being built upon the collaborative recording [4].
Traffic Control Based on the Verification of Transactions
Traffic control-based solutions revolve primarily around monitoring and validating outgoing
transactions to prevent devices from joining the botnet and subsequently launching DDoS
attacks.
In this solution, the blockchain first identifies whether a device is malicious or normal. Then
all outgoing transactions are verified through smart contracts, which are programs
stored in the blockchain that run automatically when their conditions are met. If a
transaction does not comply with the security policy in the smart contract, it is denied.
When an attacker attempts to gain access to a device and infect it, the illegal transactions can
be rejected, so the victim is protected from the attack.
While the advantage of this solution is that no additional resources are required for the
blockchain, there is no measure in place to secure the smart contracts on which the solution is
heavily dependent to verify transactions.

Proposed Solutions
I propose the use of hardening scripts for IoT devices to prevent the botnet from loading the
Mirai malware onto the device. This is designed with the pressing need for feasibility, simplicity,
and cost-efficiency in mind. Two scripts will be presented in this solution: a Python script
and a bash script.
The Python script is used to harden IoT devices against Mirai. It achieves this by making
several configuration changes. Some of these include
using the change_passwd_telnet() function, which randomly generates a new password for
the IoT device admin. The Python function definition is shown below.

Figure 1. change_passwd_telnet() function


Source: Protecting IoT from Mirai Botnets; IoT device hardening
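The password rotation step described above, written out as an added example that is not the
paper's own change_passwd_telnet() code. It assumes a generate_password() helper drawing from a
CSPRNG, a small constructed list of weak defaults that the new password must never collide with,
and the user:password record format that chpasswd reads on stdin (the delivery of that record
over telnet, which the paper's script handles, is left out):

```python
import secrets
import string

# Constructed, illustrative subset of weak factory credentials (an assumption of this
# example, not Mirai's actual credential table); a generated password must not match.
WEAK_DEFAULTS = {"admin", "root", "password", "1234", "12345", "123456", "default"}

ALPHABET = string.ascii_letters + string.digits  # alphanumeric only, as in the paper


def generate_password(length: int = 16) -> str:
    """Return a random alphanumeric password drawn from the OS CSPRNG.

    The resampling loop guarantees at least one lowercase letter, one uppercase
    letter and one digit, so the result can never degenerate into an all-digit
    string, and rejects anything that happens to be a known weak default.
    """
    if length < 8:
        raise ValueError("minimum length is 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and pw.lower() not in WEAK_DEFAULTS):
            return pw


def is_weak(password: str) -> bool:
    """True when the password is too short or appears in the weak-default list."""
    return len(password) < 8 or password.lower() in WEAK_DEFAULTS


def chpasswd_line(user: str, password: str) -> str:
    """Format one 'user:password' record for 'chpasswd' (BusyBox or shadow) on stdin.

    chpasswd splits on the first ':' only, so the user name must not contain one;
    the alphanumeric password never does.
    """
    if ":" in user or "\n" in user or "\n" in password:
        raise ValueError("user must not contain ':' and neither field may contain a newline")
    return f"{user}:{password}\n"


if __name__ == "__main__":
    # Hypothetical admin account name; print the record that would be piped to chpasswd.
    new_pw = generate_password()
    print(chpasswd_line("admin", new_pw), end="")
```

The record is printed rather than applied so the example runs anywhere; on the device it
would be fed to chpasswd as the hardening script's final step, and the new password stored in
the operator's inventory, since a device whose password nobody knows is just as unreachable
for maintenance as for the loader.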

The replace_busybox() function replicates the current BusyBox binary on the device. The
script then creates a BusyBox (an embedded version of Linux) wrapper to filter the applets that
Mirai uses, detecting the malicious commands that the Mirai loader executes on the
victim. To stop the Mirai infection, these commands falsely return success despite being
prevented from executing on the device. The function is shown below.

Figure 2. replace_busybox() function


Source: Protecting IoT from Mirai Botnets; IoT device hardening
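A model of the wrapper's decision logic, added here as an example and not the paper's
replace_busybox() code. It assumes the hardening script has already copied the real multi-call
binary aside to a hypothetical path (REAL_BUSYBOX) and installed the wrapper in its place, and it
assumes a blocklist of the fetch applets a remote loader would use to pull a payload onto the
device (FILTERED_APPLETS, an assumption to be tuned per device). A filtered applet is never run
but still reports exit status 0, which is the "false success" the paper describes:

```python
import os
import subprocess
import sys
from typing import Callable, List, Tuple

# Hypothetical location of the preserved original binary (set by the hardening script).
REAL_BUSYBOX = "/bin/busybox.real"

# Assumed blocklist: applets used to download a file onto the device. Anything not
# listed is passed through to the real binary unchanged.
FILTERED_APPLETS = frozenset({"wget", "tftp", "ftpget"})


def applet_name(argv: List[str]) -> str:
    """Resolve which applet is being invoked.

    BusyBox can be called as 'busybox wget ...' or through a symlink such as
    '/bin/wget ...'; both forms must map to the same applet name.
    """
    prog = os.path.basename(argv[0])
    if prog.startswith("busybox") and len(argv) > 1:
        return argv[1]
    return prog


def applet_args(argv: List[str]) -> List[str]:
    """Arguments that belong to the applet, whichever invocation form was used."""
    if os.path.basename(argv[0]).startswith("busybox"):
        return argv[2:]
    return argv[1:]


def filter_applet(argv: List[str], run: Callable[[List[str]], int]) -> Tuple[bool, int]:
    """Return (executed, exit_status).

    Filtered applets are NOT executed but report status 0, so a loader that only
    checks the exit code believes its download step succeeded and continues
    without a payload. Everything else is delegated to 'run'.
    """
    if applet_name(argv) in FILTERED_APPLETS:
        return False, 0
    return True, run(argv)


def run_real(argv: List[str]) -> int:
    """Pass-through to the preserved binary (not reached when the blocklist matches)."""
    return subprocess.call([REAL_BUSYBOX, applet_name(argv), *applet_args(argv)])


if __name__ == "__main__":
    # When installed as the busybox binary (or its applet symlinks), sys.argv carries
    # the original invocation; exit with whatever status the filter decided.
    _, status = filter_applet(sys.argv, run_real)
    sys.exit(status)
```

The injected `run` callable is what makes the policy testable without a real BusyBox: the test
passes a recorder and checks that blocked applets never reach it. Note the limit of this
approach, which the paper's results table also reflects: it stops the download applets it knows
about, so the blocklist has to be maintained against whatever the loader actually calls.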

Alongside the configuration changes the script makes to prevent the IoT device from
becoming infected, it also uploads an Almquist shell script (ash script) called secure.sh via the
upload_run_script() function. The ash script continuously tries to identify any indication
of Mirai on the system and reacts by halting the malware as soon
as it is identified. When a bot is infected, it opens a connection back to the C&C on port
23, while also running three processes with the same name. The ash script checks /proc/net/tcp for
any socket with a remote connection established to port 23 (0x17). Upon finding one, it will
locate the . Consequently, it will halt
the Mirai infection and cut all communication with the C&C server by sending a SIGKILL
signal to each process that has the same name.

Figure 3. upload_run_script() function

Source: Protecting IoT from Mirai Botnets; IoT device hardening

Figure 4. secure.sh script


Source: Protecting IoT from Mirai Botnets; IoT device hardening
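The detection logic of secure.sh, reimplemented here as an added Python example rather than
the paper's ash script, so that the parsing of /proc/net/tcp can be exercised offline. The
sample table and process list are constructed (the process name "zq3k1" is made up, standing
in for the random name a bot runs under), and the inode-to-PID mapping via the socket:[inode]
links in /proc/<pid>/fd is this example's assumption about how the script locates the owning
process. Killing is done through an injectable function so the test can record the calls
instead of signalling anything:

```python
import os
import signal
import socket
import struct
from typing import Dict, List, Set

ESTABLISHED = "01"   # value of the 'st' column for an established TCP socket
CNC_PORT = 23        # the bot calls back to the C&C on TCP/23 (0x0017)

# Constructed sample in /proc/net/tcp format (not captured from a real device): a
# telnetd listener on local port 23, one established outbound session to 10.0.2.15:23
# (the simulated C&C) and one unrelated HTTP session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11000 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3A1 0F02000A:0017 01 00000000:00000000 00:00000000 00000000     0        0 22001 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C44F 0F02000A:0050 01 00000000:00000000 00:00000000 00000000     0        0 22002 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for /proc/<pid>/comm plus the socket:[inode] links under
# /proc/<pid>/fd. Three copies run under the made-up name "zq3k1"; only one of them
# holds the C&C socket, as the paper describes.
SAMPLE_PROCS: Dict[int, Dict] = {
    1:   {"comm": "init",    "inodes": set()},
    412: {"comm": "telnetd", "inodes": {11000}},
    900: {"comm": "zq3k1",   "inodes": {22001}},
    901: {"comm": "zq3k1",   "inodes": set()},
    902: {"comm": "zq3k1",   "inodes": set()},
    950: {"comm": "wget",    "inodes": {22002}},
}


def hex_to_ipv4(hex_addr: str) -> str:
    """'0100007F' -> '127.0.0.1'. The kernel prints the address in host byte order,
    so a little-endian host (x86, most ARM) is assumed here."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Split each socket row into the fields secure.sh cares about."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        rem_ip, rem_port = cols[2].split(":")
        rows.append({"remote_ip": hex_to_ipv4(rem_ip),
                     "remote_port": int(rem_port, 16),
                     "state": cols[3],
                     "inode": int(cols[9])})
    return rows


def cnc_socket_inodes(text: str, port: int = CNC_PORT) -> Set[int]:
    """Inodes of established sockets whose REMOTE port is the C&C port (a local
    telnetd listener on 23 is deliberately not matched)."""
    return {r["inode"] for r in parse_proc_net_tcp(text)
            if r["state"] == ESTABLISHED and r["remote_port"] == port}


def processes_to_kill(text: str, procs: Dict[int, Dict]) -> List[int]:
    """PIDs of every process sharing a name with the owner of a C&C socket."""
    inodes = cnc_socket_inodes(text)
    names = {p["comm"] for p in procs.values() if p["inodes"] & inodes}
    return sorted(pid for pid, p in procs.items() if p["comm"] in names)


def kill_processes(pids: List[int], do_kill=os.kill) -> List[int]:
    """Send SIGKILL to each pid; returns those actually signalled."""
    done = []
    for pid in pids:
        try:
            do_kill(pid, signal.SIGKILL)
            done.append(pid)
        except ProcessLookupError:
            pass  # already gone, e.g. a sibling exited when the first copy died
    return done


def read_live_procs() -> Dict[int, Dict]:
    """Build the SAMPLE_PROCS structure from a real /proc (Linux only, needs root
    to read other users' fd tables)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    inodes.add(int(link[8:-1]))
        except OSError:
            continue
        procs[pid] = {"comm": comm, "inodes": inodes}
    return procs


if __name__ == "__main__":
    print(processes_to_kill(SAMPLE_PROC_NET_TCP, SAMPLE_PROCS))   # [900, 901, 902]
```

On a real device the loop body would be `read_live_procs()` together with the contents of
/proc/net/tcp, run on a timer as the paper's script does. The port-23 rule is only as good as
the bot's habits, which is why the paper pairs it with killing every same-named process rather
than just the socket owner.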

Other actions the script performs are changing the logon banner and then implementing /etc/host.deny.
When a client attempts to connect to a network service on a remote system, the host.deny file
is used to block client access, effectively blocking the attacker from gaining access to the
system.
Experimentation Analysis

Testing Scenario
In my test environment, I will be running virtual machines on a private network, isolated from
the public internet, each with a private IP address. Vagrant will be
used for testing, where a Vagrantfile will be used to create the VMs and the private
networks.
The simulation will consist of two VMs. The first one will be the Mirai server, which contains
the loader and C&C, and the second VM will be the IoT device running Ubuntu 14.04 with
BusyBox. This VM will be purposefully configured
with a default password and username to make the simulation more realistic. Throughout each
test, I will be manually executing the loader to attempt to infect the second VM with Mirai.

Figure 5. Test Set up

The Python script will change several configurations to prevent the device from becoming

monitor for the Mirai malware running, and upon finding it, the script will effectively remove
it and break all communication with the C&C. These two scripts should theoretically harden
the IoT device enough to keep it from becoming part of the botnet.
Result

Figure 6. Expected Flow

Function                Expected Result             Actual Result
Change password         Uninfected                  True
Upload ash script       Infected and then removed   True
Wrap BusyBox applets    Uninfected                  True
Change banner           Uninfected                  False
Change service port     Uninfected                  True

Figure 7. Expected vs Actual Result


Discussion
My hardening scripts were tested to assess their effectiveness against common attack methods
such as brute-forcing default passwords and infecting the IoT device with Mirai malware
afterwards. by changing the weak
password that was on the IoT device to a randomly-generated alphanumeric one. This was an

for immediate creation and deployment of the BusyBox


wrapper, which detected and filtered applets used by Mirai to download its binary onto the IoT
device, thus successfully deterring infection
as very successful in identifying Mirai and then effectively
removing the malware and cutting communication between the target device and the C&C.
In my testing, the Python script produced results that were mostly in line with the expected
results; however, the change-banner functionality failed to protect the device. Mirai
evaluates the login prompts offered by telnetd/sshd, such as $, :, #, and so on. Changing the
banner (through /etc/motd, /etc/issue, /etc/issue.net) did not prevent infection. There are
various techniques for modifying the login prompt depending on the platform and on the
commands and configuration available on the host, which made implementation within a short
space of time unreasonable. Although altering the default service port stopped the infection,
it did not prevent a port scan from identifying the new listening port. Service detection in
conjunction with the returned banner may provide extra obfuscation (not tested). Logically,
any combination of these hardening approaches deployed to a viable host would provide
improved protection within their constraints, resulting in a multi-faceted defence strategy.
Not all functionality was incorporated due to platform and time limitations. For instance, the
change-user function was not implemented: the root user could not be modified or disabled
without impacting the functionality of the device, and resolving this was not possible in the
time available.

Summary
The Internet of Things is an ever-growing platform that has provided ease and comfort in a
range of applications. However, due to the rapid development and deployment of IoT devices
and their inherent vulnerabilities, they serve as a perfect medium for attackers to launch DDoS
operations at a sizeable scale. Current solutions that involve blockchain are promising, but
they are resource-intensive, which is an undesirable trait, especially in IoT devices. Based on
this, I wanted to propose a solution that would equip IoT devices with basic security protocols
and that would be efficient, economical, and reasonable for IoT manufacturers to implement.
As discussed, my solution involves two scripts: the first is a Python script that makes
several configuration changes and the other is an ash script that continuously searches for
any presence of Mirai. Throughout my testing, the results were very promising, with many of
the implemented systems working as expected by successfully stopping the infection.
However, more time needs to be given to devising a way to implement the functionality that is
not present currently. In addition, more rigorous testing must be completed before any
widespread adoption of these hardening scripts.

References
1. Shah, Z., et al. Blockchain Based Solutions to Mitigate Distributed Denial of Service
(DDoS) Attacks in the Internet of Things (IoT): A Survey. Sensors (Basel, Switzerland),
2022, 22(3): 1094.
2. Kolias, C., et al. DDoS in the IoT: Mirai and Other Botnets. Computer (Long Beach,
Calif.), 2017, 50(7): 80-84.
3. Scott Sr, J. and Summit, W. Rise of the Machines: The Dyn Attack Was Just a Practice
Run, December 2016. Institute for Critical Infrastructure Technology, Washington, DC,
USA, 2016.
4. Cui, P. and Guin, U. Countering Botnet of Things Using Blockchain-Based Authenticity
Framework. In 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2019.
IEEE.
