Based on recent events, specifically the DDoS attack on Dyn's DNS service that took major websites (GitHub, Reddit, etc.) offline for hours. The malware behind that attack, Mirai, spreads by logging in to insecure IoT devices (IP cameras, DVRs, home routers and the like) over telnet with default manufacturer credentials. Each hijacked device then scans for more devices to infect, and soon you have a botnet of hundreds of thousands of devices doing your malicious bidding.
What it does
Kanashi is a system that monitors all outbound traffic from your local network. It inspects each packet for three things: a destination IP on a blacklist of known-bad addresses; a burst of connections from one device to many distinct destination IPs, which is what a Mirai-style scan for new victims looks like; and a source IP that does not belong to the local network, meaning the device is spoofing its address. Once something is detected, Kanashi blocks the offending device's outbound traffic, texts the device owner an alert, and logs the event to a dashboard viewable from within our web application.
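The three rules above, as an added example that is not Kanashi's own code: a Go detector that applies them to a stream of packet records and keeps a flagged device blocked afterwards. The `Flow` type, the 192.168.1.0/24 LAN, the single blacklist entry, the one-second window, the 10-destination threshold and the sample traffic are all assumptions constructed for this example; the real server would fill `Flow` from gopacket's decoded IP and TCP layers.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Flow is one outbound packet reduced to the fields the rules need. In the
// real server these come from a gopacket decode; here they are constructed.
type Flow struct {
	Src     net.IP
	Dst     net.IP
	DstPort uint16
	At      time.Time
}

// Verdict says why a packet was flagged.
type Verdict struct {
	Reason string
	Flow   Flow
}

// Detector implements the three rules: destination blacklist, distinct
// destinations per source inside a sliding window (scan detection), and a
// source address that does not belong to the local subnet (spoofing).
type Detector struct {
	lan       *net.IPNet
	blacklist map[string]bool
	window    time.Duration
	threshold int
	seen      map[string]map[string]time.Time // src -> dst -> last seen
	blocked   map[string]bool                 // local sources already cut off
}

func NewDetector(lanCIDR string, blacklist []string, window time.Duration, threshold int) (*Detector, error) {
	_, lan, err := net.ParseCIDR(lanCIDR)
	if err != nil {
		return nil, err
	}
	d := &Detector{lan: lan, blacklist: map[string]bool{}, window: window, threshold: threshold,
		seen: map[string]map[string]time.Time{}, blocked: map[string]bool{}}
	for _, ip := range blacklist {
		d.blacklist[ip] = true
	}
	return d, nil
}

// Inspect evaluates one packet and returns the verdicts raised plus whether
// the packet should be dropped. A local source stays blocked once flagged.
func (d *Detector) Inspect(f Flow) ([]Verdict, bool) {
	src, dst := f.Src.String(), f.Dst.String()
	var out []Verdict

	if !d.lan.Contains(f.Src) {
		out = append(out, Verdict{"spoofed source " + src, f})
	}
	if d.blacklist[dst] {
		out = append(out, Verdict{"blacklisted destination " + dst, f})
	}

	// Scan rule: Mirai's scanner sprays SYNs at random addresses, so one
	// source touching many distinct destinations in a short window is the tell.
	dsts := d.seen[src]
	if dsts == nil {
		dsts = map[string]time.Time{}
		d.seen[src] = dsts
	}
	dsts[dst] = f.At
	for k, t := range dsts {
		if f.At.Sub(t) > d.window {
			delete(dsts, k) // expire destinations that fell out of the window
		}
	}
	if len(dsts) == d.threshold { // fires once, as the threshold is crossed
		out = append(out, Verdict{fmt.Sprintf("scan: %d distinct destinations within %s", len(dsts), d.window), f})
	}

	drop := len(out) > 0 || d.blocked[src]
	if len(out) > 0 && d.lan.Contains(f.Src) {
		// Persist the block only for real local addresses: a spoofed source is
		// not a usable key (a production build would block by MAC address).
		d.blocked[src] = true
	}
	return out, drop
}

func main() {
	d, err := NewDetector("192.168.1.0/24", []string{"203.0.113.7"}, time.Second, 10)
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2016, 10, 21, 12, 0, 0, 0, time.UTC)
	// Constructed traffic: a DNS lookup, a blacklisted destination, a spoofed
	// source, then one device sweeping 12 hosts on telnet (23) in 120 ms.
	flows := []Flow{
		{net.ParseIP("192.168.1.20"), net.ParseIP("8.8.8.8"), 53, t0},
		{net.ParseIP("192.168.1.20"), net.ParseIP("203.0.113.7"), 443, t0.Add(time.Millisecond)},
		{net.ParseIP("10.0.0.5"), net.ParseIP("198.51.100.9"), 80, t0.Add(2 * time.Millisecond)},
	}
	for i := 1; i <= 12; i++ {
		flows = append(flows, Flow{net.ParseIP("192.168.1.30"), net.ParseIP(fmt.Sprintf("198.51.100.%d", i)), 23,
			t0.Add(time.Duration(i) * 10 * time.Millisecond)})
	}
	for _, f := range flows {
		verdicts, drop := d.Inspect(f)
		for _, v := range verdicts {
			fmt.Printf("ALERT %s -> %s:%d  %s\n", f.Src, f.Dst, f.DstPort, v.Reason)
		}
		if drop {
			fmt.Printf("DROP  %s -> %s:%d\n", f.Src, f.Dst, f.DstPort)
		}
	}
}
```

The scan rule fires once, on the packet that pushes a device over the threshold, and the device is then dropped silently; a real deployment would also want the window and threshold tuned against normal traffic, since a laptop opening a busy web page touches a dozen distinct hosts quickly too.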
How we built it
The server was written in Go using the gopacket library for traffic inspection. It runs on a Raspberry Pi 3, which we connected to the internet through a wired link to a laptop that forwarded its traffic. All events are written to a sqlite3 database, which is read in turn by our web application running on Flask. Events are also sent to the device owner as a text message via a Twilio REST call. We also built an Android app that generates 'malicious' traffic and sends it to our server to test its behaviour.
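An added example, not Kanashi's own code, of the alerting path described above: building the Twilio Messages API call (the real endpoint is a POST to /2010-04-01/Accounts/{AccountSid}/Messages.json with HTTP basic auth and To/From/Body form fields, and Twilio answers 201 Created when the message is queued) behind a per-device cooldown, so one scanning device produces one text rather than one per packet. The `Event` fields, `Notifier`, the environment variable names and the placeholder numbers are assumptions of this example, not Kanashi's schema.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// TwilioBase is the API host; a variable so a test can point it at a fake server.
var TwilioBase = "https://api.twilio.com"

// Event is one detection with the fields the SMS and dashboard need.
// The field names are this example's, not Kanashi's sqlite3 schema.
type Event struct {
	At     time.Time
	Device string // local IP of the offending device
	Dest   string
	Reason string
}

// AlertText renders the SMS body, kept inside one 160-character segment.
func AlertText(e Event) string {
	s := fmt.Sprintf("Kanashi: blocked %s -> %s (%s) at %s", e.Device, e.Dest, e.Reason, e.At.Format("15:04:05"))
	if len(s) > 160 {
		s = s[:160]
	}
	return s
}

// Notifier rate-limits texts to one per device per cooldown. A scanning DVR
// trips the detector thousands of times a minute; the owner needs one text.
type Notifier struct {
	cooldown time.Duration
	last     map[string]time.Time
}

func NewNotifier(cooldown time.Duration) *Notifier {
	return &Notifier{cooldown: cooldown, last: map[string]time.Time{}}
}

// ShouldNotify reports whether a text may go out for this device now and,
// if so, records the send.
func (n *Notifier) ShouldNotify(device string, now time.Time) bool {
	if t, ok := n.last[device]; ok && now.Sub(t) < n.cooldown {
		return false
	}
	n.last[device] = now
	return true
}

// NewTwilioRequest builds the Messages API call. Credentials are passed in by
// the caller (read from the environment); never compile them into the binary.
func NewTwilioRequest(accountSID, authToken, from, to, body string) (*http.Request, error) {
	endpoint := TwilioBase + "/2010-04-01/Accounts/" + url.PathEscape(accountSID) + "/Messages.json"
	form := url.Values{}
	form.Set("To", to)
	form.Set("From", from)
	form.Set("Body", body)
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(accountSID, authToken)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// SendAlert performs the call. Anything other than 201 Created is reported
// as an error carrying the start of Twilio's response body.
func SendAlert(client *http.Client, req *http.Request) error {
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		b, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return fmt.Errorf("twilio: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(b)))
	}
	return nil
}

func main() {
	sid, token := os.Getenv("TWILIO_ACCOUNT_SID"), os.Getenv("TWILIO_AUTH_TOKEN")
	from, to := os.Getenv("TWILIO_FROM"), os.Getenv("OWNER_PHONE")
	ev := Event{At: time.Now(), Device: "192.168.1.30", Dest: "198.51.100.10", Reason: "scan: 10 distinct destinations within 1s"}
	n := NewNotifier(10 * time.Minute)
	if !n.ShouldNotify(ev.Device, ev.At) {
		return
	}
	if sid == "" || token == "" {
		fmt.Println("dry run (set TWILIO_ACCOUNT_SID/TWILIO_AUTH_TOKEN to send):", AlertText(ev))
		return
	}
	req, err := NewTwilioRequest(sid, token, from, to, AlertText(ev))
	if err != nil {
		panic(err)
	}
	// A timeout keeps a slow API call from stalling the packet loop.
	if err := SendAlert(&http.Client{Timeout: 5 * time.Second}, req); err != nil {
		fmt.Println("alert failed:", err)
	}
}
```

The cooldown belongs in front of the Twilio call rather than inside the detector: the dashboard should still log every event, but the owner's phone should not.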
Challenges we ran into
Configuring the Raspberry Pi and getting it to see the network traffic. Working out how to generate dummy 'malicious' packets and send them to the server. Extracting fields from each packet and carrying information across protocol layers (keeping the IP source address alongside the TCP destination port, for example).
What we learned
What's next for Kanashi
Make the packet inspection more intelligent: use ML to train Kanashi to recognise malicious traffic more accurately, though a classifier's verdict that "this is malicious" would have to be treated as less definitive than a blacklist hit. Link the server up to a database of known malicious IPs that is constantly updated, akin to how antivirus software updates its virus definitions. Ideally, our server should run on a router: the Raspberry Pi does all packet retrieval in software, which costs far more than the dedicated forwarding hardware a router provides, and a router also sees every packet leaving the LAN by construction, whereas a separate box only sees what is routed or mirrored through it.