Abstract

The adoption of the IoT by modern sociotechnical systems in synergy with the rapid deployment of insecure IoT devices and services has transformed the cyber-threat landscape. Thus, the vast majority of cyberattacks are underpinned by the orchestration of compromised IoT devices that are globally distributed and controlled through carefully designed IoT botnets. Contrary to conventional belief, cybersecurity vectors instrumented by such botnets are not always uniformly distributed across Internet Autonomous Systems (ASes). By virtue of network structural characteristics imposed by each individual Autonomous System (AS) as well as the diversity in terms of AS-level cybersecurity policies, the spatiotemporal manifestation of IoT botnets differs. In this work, we provide a novel measurement study that empirically quantifies AS tolerance of IoT botnet propagation in the global IPv4 Internet. We assess and correlate measurements gathered by globally distributed honeypots, Internet regional registries and IP blacklists for a 15-month period and observe more than 3.2M malicious events triggered by IoT botnets spanning 9.5K ASes. Our work demonstrates that ASes connected to a low number of providers are prone to embrace a high portion of malicious activities. Hence, we provide evidence on concentrated botnet activities and determine the effectiveness of widely used IP blacklists. In general, this study contributes towards empowering knowledge on large-scale cyber-attacks as being crucial for the composition of next generation data-driven cybersecurity defence applications.