[Mud] cleaning up evil things

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 19 October 2019 14:21 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
Date: Sat, 19 Oct 2019 10:21:12 -0400
Message-ID: <29307.1571494872@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/wTi7SHNFtnX8-Kifvnu8Jcwy7xY>
Subject: [Mud] cleaning up evil things

On Thursday, I was pointed at this paper:
  https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-2_Cetin_paper.pdf

I attach the abstract below.  I think that this is particularly relevant to
the discussion of what to do when devices go bad.  My take-home was that
quarantine/walled garden is the way to go, much more effective than emails,
and that any emails must be well-written and specific.

Also, many small businesses use consumer/retail connections, but maybe
would be willing to invest in pro-sumer equipment if it will keep them online.

(I still feel that describing Mirai as an IoT botnet, as opposed to a home
router/PVR botnet, is wrong; the world does not agree with me.)

----

Abstract—With the rise of IoT botnets, the remediation of
infected devices has become a critical task. As over 87% of
these devices reside in broadband networks, this task will fall
primarily to consumers and the Internet Service Providers. We
present the first empirical study of IoT malware cleanup in the
wild – more specifically, of removing Mirai infections in the
network of a medium-sized ISP. To measure remediation rates,
we combine data from an observational study and a randomized
controlled trial involving 220 consumers who suffered a Mirai
infection together with data from honeypots and darknets. We
find that quarantining and notifying infected customers via a
walled garden, a best practice from ISP botnet mitigation for
conventional malware, remediates 92% of the infections within
14 days. Email-only notifications have no observable impact
compared to a control group where no notifications were sent. We
also measure surprisingly high natural remediation rates of 58-74%
for this control group and for two reference networks where
users were also not notified. Even more surprising, reinfection
rates are low. Only 5% of the customers who remediated suffered
another infection in the five months after our first study. This
stands in contrast to our lab tests, which observed reinfection
of real IoT devices within minutes – a discrepancy for which
we explore various different possible explanations, but find no
satisfactory answer. We gather data on customer experiences
and actions via 76 phone interviews and the communications
logs of the ISP. Remediation succeeds even though many users
are operating from the wrong mental model – e.g., they run antivirus software on their PC to solve the infection of an IoT device.
While quarantining infected devices is clearly highly effective,
future work will have to resolve several remaining mysteries.
Furthermore, it will be hard to scale up the walled garden solution
because of the weak incentives of the ISPs.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-