The Amplification Threat Posed by Publicly Reachable BACnet Devices

Authors

  • Oliver Gasser Technical University of Munich, Germany
  • Quirin Scheitle Technical University of Munich, Germany
  • Benedikt Rudolph DE-CIX, Germany
  • Carl Denis Technical University of Munich, Germany
  • Nadja Schricker Technical University of Munich, Germany
  • Georg Carle Technical University of Munich, Germany

DOI:

https://doi.org/10.13052/2245-1439.614

Keywords:

BACnet, building automation, network scan, amplification attack, notification

Abstract

In a connected world Internet security is becoming increasingly important. Attacks, which are frequently executed by botnets, can impact people in their everyday life. A ubiquitous kind of attack is the amplification attack, a special type of Denial-of-Service attack. Several protocols such as DNS, NTP, and SNMP are known to be vulnerable to amplification attacks when security practices are not followed. In this work we evaluate the vulnerability of BACnet, a building automation and control protocol, to amplification attacks. To assess BACnet’s vulnerability we conduct active traffic measurements on an Internet-wide scale. We find 16 485 BACnet devices, the largest number to date. Additionally, more than 14 k of these devices can be misused as amplifiers, with some generating amplification factors up to 120. To remediate this potential threat we employ a vulnerability notification campaign in close coordination with a CERT. We assess the success of the campaign and find that the number of publicly reachable BACnet devices decreased only slightly. Additionally, we employ passive measurements to attribute the majority of BACnet traffic in the wild to scanning projects. Finally, we also give suggestions to thwart the amplification attack potential of BACnet.


Author Biographies

Oliver Gasser, Technical University of Munich, Germany

Oliver Gasser is a scientific researcher at the Chair of Network Architectures and Services at the Technical University of Munich (TUM), Germany.

He is co-leading the Global Internet Observatory project which aims to better understand the Internet and its security by conducting Internet-wide measurements.

Oliver’s research interests are empirical analysis of network security protocols such as TLS and SSH, amplification attack detection and mitigation, and more recently network scans in the IPv6 Internet.

Oliver received his M.Sc. from TUM in 2013 and is currently a PhD candidate at TUM.

Quirin Scheitle, Technical University of Munich, Germany

Quirin Scheitle is a scientific researcher at the Chair of Network Architectures and Services at the Technical University of Munich (TUM), Germany.

He is co-leading the Global Internet Observatory project which aims to better understand the Internet and its security by conducting Internet-wide measurements.

Quirin’s research interests include empirical analysis of Internet services and architectures under a security lens.

Quirin received his M.Sc. from TUM in 2012 and is currently a PhD candidate at TUM.

Benedikt Rudolph, DE-CIX, Germany

Benedikt Rudolph has been a researcher at DE-CIX since 2016. He participates in several research projects, e.g., funded by the German Federal Ministry of Education and Research (BMBF). He actively contributes to the Internet, networking, and IXP community (e.g., RIPE, EURO-IX, DENOG).

Before joining DE-CIX he gained first practical experience as a student research assistant at Technische Universität Darmstadt, Germany, where he also received his M.Sc. in computer science with a focus on IT security.

His research interests are Internet measurements and networking technology.

Carl Denis, Technical University of Munich, Germany

Carl Denis majored in computer science with a focus on IT security at the Technical University of Munich (TUM), where he is a guest researcher.

He also pursues a doctorate at Universität der Bundeswehr and works in incident response and vulnerability handling at Siemens ProductCERT.

In his spare time he is concerned with secure and automated infrastructures.

Nadja Schricker, Technical University of Munich, Germany

Nadja Schricker is currently studying Computer Science at the Technical University of Munich.

She recently finished her Bachelor’s Thesis on the topic “Active Security Evaluation with Network Scans”.


Georg Carle, Technical University of Munich, Germany

Georg Carle is professor at the Department of Informatics of the Technical University of Munich, holding the Chair of Network Architectures and Services.

He studied at University of Stuttgart, Brunel University, London, and Ecole Nationale Superieure des Telecommunications, Paris.

He did his PhD in Computer Science at University of Karlsruhe, and worked as postdoctoral scientist at Institut Eurecom, Sophia Antipolis, France, at the Fraunhofer Institute for Open Communication Systems, Berlin, and as professor at University of Tübingen.

Published

2017-11-19

Section

Articles