Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about 3.5×) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

中文翻译：

---

检测互联网中的物联网设备


从受感染的物联网 (IoT) 设备发起的分布式拒绝服务 (DDoS) 攻击表明，互联网对于大规模 DDoS 攻击是多么脆弱。要了解这些攻击的风险，需要了解这些物联网设备：它们在哪里？有多少人？他们有何变化？本文介绍了在互联网上查找 IoT 设备的三种新方法：流量中的服务器 IP 地址、DNS 查询中的服务器名称以及 TLS 证书中的制造商信息。我们的主要方法（IP 地址和 DNS 名称）使用这些设备制造商运行的服务器的知识。我们的第三种方法使用通过主动扫描获得的 TLS 证书。我们已将我们的算法应用于许多观察。借助基于 IP 的算法，我们可以报告 4 个月内大学校园以及 10 天内通过 IXP 的流量的检测结果。我们将基于 DNS 的算法应用于 2013 年至 2018 年来自 8 个根 DNS 服务器的流量，以研究 AS 级物联网部署。我们发现 23 种 IoT 设备的 AS 渗透率大幅增长（约 3.5 倍），并且使用这些设备类型检测到的 AS 的设备类型密度略有增加（2018 年，80% 的 AS 中最多有 2 种设备类型）。 DNS 还显示 2013 年至 2017 年住宅中物联网部署的大幅增长。我们基于证书的算法找到了来自全球 199 个国家/地区的 254k 个 IP 摄像机和网络录像机。