Understanding the Mirai Botnet

TRACKING MIRAI’S SPREAD
Bootstrapping
• Mirai scanning began on August 1, 2016 from an IP address belonging to DataWagon, a U.S.-based bulletproof hosting provider
• This bootstrap scan lasted approximately two hours
• Mirai's initial doubling time was 75 minutes
• This modest doubling time is due to
  • low bandwidth
  • limited computational resources
Tracking Mirai’s Spread
Geographical Distribution
• We compare countries that harbored the most infections on 09/21/2016 with countries that hosted the most telnet devices on 07/19/2016, prior to Mirai's onset.
• Mirai infections occurred disproportionately in South America and Southeast Asia, accounting for 50% of infections.
Device Composition

• Mirai largely infected regions considered to be low-quality hosts used for proxies and DDoS
• Infected devices had default passwords generic enough to be traceable to a device vendor and device type
Device Composition

Target devices:
• network-attached storage appliances
• home routers
• cameras
• DVRs
• printers
• TV receivers
Manufacturers:
• Dahua
• Huawei
• ZTE
• Cisco
• ZyXEL
• MikroTik
Device Bandwidth

• Half of the Mirai bots that scanned our network telescope sent fewer than 10,000 scan packets
• The majority of bots scanned at an estimated rate below 250 bytes per second
• Mirai was primarily powered by devices with limited computational capacity, located in regions with low bandwidth
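The two measurements above (per-bot scan packet counts and byte rates from a telescope, and the population doubling time from the Bootstrapping slide) can be reproduced from a packet log. This is an added example, not the paper's measurement code; the telescope records, source addresses, probe size and the choice of telnet ports 23/2323 as scan ports are all constructed assumptions.

```python
"""Profile scanning bots seen by a network telescope (added example, constructed data).
Records are (timestamp_s, src_ip, dst_port, packet_len). From them we derive each bot's
scan packet count and byte rate, and estimate the doubling time of the infected
population from first-seen times under an exponential growth model."""
from collections import defaultdict
from math import log2

SCAN_PORTS = {23, 2323}  # assumption: count only telnet-style scan probes
PKT_LEN = 64             # constructed probe size in bytes
OBS_WINDOW = 600.0       # constructed: each bot's probes are spread over 10 minutes
# Constructed bots as (first_seen_s, scan_packets): two appear at t=0, two at
# 75 min and four at 150 min, so the population doubles every 75 minutes.
BOTS = [(0, 50), (0, 200), (4500, 12000), (4500, 300),
        (9000, 500), (9000, 20000), (9000, 150), (9000, 800)]

def make_records():
    """Synthetic telescope capture; one non-scan packet is included as noise."""
    recs = []
    for i, (first, n) in enumerate(BOTS):
        src = f"10.0.{i}.1"  # constructed source address
        recs += [(first + j * OBS_WINDOW / (n - 1), src, 23, PKT_LEN) for j in range(n)]
    recs.append((100.0, "10.9.9.9", 80, 500))  # HTTP packet: not a scan, must be ignored
    return recs

def profile_bots(records):
    """Per source: scan packets, bytes, first/last seen and estimated byte rate."""
    prof = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dport, length in records:
        if dport not in SCAN_PORTS:
            continue
        p = prof[src]
        p["packets"] += 1
        p["bytes"] += length
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    for p in prof.values():
        span = max(p["last"] - p["first"], 1.0)  # one-packet bots: avoid dividing by zero
        p["rate_bps"] = p["bytes"] / span
    return dict(prof)

def fraction_below(profiles, key, threshold):
    """Share of bots whose metric `key` is below `threshold`."""
    return sum(1 for p in profiles.values() if p[key] < threshold) / len(profiles)

def estimate_doubling_minutes(profiles, t0, t1):
    """Doubling time from the number of bots first seen by t0 versus by t1."""
    n0 = sum(1 for p in profiles.values() if p["first"] <= t0)
    n1 = sum(1 for p in profiles.values() if p["first"] <= t1)
    return (t1 - t0) / 60.0 / log2(n1 / n0)
```

On the constructed data, 75% of bots send fewer than 10,000 packets and scan below 250 B/s, and the doubling time comes out at 75 minutes.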
OWNERSHIP AND EVOLUTION
Ownership
• In order to identify the structure of Mirai command and control servers, we turned to active and passive DNS data, which we used to cluster C2 IPs and domains based on shared network infrastructure.
• Seeding DNS expansion with the two IPs and 67 domains that were collected by reverse engineering Mirai binaries, we identified 33 independent C2 clusters that shared no infrastructure.
• Clusters varied from a single host to the largest cluster, which contained 112 C2 domains and 92 IP addresses.
• The lack of shared infrastructure between these clusters lends credence to the idea that there were multiple active bot operators during our study period.
Evolution

• C2 infrastructure upgraded from an IP-based C2 to a domain-based C2
• Malware began to delete its executing binary, as well as obfuscate its process ID
• Addition of more passwords to infect additional devices
MIRAI DDOS ATTACKS
Mirai’s DDoS Attacks

• Conducted tens of thousands of Distributed Denial of Service (DDoS) attacks.
• The three main resource exhaustion techniques employed were:
  1. Volumetric
  2. TCP State Exhaustion
  3. Application Layer Attacks
Mirai Botnet Targets
• Individuals: 93.7%
• Subnets: 3%
• Domain names: 2.4%
Mirai Victims
[Bar chart: "Concentration of Mirai Victims" by country (US, France, U.K., other countries), share of victims on the vertical axis from 0% to 60%; bar values are not recoverable from the extracted text.]
HIGH PROFILE ATTACKS
Krebs on Security

• Krebs on Security has a long history of being targeted by DDoS attacks.
• On September 21, 2016 it was subject to an unprecedented 623 Gbps DDoS attack.
• The devices involved were mostly situated in Southeast Asia and South America; cluster 1 was responsible for this attack.
Dyn

• Dyn is a well-known DNS service provider
• It suffered a series of DDoS attacks that disrupted name resolution for high-profile clients such as Amazon, GitHub, Netflix, PayPal, Reddit and Twitter
• The attack on Dyn on October 21, 2016 was not solely aimed at Dyn; rather, the attacker was targeting gaming infrastructure
• The attack was carried out by cluster 6.
Lonestar Cell

• Lonestar Cell was the third high-profile target of the Mirai botnet.
• It is a large telecom operator in Liberia
• It bore the largest impact of the attacks by the Mirai botnet
• Mirai substantially degraded Liberia's overall Internet connectivity
• There were a total of 616 attacks on Lonestar
Discussion

• The Mirai attacks highlight the technical and regulatory challenges of securing interface-less IoT devices.
• To protect interface-less IoT devices from such botnet attacks in the future, the following precautionary measures are important:
  • Security hardening
  • Automatic updates
  • Notifications
  • Facilitating device identification
  • End of life
Security Hardening

• Randomize default passwords in order to stop attacks that exploit weak defaults and software vulnerabilities in IoT devices
• IoT security must evolve away from default-open ports to default-closed
• Default networking configurations should limit remote access to those devices to local networks or specific providers
• Certifications might help guide consumers to more secure choices as well as pressure manufacturers to produce more secure products.
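The first three hardening measures on this slide can be turned into an inventory check. This is an added example, not from the paper: the device records, the placeholder vendor-default list, and the choice of which ports count as management ports are constructed assumptions.

```python
"""Audit IoT device configurations against the hardening measures on the slide
(added example, not from the paper; device records and default list are constructed).
Checks: no known vendor-default credential, management ports closed to the Internet
by default, and remote management limited to local networks or named provider ranges."""
import ipaddress

# Constructed placeholder defaults in (vendor, username, password) form.
KNOWN_DEFAULTS = {("vendor-a", "admin", "admin"), ("vendor-b", "root", "12345")}
MANAGEMENT_PORTS = {22, 23, 80, 443, 2323}  # assumption: ports treated as management
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_device(dev, provider_nets=()):
    """Return a list of findings; an empty list means the device passes all checks."""
    findings = []
    if (dev["vendor"], dev["user"], dev["password"]) in KNOWN_DEFAULTS:
        findings.append("vendor default credential still in use")
    exposed = sorted(set(dev["wan_open_ports"]) & MANAGEMENT_PORTS)
    if exposed:
        findings.append(f"management ports open to the Internet by default: {exposed}")
    allowed = LOCAL_NETS + [ipaddress.ip_network(n) for n in provider_nets]
    for src in dev["mgmt_allowed_from"]:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"remote management permitted from non-local range {src}")
    return findings

# Constructed device inventory.
DEVICES = [
    {"name": "cam-1", "vendor": "vendor-a", "user": "admin", "password": "admin",
     "wan_open_ports": [23, 554], "mgmt_allowed_from": ["0.0.0.0/0"]},
    {"name": "router-1", "vendor": "vendor-b", "user": "root", "password": "Qx7!v2p9Lm",
     "wan_open_ports": [], "mgmt_allowed_from": ["192.168.1.0/24"]},
    {"name": "dvr-1", "vendor": "vendor-b", "user": "root", "password": "t3Rk#81zzA",
     "wan_open_ports": [], "mgmt_allowed_from": ["203.0.113.0/24"]},  # provider's range
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["name"], audit_device(dev, provider_nets=["203.0.113.0/24"]) or ["ok"])
```

The DVR only passes when its operator's range is supplied as an allowed provider network, which is the "specific providers" exception the slide mentions.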
Automatic Updates

• Automatic updates provide developers a timely mechanism to patch bugs and vulnerabilities
• Automatic updates require a modular software architecture by design to securely overwrite core modules, with rollback capabilities in the event of a failure.
Notifications

• Notifications serve as a fallback mechanism to bring devices back into security compliance or to clear infections.
• IoT devices could be required to register an email address with the manufacturer or with a unified, interoperable monitoring platform that can alert consumers of serious issues.
Facilitating device identification

• IoT manufacturers could adopt a uniform way of identifying model and firmware version to the network
End of Life

• End-of-life can leave hundreds of thousands of in-use IoT devices without support.
• The risk that these devices pose to the Internet commons will only grow unless they are taken offline.
Conclusion

• The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with some of the largest distributed denial-of-service (DDoS) attacks on record.
• While IoT devices present many unique security challenges, Mirai's emergence was primarily based on the absence of security best practices in the IoT space
• As the IoT domain continues to expand and evolve, we hope Mirai serves as a call to arms for industrial, academic, and government stakeholders concerned about the security, privacy, and safety of an IoT-enabled world.
