Prevalence of IoT Protocols in Telescope and Honeypot Measurements


  • Lionel Metongnon Universit´e catholique de Louvain, Belgium and Universit´e d’Abomey-Calavi, Bénin
  • Ramin Sadre Universit´e catholique de Louvain, Belgium



Internet measurement, IoT, IoT attacks, IoT protocols


With the arrival of the Internet of Things (IoT), more devices appear online with default credentials or lacking proper security protocols. Consequently, we have seen a rise of powerful DDoS attacks originating from IoT devices in the last years. In most cases the devices were infected by bot malware through the telnet protocol. This has lead to several honeypot studies on telnet-based attacks. However, IoT installations also involve other protocols, for example for Machine-to-Machine communication. Those protocols often provide by default only little security. In this paper, we present a measurement study on attacks against or based on those protocols. To this end, we use data obtained from a /15 network telescope and three honey-pots with 15 IPv4 addresses. We find that telnet-based malware is still widely used and that infected devices are employed not only for DDoS attacks but also for crypto-currency mining. We also see, although at a much lesser frequency, that attackers are looking for IoT-specific services using MQTT, CoAP, UPnP, and HNAP, and that they target vulnerabilities of routers and cameras with HTTP.



Download data is not yet available.

Author Biographies

Lionel Metongnon, Universit´e catholique de Louvain, Belgium and Universit´e d’Abomey-Calavi, Bénin

Lionel Metongnon is a Ph.D. student at ICTEAM institute of Université catholique de Louvain at Belgium, since Spring 2015. He attended the Université d’Abomey-Calavi in Bénin where he received his B.Sc. in Electrical engineering and industrial IT in 2011 and his M.Sc. in Computer Science in 2014. His Ph.D. works focus on network monitoring and distributed Internet-scale intrusion detection for Internet of Things.

Ramin Sadre, Universit´e catholique de Louvain, Belgium

Ramin Sadre has been a professor in the ICTEAM institute of UCLouvain, Belgium, since 2014. Before that, he was an assistant professor at Aalborg University, Denmark, and a post-doctoral researcher at the University of Twente, the Netherlands. His research activities focus on performance evaluation, monitoring of networked systems, and network-based intrusion detection, targeting open Internet-wide distributed applications as well as more closed systems such as IoT and SCADA.


Andrew Banks and Rahul Gupta. Mqtt version 3.1. 1. OASIS standard, 29, 2014.

Elisa Bertino and Nayeem Islam. Botnets and internet of things security. Computer, 50(2):76–79, 2017.

D. Cid. Large cctv botnet leveraged in ddos attacks. https://, 2016. Accessed: 2018-02-11.

L. Constantin. Thousands of hacked cctv devices used in ddos attacks., 2016. Accessed: 2018-02-11.

Alexandre Dulaunoy, Gérard Wagener, Sami Mokaddem, and Cynthia Wagner. An extended analysis of an iot malware from a blackhole network. In TNC17, 2017.

Sam Edwards and Ioannis Profetis. Hajime: Analysis of a decentralized internet worm for iot devices. Rapidity Networks, 16, 2016.

J. Frahim, C. Pignataro, J. Apcar, and M. Morrow. Securing the internet of things: A proposed framework. Accessed: 2017-03-31.

O. Gayer, O. Wilder, and I. Zeifman. Cctv ddos botnet in our own back yard. Accessed: 2018-02-11.

Michael Jeronimo and Jack Weast. Upnp design by example, 2003.

Simon Kenin. Brickerbot mod_plaintext analysis., 2017. Accessed: 2018-03-30.

Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, and Jeffrey Voas. Ddos in the iot: Mirai and other botnets. Computer, 50(7):80–84, 2017.

Lukas Krämer, Johannes Krupp, Daisuke Makita, Tomomi Nishizoe, Takashi Koide, Katsunari Yoshioka, and Christian Rossow. Amppot: Monitoring and defending against amplification ddos attacks. In International Workshop on Recent Advances in Intrusion Detection, pages 615–636. Springer, 2015.

Brian Krebs. Source code for iot botnet mirai released., 2016. Accessed: 2018-02-11.

Lionel Metongnon and Ramin Sadre. Beyond telnet: Prevalence of iot protocols in telescope and honeypot measurements. In Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity, pages 21–26. ACM, 2018.

David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage. Inferring internet denial-of-service activity. ACM Trans. Comput. Syst., 24(2):115–139, May 2006.

Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. Iotpot: analysing the rise of iot compromises. EMU, 9, 2015.

Farooq Shaikh, Elias Bou-Harb, Nataliia Neshenko, Andrea Patrice Wright, and Nasir Ghani. Internet of malicious things: Correlating active and passive measurements for inferring and characterizing internet-scale unsolicited iot devices. IEEE Communications Magazine, March 2018.

Zach Shelby, Klaus Hartke, and Carsten Bormann. Rfc 7252 - the constrained application protocol (coap). 2014.

Cisco Systems. Home network administration protocol (hnap) whitepaper., 2009. Accessed: 2018-03-30.

Tianlong Yu, Vyas Sekar, Srinivasan Seshan, Yuvraj Agarwal, and Chenren Xu. Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the internet-of-things. In HotNets 2015, 2015.