TY - JOUR
T1 - The amplification threat posed by publicly reachable BACnet devices
AU - Gasser, Oliver
AU - Scheitle, Quirin
AU - Rudolph, Benedikt
AU - Denis, Carl
AU - Schricker, Nadja
AU - Carle, Georg
N1 - Publisher Copyright:
© 2017 the Author(s).
PY - 2017/1/1
Y1 - 2017/1/1
N2 - In a connected world Internet security is becoming increasingly important. Attacks, which are frequently executed by botnets, can impact people in their everyday life. A ubiquitous kind of attack is the amplification attack, a special type of Denial-of-Service attack. Several protocols such as DNS, NTP, and SNMP are known to be vulnerable to amplification attacks when security practices are not followed. In this work we evaluate the vulnerability of BACnet, a building automation and control protocol, to amplification attacks. To assess BACnet's vulnerability we conduct active traffic measurements on an Internet-wide scale. We find 16 485 BACnet devices, the largest number to date. Additionally, more than 14 k of these devices can be misused as amplifiers, with some generating amplification factors up to 120. To remediate this potential threat we employ a vulnerability notification campaign in close coordination with a CERT. We assess the success of the campaign and find that the number of publicly reachable BACnet devices decreased only slightly. Additionally, we employ passive measurements to attribute the majority of BACnet traffic in the wild to scanning projects. Finally, we also give suggestions to thwart the amplification attack potential of BACnet.
AB - In a connected world Internet security is becoming increasingly important. Attacks, which are frequently executed by botnets, can impact people in their everyday life. A ubiquitous kind of attack is the amplification attack, a special type of Denial-of-Service attack. Several protocols such as DNS, NTP, and SNMP are known to be vulnerable to amplification attacks when security practices are not followed. In this work we evaluate the vulnerability of BACnet, a building automation and control protocol, to amplification attacks. To assess BACnet's vulnerability we conduct active traffic measurements on an Internet-wide scale. We find 16 485 BACnet devices, the largest number to date. Additionally, more than 14 k of these devices can be misused as amplifiers, with some generating amplification factors up to 120. To remediate this potential threat we employ a vulnerability notification campaign in close coordination with a CERT. We assess the success of the campaign and find that the number of publicly reachable BACnet devices decreased only slightly. Additionally, we employ passive measurements to attribute the majority of BACnet traffic in the wild to scanning projects. Finally, we also give suggestions to thwart the amplification attack potential of BACnet.
KW - Amplification attack
KW - BACnet
KW - Building automation
KW - Network scan
KW - Notification
UR - http://www.scopus.com/inward/record.url?scp=85032750414&partnerID=8YFLogxK
U2 - 10.13052/jcsm2245-1439.614
DO - 10.13052/jcsm2245-1439.614
M3 - Article
AN - SCOPUS:85032750414
SN - 2245-1439
VL - 6
SP - 77
EP - 104
JO - Journal of Cyber Security and Mobility
JF - Journal of Cyber Security and Mobility
IS - 1
ER -