Corero

Why We’ll Be Seeing More Mirai-Like DDoS Attacks This Year

Over the last few weeks, we’ve been writing about the rapid growth of DDoS carpet bomb attacks. Today, the Corero Threat Intelligence team is back with another major observation from 2022: the return of Mirai. Or, more specifically, Mirai-like botnet attacks.

In our 2023 DDoS Threat Intelligence Report, our researchers note that many recent distributed denial of service (DDoS) attacks have resembled those launched by botnets based on Mirai or on a variant leveraging the Mirai code. They’ve also grown astonishingly fast: from 770 attacks in 2020 and 2,872 in 2021 to an overwhelming 21,277 attacks in 2022.

Since the discovery of Mirai in 2016, cybersecurity experts have been tracking evolutions in its command and control, viral propagation methods, and attack vectors. Given the strength of the new Mirai variants, Corero expects to see them deployed as a potent DDoS weapon in the coming months and years.

So what exactly do these new DDoS attacks look like? More importantly, how can we stop them? Read on to explore what’s going on.

What is Mirai?

Mirai is malware that turns vulnerable networked devices — particularly IoT (internet of things) devices — into botnets for large-scale network attacks. It’s been used in some of the largest and most disruptive DDoS attacks of the last decade, including a major assault on the DNS provider Dyn and another on the French web hosting provider OVH.

Mirai-powered botnets have significant disruptive capabilities, generating massive volumes of traffic and overwhelming targeted systems. They operate by scanning the internet for vulnerable IoT devices with weak or default security settings, such as home routers, IP cameras, and DVRs. Once infected, these devices become part of the botnet and are controlled via the malware’s command and control infrastructure.
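One way an ISP or hosting provider could spot the scanning behaviour described above coming from its own address space, shown as an added example that is not from Corero's report: it flags sources that send bare SYNs to many distinct hosts on telnet ports in a short window. The flow-log format, the thresholds and the choice of ports 23/2323 are assumptions of this example, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Assumption: telnet ports probed by the original Mirai scanner (not stated on this page).
TELNET_PORTS = {23, 2323}

def find_scanners(flow_csv, window=60, min_targets=20):
    """Return {src: max distinct telnet destinations seen in any `window`-second
    span} for sources reaching at least `min_targets` (assumed thresholds)."""
    per_src = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only bare-SYN connection attempts to telnet ports count as probes.
        if int(row["dport"]) in TELNET_PORTS and row["flags"] == "S":
            per_src[row["src"]].append((float(row["ts"]), row["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        counts = defaultdict(int)  # dst -> occurrences inside the current window
        for ts, dst in events:
            counts[dst] += 1
            # Shrink from the left until the window spans at most `window` seconds.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_targets:
            hits[src] = best
    return hits

def build_sample():
    """Constructed flow log using documentation address ranges, not real traffic."""
    lines = ["ts,src,dst,dport,flags"]
    for i in range(30):
        # .7: 30 distinct telnet targets within 30 seconds (scanner-like fan-out).
        lines.append(f"{1000 + i},198.51.100.7,203.0.113.{i + 1},{2323 if i % 10 == 0 else 23},S")
        # .8: admin host reaching a single telnet device repeatedly.
        lines.append(f"{1000 + i},198.51.100.8,203.0.113.200,23,S")
        # .9: 30 distinct targets, but spread over roughly 50 minutes.
        lines.append(f"{1000 + i * 100},198.51.100.9,203.0.113.{i + 1},23,S")
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_scanners(build_sample()))
```

Widening `window` trades fewer missed slow scanners for more false positives, so the thresholds need tuning against a baseline of the network's normal telnet traffic.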

Mirai was first discovered in 2016 and has since gained significant attention due to its role in high-profile DDoS attacks. In the case of the Dyn DNS attack, Mirai was able to disrupt access to several major global websites, including Twitter, Reddit, and Netflix. The specific Mirai botnet responsible for this attack was leveraging the power of hundreds of thousands of compromised IoT devices, and it was the largest attack of its kind.

How was Mirai stopped?

The spread of Mirai was eventually halted through a collaborative effort by cybersecurity researchers, law enforcement agencies, manufacturers, and other stakeholders.

Security researchers, working with law enforcement agencies including the Federal Bureau of Investigation (FBI) and Europol, first identified and targeted the command and control servers used by the Mirai botnet. By disrupting the communication channels between infected devices and the botnet operators, they effectively crippled the botnet’s ability to carry out further attacks.

For their part, the manufacturers of vulnerable IoT devices responded to the Mirai threat by releasing security updates and patches to address the underlying vulnerabilities. Additionally, internet service providers (ISPs) and security firms collaborated to notify affected device owners, urging them to update their firmware, change default passwords, and take necessary security precautions. This collective effort aimed to remove compromised devices from the botnet and prevent reinfection.

What are the latest Mirai-like botnets?

While the initial wave of Mirai was stopped, its variants continue to pose a threat. Even with the cybersecurity community remaining vigilant and responding to emerging IoT threats, Mirai-like botnets are on the rise.

Corero’s researchers found that Mirai-like DDoS attacks increased by a startling 740% between 2021 and 2022 alone. They also found that this new generation of botnets leverages derivative or enhanced Mirai-like code that does not exclusively rely on compromised IoT devices or other vulnerable systems with weak security stacks.

Instead, many of the newer botnets appear to be leveraging paid hosting resources that deliver higher performance. That’s likely because pay-to-play distributed computing platforms are now affordable and available enough to justify the cybercrime economics of paying for hosting resources.

Important takeaways for defending against Mirai-like DDoS attacks

DDoS attacks remain an ongoing threat, and our research indicates that attackers are constantly improving their methods to bypass outdated defense technologies. For internet service providers, hosting providers, and SaaS providers facing this resurgence of Mirai DDoS attacks, it is crucial to have the latest generation DDoS protection in place.

When assessing DDoS solutions, organizations should consider the following factors:

  • A flexible platform that caters to their specific needs.
  • Deployment options, including hardware, virtual, and integrated solutions, to match their infrastructure.
  • Protection measures that go beyond brute force mitigation to keep their business and their customers’ operations online.
  • Optional managed services that can supplement existing IT and security expertise.

Efficient DDoS protection for Mirai-like attacks requires a solution that can promptly detect new (zero-day) and emerging attack methods. This approach will minimize the risk of downtime and disruption to businesses.

To learn about our flexible, automatic DDoS protection platform SmartWall One and its advantages for Mirai DDoS protection, schedule some time to speak with one of our experts.
