Remotely Triggered Black Hole (RTBH) is a common DDoS mitigation approach that has been in use for the last two decades. Usually, it is implemented close to the attack victim in networks sharing some type of physical connectivity. The Unwanted Traffic Removal Service (UTRS) project offers a free, global, and relatively low-effort-to-join and operate RTBH alternative by removing the requirement of physical connectivity. Given these unique value propositions of UTRS, this paper aims to understand to what extent UTRS is adopted and used to mitigate DDoS attacks. To reach this goal, we collected two DDoS datasets describing amplification and Internet-of-Things-botnet-driven attacks and correlated them with the information from the third dataset containing blackholing requests propagated to the members of UTRS. Our findings suggest that, currently, just a small portion of UTRS members (approximately 10 % ) trigger mitigation attempts: out of 1200+ UTRS members, only 124 triggered blackholing events during our study. Among those, with high probability, 25 Autonomous Systems (ASes) reacted on AmpPot attacks mitigating 0.025 % of them globally or 1.03 % targeting UTRS members; 2 countered IoT-botnet-driven attacks alleviating 0.001 % of them globally or 0.06 % targeting UTRS members. This suggests that UTRS can be a useful tool in mitigating DDoS attacks, but it is not widely used. ... Read more

In recent years the number of Internet-connected devices (aka as Internet of Things (IoT)) has increased dramatically. IoT Manufacturers have launched into the market a variety of IoT products to make a profit, while users buy them for the convenience of the technology. Despite IoT technology’s benefits to society, infected IoT devices with malicious software (malware) are a serious security concern. For instance, in 2016, we witnessed one of the largest Distributed Denial of Service (DDoS) attacks facilitated by IoT devices. This attack disrupted major well-known websites, including Twitter, Spotify, Github, and others. Infected IoT devices cause negative externalities. A negative externality is the cost that third parties, who are neither the seller nor the buyer of IoT devices, must incur to protect themselves against DDoS attacks. In the traditional personal computer world, compromised machines can be remedied with self-service solutions like antivirus. However, there is a lack of such tools to help users remove malicious software once it has taken hold for the wide variety of IoT devices. This, in turn, creates usability issues for users in the IoT space. To remediate infected IoT devices, users may need to take different actions. These actions depend on the device type, its manufacturer, patches or software updates available, and available settings of the device. Some Internet Service Providers (ISPs) (referred interchangeably as intermediaries in this dissertation) have undertaken the task of notifying users about infected IoT devices in their home network. These types of notifications can aid the threat detection mechanisms of infected IoT devices for users. Considering that the IoT technology has certain limitations, and users will have to deal with infected IoT devices, and the aforementioned actors are involved, we set ourselves to answer the following research question: How can users mitigate infected IoT devices? And what role can manufacturers and intermediaries play in supporting them? To answer this question in short users require information and actionable advice to take appropriate actions. Manufacturers need to improve security practices, such as removing default credentials from the setup process of IoT devices. ISPs can facilitate threat detection through notifications and DNS-based prevention. The results of this dissertation, suggest that governments should incentivize intermediaries and manufacturers to address this issues, and collaboration among stakeholders is essential since users alone cannot mitigate infected IoT devices even though they are motivated. ... Read more

Internet Service Providers (ISPs) are getting involved in remediating Internet of Things (IoT) infections of end users. This endeavor runs into serious usability problems. Given that it is usually unknown what kind of device is infected, they can only provide users with very generic cleanup advice, trying to cover all device types and remediation paths. Does this advice work? To what extent do users comply with the instructions? And does more compliance lead to higher cleanup rates? This study is the first to shed light on these questions. In partnership with an ISP, we designed a randomized control experiment followed up by a user survey. We randomly assigned 177 consumers affected by malware from the Mirai family to three different groups: (i) notified via a walled garden (quarantine network), (ii) notified via email, and (iii) no immediate notification, i.e. a control group. The notification asks the user to take five steps to remediate the infection. We conducted a phone survey with 95 of these customers based on communication-human information processing theory. We model the impact of the treatment, comprehension, and motivation on the compliance rate of each customer, while controlling for differences in demographics and infected device types. We also estimate the extent to which compliance leads to successful cleanup of the infected IoT devices. While only 24% of notified users perform all five remediation steps, 92% of notified users perform at least one action. Compliance increases the probability of successful cleanup by 32%, while the presence of competing malware reduces it by 54%. We provide an empirical basis to shape ISP best practices in the fight against IoT malware. ... Read more

For the mitigation of compromised Internet of Things (IoT) devices we rely on Internet Service Providers (ISPs) and their users. Given that devices are in the hands of their subscribers, what can ISPs realistically do? This study examines the effects of ISP countermeasures on infections caused by variants of the notorious Mirai family of IoT malware, still among the dominant families. We collect and analyze more than 4 years of longitudinal darknet data tracking Mirai-like infections in conjunction with threat intelligence data on various other IoT and non-IoT botnets across the globe from January 2016 to May 2020. We measure the effect of two ISP countermeasures on Mirai variant infection numbers: (i) reducing the attack surface (i.e., closing ports that are used by the malware for propagation) and (ii) ISPs increasing their general network hygiene and malware removal efforts (as observed by proxy of the remediation of infections of other families of IoT and non-IoT malware and reductions in the number of DDoS amplifiers in their networks). We map our infection data to 342 broadband providers that have the bulk of the broadband market share in their respective 83 countries. We find that the number of infections correlates strongly with the number of ISP subscribers (R2=0.55$). Yet, infection numbers can still vary by three orders of magnitude even for ISPs with comparable subscriber numbers. We observe that many ISPs, together with their subscribers, have reduced their attack surface for IoT compromise by blocking traffic to commonly-exploited infection vectors such as Telnet and FTP. We statistically estimate the impact of these reductions on infection levels and, counter-intuitively, find no significant impact. In contrast, we do find a significant impact for improving general network hygiene and best malware mitigation practices. ISPs that were more successful in reducing DDoS amplifiers and non-Mirai malware infections in their networks also end up with significantly lower Mirai infection rates. In other words, rather than investing in IoT-specific countermeasures like reducing the attack surface, our findings suggest that ISPs might be better off investing in general security efforts to improve network hygiene and clean up abuse. ... Read more

Many consumer Internet-of-Things (IoT) devices are, and will remain, subject to compromise, often without the owner's knowledge. Internet Service Providers (ISPs) are among the actors best-placed to coordinate the remediation of these problems. They receive infection data and can notify customers of recommended remediation actions. There is insufficient understanding of what happens in peoples' homes and businesses during attempts to remediate infected IoT devices. We coordinate with an ISP and conduct remote think-aloud observations with 17 customers who have an infected device, capturing their initial efforts to follow best-practice remediation steps. We identify real, personal consequences from wide-scale interventions which lack situated guidance for applying advice. Combining observations and thematic analysis, we synthesize the personal stories of the successes and struggles of these customers. Most participants think they were able to pinpoint the infected device; however, there were common issues such as not knowing how to comply with the recommended actions, remediations regarded as requiring excessive effort, a lack of feedback on success, and a perceived lack of support from device manufacturers. Only 4 of 17 participants were able to successfully complete all remediation steps. We provide recommendations relevant to various stakeholders, to focus where emergent interventions can be improved. ... Read more