Published August 20, 2024 | Version v1
Conference paper Open

Macroscopic Insights of IoT Botnet Dynamics via AS-level Tolerance Assessment

  • 1. King Abdulaziz University
  • 2. Okta, Inc.
  • 3. KIOS Research and Innovation Center of Excellence, University of Cyprus
  • 4. Department of Electrical and Computer Engineering, University of Cyprus

Description

The ubiquitous integration of the IoT in current sociotechnical systems, alongside the manufacturing of IoT devices and IoT-enabled services equipped with minimal security, has profoundly altered the cyber-threat landscape. Consequently, the overwhelming majority of cyberattacks utilise compromised IoT devices as a vessel for initiating large-scale volumetric attacks (e.g., DDoS) or stealthy Advanced Persistent Threats (APTs) such as ransomware through well-orchestrated IoT botnets. Due to the constantly evolving nature of these botnets and their diverse structural characteristics, tracking their activities poses considerable challenges, since malicious actors and botnet owners often adopt new strategies to evade detection and expand their botnet network. Evidently, Autonomous Systems (ASes) and their implied organisational and regulatory properties play a crucial role in botnet propagation. In this paper, we present a novel and extensive macroscopic measurement study quantifying AS-level tolerance in the context of IoT botnet behavioral dynamics across the global IPv4 address space. In order to verify and justify our hypotheses in terms of AS-level tolerance, we conduct a longitudinal analysis over 3.8M malicious events triggered by IoT botnets across over 8K ASes, using measurements gathered through globally distributed honeypots, IP blacklists and Internet regional registries for a three-year period. We argue that the findings of this work can greatly benefit a range of stakeholders designing, operating, and managing current defense mechanisms, as well as contributing significantly towards the evolution of next-generation cyber defense mechanisms.

Notes

This version of the manuscript has been accepted for publication in the Proceedings of the 2024 IEEE International Conference on Communications (ICC 2024) after peer review (Author Accepted Manuscript). It is not the final published version (Version of Record) and does not reflect any post-acceptance improvements. The Version of Record is available online at https://doi.org/10.1109/ICC51166.2024.10622782.

Files

a894-almazarqi_accepted.pdf

Files (241.4 kB)

md5:4c79cc20b34d6c0c337875e50cb03ee3

Additional details

Funding

European Commission
COCOON – COoperative Cyber prOtectiON for modern power grids 101120221
European Commission
KIOS – KIOS Research Center of Excellence for Intelligent Systems and Networks 664639

Dates

Available
2024-08-20