
A Method to Secure IoT Devices Against Botnet Attacks

Abstract

An unsecured or weak authentication system between an IoT device and a user gives attackers an opportunity to manipulate the IoT device and use it as part of a botnet. The proliferation of IoT devices with an unsecured or weak authentication mechanism has increased the threat of a huge number of IoT devices being used as botnets for large-scale DDoS attacks. Default credential pairs (like 'root-root' or 'admin-admin') for Telnet or SSH connections are still part of a large group of IoT products, and many malware families have exploited this vulnerability to capture a large number of IoT devices and use them as botnets. In the recent past, the Mirai malware infected roughly a million IoT devices at its peak by brute-forcing just 62 pairs of default credentials. In this paper, we present a concept called 'login puzzle' to prevent the capture of IoT devices on a large scale. Login puzzle is a variant of client puzzle, which presents a puzzle to the remote device during the login process to prevent unrestricted login attempts. Login puzzle is a set of multiple mini puzzles with a variable complexity, which the remote device is required to solve before logging into any IoT device. Every unsuccessful login attempt increases the complexity of solving the login puzzle for the next attempt. In this paper, we have introduced a novel mechanism to change the complexity of the puzzle after every unsuccessful login attempt. If each IoT device had used login puzzle, the Mirai attack would have required almost two months to acquire devices, while it acquired them in 20 h.
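The following sketch is an added illustration of the login-puzzle idea and is not code from the paper. The abstract does not specify the puzzle construction or the escalation rule, so the SHA-256 partial-preimage mini puzzles, the "one extra bit per failed login" policy, and all names and parameters below are assumptions.

```python
import hashlib
import os

# Assumed parameters; the abstract gives no concrete values.
BASE_BITS = 4      # starting difficulty (leading zero bits) per mini puzzle
MAX_BITS = 20      # cap so a legitimate user is never locked out indefinitely
MINI_PUZZLES = 4   # number of mini puzzles in one login puzzle

def difficulty(failed_attempts):
    """Assumed escalation rule: each failed login doubles the expected work."""
    return min(BASE_BITS + failed_attempts, MAX_BITS)

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _digest(nonce, index, candidate):
    data = nonce + index.to_bytes(2, "big") + candidate.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def issue_puzzle(failed_attempts):
    """Device side: a fresh nonce per attempt prevents replay of old solutions."""
    return {"nonce": os.urandom(16), "bits": difficulty(failed_attempts),
            "count": MINI_PUZZLES}

def solve(puzzle):
    """Client side: brute-force every mini puzzle; returns (solutions, hashes)."""
    solutions, hashes = [], 0
    for i in range(puzzle["count"]):
        x = 0
        while _leading_zero_bits(_digest(puzzle["nonce"], i, x)) < puzzle["bits"]:
            x += 1
        solutions.append(x)
        hashes += x + 1
    return solutions, hashes

def verify(puzzle, solutions):
    """Device side: one hash per mini puzzle, checked before any credential test."""
    if len(solutions) != puzzle["count"]:
        return False
    return all(isinstance(x, int) and 0 <= x < 2 ** 64 and
               _leading_zero_bits(_digest(puzzle["nonce"], i, x)) >= puzzle["bits"]
               for i, x in enumerate(solutions))
```

The asymmetry is the point: the device spends one hash per mini puzzle to verify, while a client that keeps guessing credentials pays roughly `MINI_PUZZLES * 2**bits` hashes per attempt, doubling after each failure under the assumed rule.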