Mirai Botnet

From SI410

The Mirai botnet is a network of Internet of Things (IoT) devices infected with Mirai malware, used for massive distributed denial of service (DDoS) attacks. The Mirai malware was discovered in August 2016 by MalwareMustDie [1], and its first major attack was on computer security expert Brian Krebs’s personal website [2]. The botnet gained mainstream notoriety after performing the largest DDoS attack in history against DNS provider Dyn in October 2016 [3]. The Mirai botnet is now being rented on the dark web for performing DDoS attacks for high-paying clients [4].

Notable Attacks

Krebs Attack

Depiction of all DDoS attacks against KrebsOnSecurity, from KrebsOnSecurity

The September 20th attack on computer security blogger Brian Krebs's website, KrebsOnSecurity.com, was the first major attack of the Mirai botnet. The attack was estimated to have been around 620 Gbps, which was approximately twice as large as any prior DDoS attack on record. Content Distribution Network provider Akamai thwarted the attack and released a special State of the Internet report following it.

Dyn Attack

Visual representation of Dyn attack provided by DownDetector

On October 21st, the Mirai botnet performed one of the most disruptive DDoS attacks in Internet history. The attack took down Domain Name Service (DNS) provider Dyn, a major backbone for many websites. DNS is a service that translates human-readable URLs to IP addresses. When Dyn went down, many sites including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were rendered unreachable for most users. Estimates report that up to 100,000 IoT devices were used to power the attack, which attained a throughput of up to 1.2 Tbps. [5]

Technical Notes

How Mirai Works

Mirai scans the internet for Internet of Things (IoT) devices that run on the ARC processor. This processor runs a stripped-down version of the Linux operating system. Consequently, if the default username and password combination is not changed, Mirai is able to log into the device and infect it. IoT consists of smart devices that can connect to the internet. These devices include baby monitors, vehicles, network routers, agricultural devices, medical devices, environmental monitoring devices, and home appliances. [6]

Distributed denial-of-service (DDoS) attacks

Diagram of DDoS attack from Cisco

A denial-of-service (DoS) attack is an attack that sends an excessive number of requests from a device on the Internet to flood a victim network with traffic. The intent of a DoS attack is to create enough congestion to render a service or website unusable. A distributed denial-of-service (DDoS) attack uses a collection of devices on the Internet to flood the victim with traffic from many devices. The collection of devices used in a DDoS attack is often referred to as a botnet, and the devices are often exploited without their owners' consent. [7]

Mirai Malware

Mirai malware targets poorly secured IoT devices by brute-forcing its way into them with a list of common usernames and passwords. Mirai then infects the device with software that gives control of its network resources to a central server. Devices will remain infected until they are rebooted. Mirai’s inventor claims that the botnet uses upwards of 380,000 devices in an attack at a rate of 620 Gbps [8]. Interestingly, Mirai's source code contains a hardcoded list of IP addresses that it avoids attacking. The list includes Hewlett-Packard, General Electric, and the US Postal Service [9]. The source code of Mirai has been leaked on GitHub [10].
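The credential brute-forcing described above leaves a recognizable trace in a device's login records: a burst of failed logins from one source, sometimes ending in a success. The following detector is an added example, not part of the original article or of Mirai's code; the log format, the sample lines, and the threshold and window values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical telnet auth-log format.
SAMPLE_LOG = """\
2016-10-21T11:10:01 telnetd: FAIL user=root src=198.51.100.7
2016-10-21T11:10:02 telnetd: FAIL user=admin src=198.51.100.7
2016-10-21T11:10:03 telnetd: FAIL user=support src=198.51.100.7
2016-10-21T11:10:04 telnetd: FAIL user=guest src=198.51.100.7
2016-10-21T11:10:05 telnetd: OK user=admin src=198.51.100.7
2016-10-21T11:12:00 telnetd: FAIL user=alice src=192.0.2.10
2016-10-21T11:40:00 telnetd: FAIL user=alice src=192.0.2.10
2016-10-21T11:41:00 telnetd: OK user=alice src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) telnetd: (FAIL|OK) user=(\S+) src=(\S+)$")

def detect_bruteforce(log_text, max_failures=4, window=timedelta(seconds=60)):
    """Map each suspicious source IP to a verdict.

    "bruteforce":  at least max_failures failed logins inside the window.
    "compromised": a successful login arrived while such a burst was
                   still inside the window (a guessed credential worked).
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other format
        ts = datetime.fromisoformat(m.group(1))
        outcome, src = m.group(2), m.group(4)
        failures = recent[src]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if outcome == "FAIL":
            failures.append(ts)
            if len(failures) >= max_failures:
                verdicts.setdefault(src, "bruteforce")
        elif len(failures) >= max_failures:
            verdicts[src] = "compromised"
    return verdicts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A source flagged as "compromised" points to a device that still accepts a default or common credential. Because the infection does not survive a reboot, rebooting the device and changing that credential is the corresponding remediation.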

Implications on IoT

The Internet of Things refers to the collection of everyday objects with embedded Internet connections. Examples of IoT devices include 'smart objects' like smart TVs, smart refrigerators, etc., as well as Internet beacons and personal assistants. The IoT industry has been criticized by security professionals for having poor security practices, and the immense power achieved by the Mirai botnet has exacerbated this concern. Security professionals also speculate that the attacker who created Mirai is an amateur and not a professional hacker [11].

Mirai For Rent

Since the major attacks in 2016, a market has developed for the Mirai botnet. Hackers are currently renting botnets infected with Mirai on the black market. It is estimated that around 400,000 bots are available for rent; however, customers may choose to rent fractions of the botnet for reduced cost. $4,600 will purchase the usage of 50,000 bots while $7,500 will purchase 100,000. The seller claims it can reach a bandwidth of up to 1 Tbps [12].

The Creators of Mirai

Paras Jha and Josiah White co-founded Protraf Solutions, a company offering mitigation services for Distributed Denial of Service (DDoS) attacks. Protraf Solutions was accused of racketeering – their business offered DDoS mitigation services to the very organizations their malware attacked. [13]

Ethical Implications


Many believe that responsibility for the Mirai attacks falls on the manufacturers of the Internet of Things devices vulnerable to the attack. Even before the Mirai attacks, security experts had criticized Internet of Things devices for their poor security practices. In 2015, security firm Symantec issued a 20-page report named “Insecurity in the Internet of Things” highlighting many common vulnerabilities of IoT devices [14]. Despite many computer security professionals voicing their concerns, there was little response from IoT manufacturers in improving their security practices. Critics argue that these manufacturers were negligent in adhering to very basic security practices, and are ultimately at fault for allowing the Mirai botnet to be created [15].


  1. @unixfreaxjp · (August 31, 2016) · MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled · Malware Must Die! · Retrieved on April 17, 2017
  2. John E Dunn · (September 26, 2016) · Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack · ComputerWorldUK · Retrieved on April 17, 2017
  3. Allison Nixon, John Costello, Zach Wikholm I · (October 25, 2016) · An After-Action Analysis of the Mirai Botnet Attacks on Dyn · Flashpoint · Retrieved on April 17, 2017
  4. Chris Bing · (October 27, 2016) · You can now buy a Mirai-powered botnet on the dark web · Cyberscoop · Retrieved on April 17, 2017
  5. Scott Hilton · (October 26, 2016) · Dyn Analysis Summary Of Friday October 21 Attack · Oracle + Dyn · Retrieved on April 17, 2017
  6. What is the Mirai Botnet? (n.d.). Retrieved from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
  7. United States Computer Emergency Readiness Team (US-CERT) · (November 04, 2009, Last Revised: February 06, 2013) · Security Tip (ST04-015) - Understanding Denial-of-Service Attacks · US-CERT · Retrieved on April 17, 2017
  8. Brian Krebs · (October 16, 2016) · Source Code for IoT Botnet 'Mirai' Released · KrebsonSecurity · Retrieved on April 17, 2017
  9. Ben Herzberg, Dima Bekerman, Igal Zeifman · (October 26, 2016) · Breaking Down Mirai: An IoT DDoS Botnet Analysis · Imperva Incapsula · Retrieved on April 17, 2017
  10. https://github.com/jgamblin/Mirai-Source-Code/tree/master/mirai
  11. Andrea Peterson · (October 26, 2016) · Amateur hackers probably caused Friday's Internet meltdown, researchers say · The Washington Post · Retrieved on April 17, 2017
  12. Lee Mathews · (November 29, 2016) · World's Biggest Mirai Botnet Is Being Rented Out For DDoS Attacks · Forbes · Retrieved on April 17, 2017
  13. What is the Mirai Botnet? (n.d.). Retrieved from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
  14. https://www.symantec.com/content/dam/symantec/docs/white-papers/insecurity-in-the-internet-of-things-en.pdf
  15. https://www.fastcompany.com/3064904/after-years-of-warnings-internet-of-things-devices-to-blame-for-big-internet-attack