
Introduction
When Mirai malware was first introduced in 2016 and its code was publicly released, the damage it inflicted was swifter and more damaging to network traffic than any attack seen before. Today, Mirai continues to break records for assaults, disruptions, and outages due to new variants, a proliferation of IoT devices, and botnet-as-a-service kits that make it cheap and easy to launch attacks.
In this blog, we’ll take an in-depth look at the Mirai botnet, including how it works, the different Mirai variants, and their impact. We’ll also explain how to detect an attack and the different ways you can protect against the Mirai botnet to prevent threat actors from using the technique to create chaos in your network and worse – steal data, extort your organization for ransom, or bring down the network entirely.
Background of the Mirai botnet
The Mirai botnet is one of the most prevalent attack vectors for DDoS attacks. Known for its typically short, high-intensity assaults, Mirai malware targets IoT devices which have backdoors that it uses to enter the device. Once the malware infiltrates the device, it self-propagates – scanning for other devices, infecting them, and bringing them into the botnet.
Origins and creation
Mirai, which means “future” in Japanese, was first seen in 2016 and attributed to Paras Jha and Josiah White, who created the malware to target Minecraft servers. In essence, the initial intent was to launch DDoS attacks leveraging the Mirai malware to take down Minecraft servers and then sell DDoS mitigation services to protect those very same servers. As competitive DDoS mitigation services entered the market, the creators also used Mirai to target those service providers.
Use and growth
Although Mirai malware was initially used as part of a scam to capitalize on the popularity of Minecraft, the creators released the malware publicly a week later and its use quickly spread. Even threat actors with minimal technical skills could repurpose the code to create their own IoT botnets. This made it easy for other cyber criminals to quickly adopt the malware to launch attacks against a multitude of hosting and internet service providers as well as targeted websites, networks, and other digital infrastructure.
Mirai malware infects IoT devices, turning them into a network of remotely controlled bots or “zombies”. This network is referred to as a botnet, and it makes it possible to launch powerful, volumetric DDoS attacks. Introduced nearly a decade ago, Mirai and its many variants remain a concerning and widespread threat.
How the Mirai botnet works
The Mirai botnet is a prime example of a DDoS botnet, a category of cyberattacks we explored in a previous blog. In a nutshell, DDoS botnets consist of networks of Internet-connected devices that cyber criminals use to launch DDoS attacks at scale. Whether motivated by financial or geopolitical reasons, cyber criminals infect the device with malware that allows them to control the device remotely thus turning it into a robot or “bot.” To maximize the impact of a DDoS attack they create groups of bots to form a botnet. Once cyber criminals have established a botnet, they can execute coordinated attacks against targeted systems by sending remote instructions to each bot. Each bot sends requests to the target’s IP address, causing the server or network to become overwhelmed and resulting in a denial-of-service to normal traffic.
The Mirai botnet specifically targets vulnerable IoT devices that have open ports or default usernames and passwords. Users of IoT devices sometimes aren’t aware of the importance of creating and maintaining secure passwords for these devices which leaves them vulnerable to attacks.
Infection methods
When the Mirai botnet finds a vulnerable device, it replicates itself, infects the device, and then moves on to find another vulnerable IoT device. The botnet initially had two primary ways to infect an IoT device.
- Default credentials – Mirai attempts to use the default credentials for the device, like “admin” and “password,” to gain access since many users didn’t customize the out-of-the-box credential settings.
- Brute-force attacks – Mirai also tries different combinations of common usernames and passwords to force its way into the device.
Users are becoming increasingly savvy about creating and frequently updating passwords. So, today, Mirai and its variants also use vulnerabilities to gain access to devices.
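The infection pattern described above (one source cycling factory-default usernames across many devices in quick succession) is detectable from device authentication logs. The following is an added example, not code from the original post: it parses constructed log lines in a hypothetical format and flags sources that fit the spread-and-retry pattern, also reporting any device that subsequently accepted a login from that source.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed IoT auth-log lines (example data, not from the original post): one
# source cycling default usernames across several devices within seconds, and a
# legitimate operator who fails once on a single device.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dev=cam-01 telnetd: auth failure user=admin src=198.51.100.7
2024-05-01T10:00:01Z dev=cam-01 telnetd: auth failure user=root src=198.51.100.7
2024-05-01T10:00:02Z dev=cam-02 telnetd: auth failure user=admin src=198.51.100.7
2024-05-01T10:00:02Z dev=cam-02 telnetd: auth failure user=root src=198.51.100.7
2024-05-01T10:00:03Z dev=dvr-01 telnetd: auth failure user=admin src=198.51.100.7
2024-05-01T10:00:04Z dev=dvr-01 telnetd: auth success user=root src=198.51.100.7
2024-05-01T10:05:10Z dev=cam-03 sshd: auth failure user=operator src=10.0.5.20
2024-05-01T10:05:25Z dev=cam-03 sshd: auth success user=operator src=10.0.5.20
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) \S+: auth (?P<result>failure|success) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
DEFAULT_USERS = {"admin", "root"}  # factory-default names cited in the post (hypothetical list)

def parse(log):
    """Turn log lines into dicts; lines outside the constructed format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(e)
    return events

def find_credential_scanners(events, window_s=60, min_failures=4, min_devices=2):
    """Flag sources whose failed logins with default usernames hit several devices
    inside one window (the spread-and-retry pattern of Mirai-style infection),
    and list devices that accepted a login from that source afterwards."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "failure" and e["user"] in DEFAULT_USERS]
        for i, first in enumerate(fails):  # sliding window starting at each failure
            window = [e for e in fails[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            devices = {e["dev"] for e in window}
            if len(window) >= min_failures and len(devices) >= min_devices:
                hits = {e["dev"] for e in evs if e["result"] == "success" and e["ts"] >= first["ts"]}
                flagged[src] = {"failures": len(window), "devices": sorted(devices),
                                "logged_in_after": sorted(hits)}
                break
    return flagged
```

A device listed under `logged_in_after` is the one to isolate and re-credential first, since a successful login following the scan is the point at which the post's self-propagation step begins.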
Botnet operation and command and control
Once the device is infected with the Mirai malware, the attacker has control of the device and can start to wreak havoc using different types of botnet models and server models to send instructions.
- In a centralized botnet model, the attacker sends instructions from a central server, known as a command and control (C&C) server. The instructions typically include launching large-scale DDoS attacks that overwhelm the network with bogus traffic to degrade performance and eventually completely stop traffic. In this model, there is only one line of communication which remains open, making it easier for defenders to pinpoint the attack and stop it.
- Botnets can also be set up to use a tiered model of C&C servers where different servers are assigned to communicate with specific subgroups of devices. This makes the botnet harder to take down.
- Peer-to-peer (P2P) botnet models take the level of complexity a step further. In this model, there are no C&C servers. Instead, bots perform dual functions – speaking to each other to orchestrate attacks and communicating with their designated group of devices to execute attacks. This more sophisticated approach is even more difficult to disrupt because there is no single point of failure.
Types of attacks
There are several different ways in which Mirai can amplify the impact of a DDoS attack to flood the network with illegitimate traffic and, ultimately, deny service.
- User Datagram Protocol (UDP) flood – the attacker sends a large number of UDP packets to a target port, overwhelming the server so that it can no longer respond to legitimate requests.
- Open resolver query flood – the attacker floods the network with requests that disrupt the domain name system (DNS) resolution process and make the server and its infrastructure inaccessible.
- Tsource engine query flood – the attacker uses Tsource engine queries and UDP traffic to overwhelm the server.
- Synchronized Sequence Number (SYN) flood – the attacker doesn’t complete the typical three-way TCP communication handshake required to establish a legitimate connection thereby keeping resources open and making them unavailable to communicate and send legitimate network traffic.
- ACK flood – similar to a SYN flood attack, the attacker disrupts a different aspect of the TCP handshake by overloading a server with ACK (short for acknowledgement) packets which acknowledge receipt of a message.
- Generic Routing Encapsulation (GRE) flood – the attacker spoofs the source IP address and sends small GRE and IP packets to multiple devices or servers to amplify the response and flood the network with a massive surge of data.
- HTTP flood – a type of application layer or layer 7 attack, the attacker overwhelms the server with HTTP requests.
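Several of the flood types listed above leave distinct signatures in flow telemetry: many sources sending SYN-only or ACK-only TCP segments that never form a session, UDP packet volume concentrated on one port such as DNS, or GRE traffic arriving at hosts that never use it. The following is an added example, not code from the original post: it aggregates constructed flow records for one sample window and labels targets that exceed illustrative volume and source-spread thresholds with the matching flood type.

```python
from collections import defaultdict

# Constructed flow records for one 10-second sample window (example data, not
# from the original post). Fields: src, dst, proto, dport, tcp_flags, packets.
FLOWS = [
    ("10.0.1.5", "203.0.113.10", "tcp", 443, "SA", 40),  # normal, completed handshake
    ("10.0.1.6", "203.0.113.10", "tcp", 443, "SA", 35),
]
FLOWS += [(f"198.51.100.{i}", "203.0.113.20", "tcp", 80, "S", 500) for i in range(1, 41)]  # SYN only
FLOWS += [(f"192.0.2.{i}", "203.0.113.30", "udp", 53, "", 800) for i in range(1, 31)]      # UDP to DNS
FLOWS += [(f"198.18.0.{i}", "203.0.113.40", "gre", 0, "", 600) for i in range(1, 26)]      # GRE
FLOWS += [(f"198.19.0.{i}", "203.0.113.50", "tcp", 443, "A", 400) for i in range(1, 31)]   # ACK only

def summarize(flows):
    """Aggregate per (dst, proto, dport): packets, distinct sources, and how many
    TCP flows consist of SYN-only or ACK-only segments."""
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "flows": 0, "syn_only": 0, "ack_only": 0})
    for src, dst, proto, dport, flags, pkts in flows:
        s = stats[(dst, proto, dport)]
        s["pkts"] += pkts
        s["srcs"].add(src)
        s["flows"] += 1
        if proto == "tcp":
            s["syn_only"] += flags == "S"
            s["ack_only"] += flags == "A"
    return stats

def classify(stats, min_pkts=5000, min_srcs=20, ratio=0.8):
    """Label each target above the volume and source-spread thresholds with the
    flood type from the post's list. Thresholds are illustrative; tune them to
    the window length and the baseline of the monitored network."""
    labels = {}
    for key, s in stats.items():
        if s["pkts"] < min_pkts or len(s["srcs"]) < min_srcs:
            continue  # below volumetric thresholds: not a flood candidate
        _dst, proto, dport = key
        if proto == "gre":
            labels[key] = "GRE flood"
        elif proto == "udp":
            labels[key] = "DNS query flood" if dport == 53 else "UDP flood"
        elif proto == "tcp" and s["syn_only"] / s["flows"] >= ratio:
            labels[key] = "SYN flood"
        elif proto == "tcp" and s["ack_only"] / s["flows"] >= ratio:
            labels[key] = "ACK flood"
        else:
            labels[key] = f"{proto.upper()} volumetric flood"
    return labels

if __name__ == "__main__":
    for target, label in classify(summarize(FLOWS)).items():
        print(target, "->", label)
```

Because SYN and ACK floods typically use spoofed sources, the distinct-source count is only a spread indicator; the useful mitigation signal is the flag ratio, which is what a rate limiter or upstream DDoS protection platform keys on.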
Major attacks and incidents
Although Mirai malware was primarily designed to impact Minecraft users, when the creators publicly released the code in October 2016, a wave of widespread DDoS attacks affected users around the globe and made headline news.
- Rutgers University (2014-2016). The university’s web services and intranet were targeted over two years, disrupting access to grades, admissions, and course plans for students and staff.
- OVH (September 2016). An unprecedented DDoS attack of 1 Tbit/s impacted this French web hosting provider that was providing DDoS protection services to Minecraft servers.
- Krebs on Security (September 2016). DDoS attacks that reached 620 Gbit/s were made against security researcher and journalist, Brian Krebs, after writing about cyber threats. Krebs later researched and correctly attributed the attacks to the Mirai creators.
- ProxyPipe (September 2016). The Mirai creators targeted this company for providing DDoS protection to Minecraft servers; the attacks were eventually stopped after ProxyPipe detected the botnet and had its C2 server shut down.
- Dyn (October 2016). Three consecutive attacks on this DNS provider rocked the industry as the impact was felt across Europe and the U.S.
- Deutsche Telekom routers (November 2016). Attempts were made to recruit over 900,000 routers as bots. While the attempt failed, the impact of the activity caused widespread internet connectivity loss.
- Lonestar Telecom (November 2016). This Liberian telecom provider was offline for large periods of time as it experienced hundreds of debilitating Mirai botnet DDoS attacks.
Dyn DNS attack
The Dyn DNS attack marked a turning point in the Mirai botnet landscape for several reasons:
- It was the first major attack after the Mirai source code was released.
- It demonstrated the ease with which threat actors with little to no technical skills could launch damaging attacks.
- It triggered a proliferation of similar attacks that impacted organizations and users around the globe.
- It became a catalyst for threat actors to create and profit from copycat variants.
Other significant attacks
Mirai and its variants remain responsible for extremely disruptive attacks that are escalating in size and sophistication and have resulted in a 7x increase in Mirai-like botnet attacks. These variants generally follow the same architecture but use different means to exploit vulnerable IoT devices, and some use DDoS attacks as a tool to collect ransom. Recent examples include:
- CatDDoS Botnet attack (2023). A majority of CatDDoS botnet attacks targeted organizations in countries including China, U.S., Japan, Singapore, and France with more than 300 attacks observed on any given day. The CatDDoS malware (a Mirai variant) exploits more than 80 known security flaws in software that impacts routers and other networking gear.
- 1.44 PB Mirai Botnet attack (2024). Corero researchers blocked 1.44 PB of malicious traffic in an 8-hour Mirai Botnet DDoS attack against a single organization. Typically, Mirai botnet DDoS attacks are short but intense. This attack was unusual for its longer duration and massive scale (the equivalent of over one million hours of TV streaming).
- Gorilla Botnet attack (2024). A new botnet malware family called Gorilla, a Mirai variant, is reported to have issued over 300,000 attacks during three weeks in 100 countries. Gorilla supports multiple CPU architectures and comes with capabilities to connect with one of five predefined C&C servers to await DDoS commands.
Impact and consequences of the Mirai botnet
The history of Mirai botnet attacks over the last several years clearly shows the ease with which other threat actors with little to no technical knowledge can use it to launch very damaging attacks. The availability of botnet-as-a-service kits further reduces the barrier to entry, with some kits costing less than $20/month. What’s more, the extremely damaging variants that ensued have amplified the impact and made these attacks even more challenging to defend against due to their more sophisticated tactics and distributed operating models.
Economic and operational impact
Mirai botnet attacks have both an economic and operational impact to organizations, including:
- Lost revenue
- Lost customers
- Payment of large ransoms
- Fines and other financial implications of data breaches
- Reputational damage
Repercussions for IoT security
Because IoT devices are the initial target and point of infiltration for Mirai botnet attacks, organizations should consider ways to mitigate the risk of IoT devices becoming infected. These include:
- Update IoT device software and firmware to the latest version to address vulnerabilities
- Create strong usernames and passwords and change them frequently; consider using a password generator to reduce the burden on the user
- Disable any unused devices
- Disable remote access of the IoT device if not needed
- Segment your network so that IoT devices are on a separate network from systems critical for daily operations
- Retire old devices that are no longer supported by the vendor and upgrade to new devices
- Contact your IoT device vendor to see if they now offer security solutions and/or seek out IoT device vendors that do
Mitigation and defense strategies against Mirai botnet attacks
In addition to addressing security weaknesses in your IoT devices and how you deploy and use them, a combination of best practices and technology aimed at defending the network itself against Mirai botnet attacks is also critical. Recommendations include:
- Keep application software and operating systems up to date. Install patches for vulnerabilities as soon as they are released by your software and network device vendor, prioritizing those patches that botnets are known to exploit.
- Use anti-malware tools. A solution that identifies and removes malware can help eliminate infection.
- Rate limit traffic. Where possible, rate limit traffic to prevent volumetric attacks.
- Proactively monitor your network. Monitor the network for anomalous behavior that could indicate botnet or some other form of malicious activity.
- Disable unnecessary services. A general rule of thumb is to disable services that are not being used as they are typically not on the IT team’s radar for updates and can become an easy vector for attackers to exploit.
- Add firewall rules and IDS/IPS. Add specific firewall policies and implement IDS/IPS technology to detect and block activity that could indicate DDoS botnet attack attempts.
- Use a DDoS protection platform. The most comprehensive way to mitigate DDoS attacks, including DDoS botnet attacks, is with DDoS protection. The best solutions will block attacks and protect against follow-on threats including data leakage, ransom attacks, and other threats to your operations while allowing legitimate traffic to go through. This allows organizations to maintain uninterrupted service availability even in the midst of a DDoS attack.
- Leverage threat intelligence. By continuously monitoring and analyzing global threat data, DDoS intelligence services offer insights into emerging attack vectors, tactics, and trends. This enables organizations to strengthen their defense by proactively implementing countermeasures that address specific vulnerabilities and threats.
Conclusion
Mirai botnet attacks continue to increase in complexity and frequency and remain a notorious threat to organizations around the world. As the use of increasingly complex IoT devices and malware variants proliferates, these attacks show no sign of slowing down. Additionally, the volumetric, amplification, and self-propagating factors make DDoS botnet attacks a particularly powerful force to deal with.
Organizations need to strengthen their approaches to protect IoT devices including strong passwords, network segmentation, and updating software and firmware. However, it’s also critical to defend the network against the impact of Mirai botnet attacks. Fortunately, there are multiple best practices and technologies organizations can use, including proactively monitoring the network for anomalous activity, rate limiting traffic, disabling unnecessary services, adding firewall rules and IDS/IPS technology, and using a DDoS protection solution and DDoS threat intelligence services.
DDoS protection coupled with intelligence to stay ahead of emerging threats provides uninterrupted service availability even in the midst of a DDoS botnet attack and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on how to decode Mirai.