Could you clean up the Internet with a Pit of Tar? Investigating tarpit feasibility on Internet worms

2023 IEEE Symposium on Security and Privacy (SP) Pub Date : 2023-05-01 DOI:10.1109/SP46215.2023.10179467

H. Griffioen, C. Doerr

{"title":"Could you clean up the Internet with a Pit of Tar? Investigating tarpit feasibility on Internet worms","authors":"H. Griffioen, C. Doerr","doi":"10.1109/SP46215.2023.10179467","DOIUrl":null,"url":null,"abstract":"Botnets often spread through massive Internet-wide scanning, identifying and infecting vulnerable Internet-facing devices to grow their network. Taking down these networks is often hard for law enforcement, and some people have proposed tarpits as a defensive method because it does not require seizing infrastructure or rely on device owners to make sure their devices are well-configured and protected. These tarpits are network services that aim to keep a malware-infected device busy and slow down or eradicate the malicious behavior.This paper identifies a network-based tarpit vulnerability in stateless-scanning malware and develops a tarpitting exploit. We apply this technique against malware based on the Mirai scanning routine to identify whether tarpitting at scale is effective in containing the spread of self-propagating malware. We demonstrate that we can effectively trap thousands of devices even in a single tarpit and that this significantly slows down botnet spreading across the Internet and provide a framework to simulate malware spreading under various network conditions to apriori evaluate the effect of tarpits on a particular malware. We show that the self-propagating malware could be contained with the help of a few thousand tarpits without any measurable adverse impact on compromised routers or Internet Service Providers, and we release our tarpitting solution as an open platform to the community to realize this.","PeriodicalId":439989,"journal":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","volume":"63 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP46215.2023.10179467","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Botnets often spread through massive Internet-wide scanning, identifying and infecting vulnerable Internet-facing devices to grow their network. Taking down these networks is often hard for law enforcement, and some people have proposed tarpits as a defensive method because it does not require seizing infrastructure or rely on device owners to make sure their devices are well-configured and protected. These tarpits are network services that aim to keep a malware-infected device busy and slow down or eradicate the malicious behavior.This paper identifies a network-based tarpit vulnerability in stateless-scanning malware and develops a tarpitting exploit. We apply this technique against malware based on the Mirai scanning routine to identify whether tarpitting at scale is effective in containing the spread of self-propagating malware. We demonstrate that we can effectively trap thousands of devices even in a single tarpit and that this significantly slows down botnet spreading across the Internet and provide a framework to simulate malware spreading under various network conditions to apriori evaluate the effect of tarpits on a particular malware. We show that the self-propagating malware could be contained with the help of a few thousand tarpits without any measurable adverse impact on compromised routers or Internet Service Providers, and we release our tarpitting solution as an open platform to the community to realize this.

查看原文本刊更多论文

你能用沥青坑清理互联网吗?探讨网络蠕虫攻击的可行性

僵尸网络通常通过大规模的互联网扫描来传播，识别和感染易受攻击的面向互联网的设备，以扩大其网络。对于执法部门来说，关闭这些网络通常很困难，有些人建议将网络拦截作为一种防御方法，因为它不需要占用基础设施，也不依赖于设备所有者确保他们的设备配置良好并受到保护。这些tarpit是一种网络服务，旨在使受恶意软件感染的设备保持繁忙状态，并减缓或根除恶意行为。本文在无状态扫描恶意软件中发现了一个基于网络的攻击漏洞，并开发了一个攻击漏洞。我们将此技术应用于基于Mirai扫描例程的恶意软件，以确定大规模攻击是否有效地遏制了自传播恶意软件的传播。我们证明，即使在单个tarpit中，我们也可以有效地捕获数千台设备，这大大减缓了僵尸网络在互联网上的传播，并提供了一个框架来模拟恶意软件在各种网络条件下的传播，以先验地评估tarpit对特定恶意软件的影响。我们表明，自我传播的恶意软件可以在几千个tarpit的帮助下被遏制，而不会对受损的路由器或互联网服务提供商产生任何可测量的不利影响，并且我们将我们的tarpit解决方案作为一个开放平台发布给社区来实现这一点。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量