Detecting Cryptojacking in Carrier Scale Networks
Cryptojacking is the running of unwanted applications, specifically cryptocurrency mining software, on endpoints and infrastructure, and it is hard to detect. The crypto miner steals processing capability; the impacts are higher electricity (power and cooling) consumption and slower performance of legitimate applications or services. Sustained high CPU utilisation also generates more heat and shortens hardware lifetime.
Cryptocurrencies are mined using complex mathematical calculations that require high processing power. An effective way to implement this is across a distributed network of nodes that each perform individual calculations. One zero-cost way to build such a network of nodes is to inject unauthorised mining software onto unprotected devices (phone, IoT device, laptop, tablet, anything with processing capability and an IP address) through an infected web URL, email malware, deliberate insider installation or any other hijacking technique. The node will then perform the calculations for free.
Infected nodes need to communicate data, such as the results of hash functions, to other nodes and to report results to a control server or wallet. The actual messages are usually very short and can be disguised as regular network traffic, making detection at the endpoint complex.
This means that the best way to detect cryptojacking is to monitor the network for suspicious activity, where a number of devices or nodes are likely to be exhibiting the same anomalous behaviour. Even though the traffic is usually obfuscated, patterns can remain, such as packet size, port or the period between communication sessions, or a pattern of uploading slightly more data than was downloaded.
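The patterns listed above translate directly into flow-level heuristics. The following is an added example, not code from the original article or from Telesoft: it scores each (source, destination, port) conversation in a set of flow records on regular timing between sessions, small average packet size and an upload-to-download ratio slightly above one, then correlates flagged conversations by destination so that several hosts sharing the same behaviour stand out. The flow records, the hosts and addresses, the port 5555 and all thresholds are constructed for illustration and carry no meaning beyond this example.

```python
"""Flow-based cryptojacking heuristics over constructed flow records (example code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time in seconds
    src: str         # internal host
    dst: str         # remote peer
    dport: int       # destination port
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src
    pkts_out: int
    pkts_in: int


def cryptojacking_candidates(flows, min_flows=5, max_cv=0.2,
                             max_pkt_bytes=300, ratio_range=(1.0, 2.5),
                             min_reasons=2):
    """Return one finding per (src, dst, dport) that matches at least
    `min_reasons` of: periodic sessions, small packets, upload > download.
    Thresholds are assumed values for this example, not tuned figures."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), fl in groups.items():
        if len(fl) < min_flows:
            continue                      # too few sessions to judge timing
        fl.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        avg_gap = mean(gaps)
        # coefficient of variation of inter-session gaps: near 0 means beacon-like
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        total_out = sum(f.bytes_out for f in fl)
        total_in = sum(f.bytes_in for f in fl)
        total_pkts = sum(f.pkts_out + f.pkts_in for f in fl)
        avg_pkt = (total_out + total_in) / total_pkts
        ratio = total_out / total_in if total_in else float("inf")

        reasons = []
        if cv <= max_cv:
            reasons.append(f"periodic sessions (~{avg_gap:.0f}s, cv={cv:.2f})")
        if avg_pkt <= max_pkt_bytes:
            reasons.append(f"small packets ({avg_pkt:.0f} B avg)")
        if ratio_range[0] <= ratio <= ratio_range[1]:
            reasons.append(f"upload slightly exceeds download (ratio {ratio:.2f})")
        if len(reasons) >= min_reasons:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings


def correlate_destinations(findings, min_sources=2):
    """Group findings by (dst, dport): several internal hosts showing the same
    anomalous pattern towards one peer is a stronger signal than a single host."""
    by_dst = defaultdict(set)
    for f in findings:
        by_dst[(f["dst"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in by_dst.items() if len(v) >= min_sources}


def _beacon(src, dst, dport, period, count, jitter=0.0):
    # Constructed: regular short exchanges with a little more sent than received.
    return [Flow(1000.0 + i * period + (jitter if i % 2 else 0.0),
                 src, dst, dport, bytes_out=420, bytes_in=310, pkts_out=4, pkts_in=3)
            for i in range(count)]


# Constructed sample: two hosts beaconing to the same peer, one host browsing normally.
SAMPLE_FLOWS = (
    _beacon("10.0.0.5", "203.0.113.7", 5555, period=60, count=8, jitter=2.0)
    + _beacon("10.0.0.6", "203.0.113.7", 5555, period=60, count=8, jitter=1.0)
    + [Flow(1000.0 + t, "10.0.0.9", "198.51.100.20", 443,
            bytes_out=1800, bytes_in=240000, pkts_out=20, pkts_in=180)
       for t in (0, 7, 95, 110, 400, 405, 900, 1300)]   # irregular, download-heavy
)


if __name__ == "__main__":
    found = cryptojacking_candidates(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: " + "; ".join(f["reasons"]))
    print("shared destinations:", correlate_destinations(found))
```

On the constructed input the two beaconing hosts are flagged on all three criteria and the browsing host on none; the correlation step then reports that both flagged hosts talk to the same peer and port. In a real deployment the thresholds would be tuned per network, and the output is a candidate list for analyst review rather than a verdict.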
Using Telesoft's unsampled, multi-100Gbps carrier-scale flow monitoring, collection and analysis system (“TDAC”), the NetOps team within the NSP can discover anomalous traffic patterns that indicate cryptojacking activity. This allows corrective action to be taken to block unauthorised crypto traffic flowing through the network.