CYBERTRUST

DDoS in the IoT: Mirai and Other Botnets

Constantinos Kolias, George Mason University
Georgios Kambourakis, University of the Aegean
Angelos Stavrou, George Mason University
Jeffrey Voas, IEEE Fellow

The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.

The ubiquity and increasing popularity of the Internet of Things (IoT) have made IoT devices a powerful amplifying platform for cyberattacks. Given the recent headline-making severity and frequent recurrence of security incidents involving such devices, they’ve clearly become the new weakest link in the security chain of modern computer networks. IoT devices might be the feeble brother of desktop systems, yet what they lack in computational capabilities they make up for in numbers. Moreover, because they’re constantly connected to the Internet and seemingly permeated with flaws—in many cases the outcome of naive security configurations—they constitute low-hanging fruit for hackers. The large volume, pervasiveness, and high vulnerability of IoT devices have attracted many bad actors, particularly those orchestrating distributed denial-of-service (DDoS) attacks.

“THE FUTURE” IS HERE
A recent prominent example is the Mirai botnet. First identified in August 2016 by the whitehat security research group MalwareMustDie,1 Mirai—Japanese for “the future”—and its many variants and imitators have served as the vehicle for some of the most potent DDoS attacks in history.

Computer, published by the IEEE Computer Society, 0018-9162/17/$33.00 © 2017 IEEE


EDITOR JEFFREY VOAS, NIST; [email protected]

In September 2016, the website of computer security consultant Brian Krebs was hit with 620 Gbps of traffic, “many orders of magnitude more traffic than is typically needed to knock most sites offline.”2 At about the same time, an even bigger DDoS attack using Mirai malware—peaking at 1.1 Tbps—targeted the French webhost and cloud service provider OVH.3 In the wake of the public release of Mirai’s source code by its creator soon afterward,4 hackers offered Mirai botnets for rent with as many as 400,000 simultaneously connected devices.5 More Mirai attacks followed, notably one in October 2016 against service provider Dyn that took down hundreds of websites—including Twitter, Netflix, Reddit, and GitHub—for several hours.6

Mirai primarily spreads by first infecting devices such as webcams, DVRs, and routers that run some version of BusyBox (busybox.net). It then deduces the administrative credentials of other IoT devices by means of brute force, relying on a small dictionary of potential username–password pairs. Today, Mirai mutations are generated daily, and the fact that they can continue to proliferate and inflict real damage using the same intrusion methods as the original malware is indicative of IoT device vendors’ chronic neglect in applying even basic security practices.

Surprisingly, IoT botnets have received only sporadic attention from researchers.7,8 If the security community doesn’t respond more quickly and devise novel defenses, however, ever-more sophisticated attacks will become the norm and might disrupt the Internet infrastructure itself.

MIRAI THROUGH THE LOOKING GLASS
Mirai causes a DDoS against a set of target servers by constantly propagating to weakly configured IoT devices.

Figure 1. Mirai botnet operation and communication. Mirai causes a distributed denial of service (DDoS) to a set of target servers by constantly propagating to weakly configured Internet of Things (IoT) devices. [Diagram: the components are the C&C server, loader, report server, bot, new bot victim, and target server; the labeled steps are 1. Brute force, 2. Report, 3. Check status, 4. Infect command, 5. Malicious binary, 6. Attack command, and 7. Attack.]

Main components
A Mirai botnet is comprised of four major components. The bot is the malware that infects devices. Its twofold aim is to propagate the infection to misconfigured devices and to attack a target server as soon as it receives the corresponding command from the person controlling the bot, or botmaster. The command and control (C&C) server provides the botmaster with a centralized management interface to check the botnet’s condition and orchestrate new DDoS attacks. Typically, communication with other parts of the infrastructure is conducted via the anonymous Tor network. The loader facilitates the dissemination of executables targeting different platforms (18 in total, including ARM, MIPS, and x86) by directly communicating with new victims. The report server maintains a database with details about all devices in the botnet. Newly infected ones typically directly communicate with it.

Botnet operation and communication
Initially, Mirai scans random public IP addresses through TCP ports 23 or 2323. Some addresses, including those of the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority, General Electric, and Hewlett-Packard, are excluded, probably to avoid attracting government attention.9 Figure 1 shows the key steps in botnet operation and communication.

Step 1. The bot engages in a brute-force attack to discover the default credentials of weakly configured IoT devices. There are 62 possible username–password pairs hardcoded in Mirai.

Step 2. Upon discovering the correct credentials and gaining a shell (a command-line or graphical user interface), the bot forwards various device characteristics to the report server through a different port.

Computer, July 2017

Figure 2. Distinctive communication patterns between an infected IoT device and Mirai’s loader component. [Plot: communication sessions between bot and infrastructure, packet size in bytes (0 to 1,200) against time in seconds (0.5 to 3.0); the series are SYN, FIN, PSH + ACK (from infrastructure), and PSH + ACK (from bot).] SYN (synchronize), FIN (finish), PSH (push), and ACK (acknowledge) are standard TCP packet types.

Step 3. Via the C&C server, the botmaster frequently checks new prospective target victims as well as the botnet’s current status by communicating with the report server, typically through Tor.

Step 4. After deciding which vulnerable devices to infect, the botmaster issues an infect command in the loader containing all necessary details—for example, IP address and hardware architecture.

Step 5. The loader logs into the target device and instructs it to download and execute the corresponding binary version of the malware, typically via GNU Wget (www.gnu.org/software/wget/manual/wget.html) or the Trivial File Transfer Protocol. Interestingly, as soon as the malware is executed it will attempt to protect itself from other malware by shutting down points of intrusion such as Telnet and Secure Shell (SSH) services. At this point, the newly recruited bot instance can communicate with the C&C server to receive attack commands. It does so by resolving a domain name hardcoded in the executable (by default, the value of this entry is cnc.changeme.com in Mirai’s source code) rather than a static IP address. Thus, the botmaster has the luxury of changing his IP address over time without modifying the binary and without extra communication.

Step 6. The botmaster instructs all bot instances to commence an attack against a target server by issuing a simple command through the C&C server with the corresponding parameters such as the type and duration of attack and the IP addresses of the bot instances and target server.

Step 7. The bot instances will start attacking the target server with one of 10 available attack variations such as Generic Routing Encapsulation (GRE), TCP, and HTTP flooding attacks.

Mirai signatures
Compared to other similar malware,10 Mirai doesn’t try to avoid detection. Almost all stages of infection leave a footprint that can be recognized through basic network analysis. Mirai signatures include

›› sequentially testing specific credentials in specific ports,
›› sending reports that generate distinctive patterns,
›› downloading a specific type of binary code,
›› exchanging keep-alive messages,
›› receiving attack commands that have a specific structure, and
›› generating attack traffic with very few random elements.

Figure 2 shows some standard communication patterns between an IoT device that’s already infected but not actively launching any kind of attack and Mirai’s loader component. Although the communication session times vary, the type of messages, their packet sizes, and the sequence of messages form a characteristic pattern indicative of the malware’s infection.

MIRAI VARIANTS
One would have expected the public release of Mirai’s source code, coupled with its relatively noisy network presence, to quickly lead to effective detection and defense mechanisms. However, the opposite occurred: within only two months of the source code’s release, the number of bot instances more than doubled, from 213,000 to 493,000, and a wide range of Mirai variants emerged.11 Even today—nearly a year after Mirai’s appearance—bots continue to exploit the same weak security configurations in the same types of IoT devices.

Although most Mirai infections occur through TCP ports 23 and 2323, Mirai strains identified in November 2016 rely on other TCP ports to commandeer devices—for example, port 7547, which ISPs use to remotely manage customers’ broadband routers. That same month, one such Mirai variant knocked nearly a million Deutsche Telekom subscribers offline.12
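Two of the signatures listed under Mirai signatures (sequential credential testing on specific ports, and the fixed message sequence and packet sizes of the loader session in Figure 2) can be expressed as flow-level checks. The Python below is an added example, not code from the article or from Mirai; the flow records, the scan threshold, and the loader-session template with its byte ranges are constructed assumptions, and a real template would have to be measured from a capture as Figure 2 does.

```python
"""Flow-level checks for two Mirai footprints: Telnet sweeps and the loader session."""
from collections import defaultdict

# TCP ports the article names: 23/2323 for Mirai brute forcing, 7547 for the Nov. 2016 variant.
MIRAI_PORTS = {23, 2323, 7547}

# Constructed sample flows: (time_s, src, dst, dport, tcp_flags, payload_bytes).
# 10.0.0.7 behaves like an infected device sweeping Telnet; 10.0.0.9 is benign traffic.
FLOWS = [(i * 0.05, "10.0.0.7", f"198.51.100.{i}", 23 if i % 2 else 2323, "S", 0)
         for i in range(1, 13)]
FLOWS += [(1.0, "10.0.0.9", "198.51.100.50", 443, "S", 0),
          (1.1, "10.0.0.9", "198.51.100.50", 443, "PA", 517),
          (2.0, "10.0.0.9", "198.51.100.51", 23, "S", 0)]  # one Telnet login, not a sweep

def find_scanners(flows, window_s=5.0, min_targets=8):
    """Return {src: peak} for sources whose bare SYNs reach >= min_targets distinct
    hosts on MIRAI_PORTS inside any window_s-second window (Step 1 of the infection)."""
    syns = defaultdict(list)
    for t, src, dst, dport, flags, _ in flows:
        if dport in MIRAI_PORTS and flags == "S":  # bare SYN = a new connection attempt
            syns[src].append((t, dst))
    hits = {}
    for src, events in syns.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window_s}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits

# Hypothetical template for the bot-to-loader session of Figure 2, as
# (direction, tcp_flags, min_bytes, max_bytes); the byte ranges are assumed, not measured.
LOADER_TEMPLATE = [("bot", "S", 0, 0), ("infra", "PA", 40, 120),
                   ("bot", "PA", 900, 1200), ("infra", "F", 0, 0)]

# Constructed session between an infected device and the loader: (direction, flags, bytes).
SESSION = [("bot", "S", 0), ("infra", "SA", 0), ("bot", "A", 0), ("infra", "PA", 64),
           ("bot", "A", 0), ("bot", "PA", 1024), ("infra", "F", 0)]

def matches_template(session, template=LOADER_TEMPLATE):
    """True when the template appears, in order, as a subsequence of the session;
    handshake packets and bare ACKs in between are ignored, as session times vary."""
    i = 0
    for direction, flags, size in session:
        if i == len(template):
            break
        d, f, lo, hi = template[i]
        if direction == d and flags == f and lo <= size <= hi:
            i += 1
    return i == len(template)

if __name__ == "__main__":
    print("scanners:", find_scanners(FLOWS))            # {'10.0.0.7': 12}
    print("loader session:", matches_template(SESSION))  # True
```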

In February 2017, a Mirai variant launched a 54-hour-long DDoS attack against a US college.13 The following month, yet another novel variant appeared with bitcoin miner functionality, although it’s doubtful that compromising IoT devices would yield significant revenue.14

Active since April 2017, Persirai15 is another IoT botnet that shares Mirai’s code base. Discovered by Trend Micro researchers and named for its likely Iranian origin (the name is a portmanteau of Persian and Mirai), it attempts to access the interface of specific vendors’ webcams through TCP port 81. If successful, it then worms its way into the client’s router through a universal plug and play (UPnP) vulnerability, downloads the malicious binaries, and, after execution, deletes them. Rather than deducing webcam credentials via a brute-force attack, the malware proliferates by exploiting a documented zero-day flaw that lets attackers directly obtain the password file. The DDoS attack armory includes User Datagram Protocol flooding attacks. An estimated 120,000 devices in the wild are vulnerable to Persirai.

OTHER IOT BOTNETS
Following Mirai’s example, other IoT botnets have recently emerged. While relying on the same basic principles, the authors of this malware are exploring increasingly sophisticated mechanisms to make their botnets more powerful than the competition as well as to obfuscate their activity.

The first IoT botnet written in the Lua programming language was reported by MalwareMustDie in late August 2016.16 Most of its army is composed of cable modems with ARM CPUs and using Linux. This malware incorporates sophisticated features such as an encrypted C&C communication channel and customized iptables rules to protect infected devices.

The Hajime botnet, discovered in October 2016 by Rapidity Networks,17 uses a method of infection similar to that of Mirai. However, rather than having a centralized architecture, Hajime relies on fully distributed communications and makes use of the BitTorrent DHT (distributed hash table) protocol for peer discovery and the uTorrent Transport Protocol for data exchange. Every message is RC4 encrypted and signed using public and private keys. So far, Hajime hasn’t evidenced malicious behavior; in fact, it actually closes potential sources of vulnerabilities in IoT devices that Mirai-like botnets exploit, causing some researchers to speculate that it was created by a whitehat.18 But its true purpose remains a mystery.

A BusyBox-based IoT botnet like Mirai, BrickerBot was unearthed by Radware researchers in April 2017.19 By leveraging SSH service default credentials, misconfigurations, or known vulnerabilities, this malware attempts a permanent denial-of-service (PDoS) attack against IoT devices using various methods that include defacing a device’s firmware, erasing all files from its memory, and reconfiguring network parameters.

LESSONS LEARNED
The dramatic impact of DDoS attacks by Mirai, its variants, and other similar botnets highlights the risks IoT devices pose to the Internet. Currently, even naive approaches can gain control of such devices and create a massive and highly disruptive army of zombie devices. The ease of infection and stability of the generated bot population are alluring factors for any attacker.

There are five main reasons IoT devices are particularly advantageous for creating botnets:

›› Constant and unobtrusive operation. Unlike laptop and desktop computers, which have frequent on–off cycles, many IoT devices such as webcams and wireless routers operate 24/7 and in many cases aren’t properly recognized as computing devices.
›› Feeble protection. In their rush to penetrate the IoT market, many device vendors neglect security in favor of user-friendliness and usability.
›› Poor maintenance. Most IoT devices fall under the setup-and-forget umbrella—after initially setting them up, users and network administrators forget about them unless they stop working properly.
›› Considerable attack traffic. Contrary to common belief, IoT devices are powerful enough and well situated to produce DDoS attack traffic comparable to that of modern desktop systems.
›› Noninteractive or minimally interactive user interfaces. Because IoT devices tend to require minimum user intervention, infections are more likely to go unnoticed. Even when they’re noticed, there’s no easy way for the user to address them short of replacing the device.

Two years ago we correctly predicted the emergence of IoT-powered DDoS attacks,20 and today increasingly sophisticated Mirai variants and imitators are appearing at an alarming rate. This malware typically runs on multiple platforms and is usually lightweight enough to execute in a tiny amount of RAM. In addition, the infection process is relatively simple, making every vulnerable device a bot candidate even with frequent rebooting. Although most existing IoT malware is easy to profile and detect, newer bots are stealthier.

Much of the responsibility for DDoS attacks often lies with users who practice poor security behaviors and system administrators who fail to deploy adequate safeguards. In the case of IoT botnets, however, it’s device vendors who should assume the responsibility for naively distributing products with weak security, including default credentials and remote access capabilities. IoT vendors are also in a unique position to provide the automated security updates that would address the problem. Solutions that require manual intervention—for example, frequently changing passwords—are unrealistic in the IoT realm, where many devices must be self-regulating. What we need now is the technical means to enforce security best practices in computer networks as well as robust security standards for IoT devices and distributors.

REFERENCES
1. “MMD-0055-2016-Linux/PnScan; ELF Worm That Still Circles Around,” blog, MalwareMustDie, 24 Aug. 2016; blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html.
2. “KrebsOnSecurity Hit with Record DDoS,” blog, KrebsOnSecurity, 16 Sept. 2016; krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos.
3. D. Goodin, “Record-Breaking DDoS Reportedly Delivered by >145K Hacked Cameras,” Ars Technica, 28 Sept. 2016; arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever.
4. J. Gamblin, “Mirai-Source-Code,” GitHub; github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.txt.
5. C. Cimpanu, “You Can Now Rent a Mirai Botnet of 400,000 Bots,” BleepingComputer.com, 24 Nov. 2016; www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots.
6. C. Williams, “Today the Web Was Broken by Countless Hacked Devices—Your 60-Second Summary,” The Register, 21 Oct. 2016; www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained.
7. E. Bertino and N. Islam, “Botnets and Internet of Things Security,” Computer, vol. 50, no. 2, 2017, pp. 76–79.
8. K. Angrishi, “Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets,” arXiv preprint, 13 Feb. 2017, arXiv:1702.03681.
9. B. Herzberg, D. Bekerman, and I. Zeifman, “Breaking Down Mirai: An IoT DDoS Botnet Analysis,” blog, Imperva Incapsula, 26 Oct. 2016; www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.
10. S.S.C. Silva et al., “Botnets: A Survey,” Computer Networks, vol. 57, no. 2, 2013, pp. 378–403.
11. Distributed Denial of Service (DDoS) Threat Report: Q4 2016, threat report 20170222-EN-A4, Nexusguard, 2017; news.nexusguard.com/threat-advisories/q4-2016-ddos-threat-report.
12. “New Mirai Worm Knocks 900K Germans Offline,” blog, KrebsOnSecurity, 16 Nov. 2016; krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline.
13. D. Bekerman, “New Mirai Variant Launches 54 Hour DDoS Attack against US College,” blog, Imperva Incapsula, 29 Mar. 2017; www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html.
14. D. McMillen and M. Alvarez, “Mirai IoT Botnet: Mining for Bitcoins?,” Security Intelligence, 10 Apr. 2017; securityintelligence.com/mirai-iot-botnet-mining-for-bitcoins.
15. T. Yeh, D. Chiu, and K. Lu, “Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras,” blog, TrendLabs, 9 May 2017; blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras.
16. “MMD-0057-2016-Linux/LuaBot-IoT Botnet as Service,” blog, MalwareMustDie, 6 Sept. 2016; blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html.
17. S. Edwards and I. Profetis, “Hajime: Analysis of a Decentralized Internet Worm for IoT Devices,” Rapidity Networks, 16 Oct. 2016; security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf.
18. P. Muncaster, “Mirai-Busting Hajime Worm Could Be Work of White Hat,” Infosecurity Mag., 20 Apr. 2017; www.infosecurity-magazine.com/news/mirai-busting-hajime-worm-could.
19. “‘BrickerBot’ Results in PDoS Attack,” Radware, 5 Apr. 2017; security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service.
20. C. Kolias, A. Stavrou, and J. Voas, “Securely Making ‘Things’ Right,” Computer, vol. 48, no. 9, 2015, pp. 84–88.

CONSTANTINOS KOLIAS is a research assistant professor in the Department of Computer Science at George Mason University as well as lead engineer for the first IoT laboratory at NIST. Contact him at kkolias@gmu.edu.

GEORGIOS KAMBOURAKIS is an associate professor in the Department of Information and Communication Systems Security and director of the Laboratory of Information and Communication Systems Security (Info Sec Lab) at the University of the Aegean. Contact him at [email protected].

ANGELOS STAVROU is a professor in the Department of Computer Science and director of the Center for Assurance Research and Engineering (CARE) at George Mason University. Contact him at [email protected].

JEFFREY VOAS is a Fellow of IEEE as well as of the American Association for the Advancement of Science (AAAS) and the Institution of Engineering and Technology (IET). Contact him at [email protected].
