Breaking Down the Mirai Botnet

The DDoS attack last year that took down Dyn, a DNS provider, was reported widely in the media. The blackout, which lasted a handful of hours on October 21, affected Twitter, Tumblr, Pinterest, PayPal and The Wall Street Journal, among others. 

We now know that a Mirai IoT botnet was to blame for the damage. During a recent online Q&A session I spoke about the disruptive malware.

The Mirai malware goes mostly after Linux-based IoT devices although new variants also target Windows machines. Amassed in a large-scale botnet attack these devices infected with Mirai can bring down a network with multiple types of DDoS attacks. Mirai is often deployed as part of a DDoS for hire network. 

In the Dyn case, the attack was specific and aimed directly at the Dyn DNS authoritative server. Dyn represents 10 percent of all the top 1000 websites rated by Alexa

Cycling Through Default Passwords for Access

The Mirai malware, which was released, scans a network for a list of 61 commonly used and factory-issued credentials, usernames and passwords. By doing so, it aims to gain access to your device and infect it. Some people forget to change their default usernames and password on a new camera or router. Since the source code was released, several variants are using other attack vectors as well.

But what if your IoT device doesn’t have one of these 61 golden passwords? Is it safe from Mirai?

The simple answer is no. Since Mirai’s source code was released, attackers modified it so that it tries to attack devices using other vulnerabilities and credentials as well.

Detecting Mirai

What if a Mirai DDoS attack infects your website? How can you tell if your site is already infected?

First check your ports – specifically ports 22 and 23 (SSH and Telnet respectively). This is where Mirai targets to enter your machine. You will need to restart your device and pay close attention to how it responds. New variants now target other ports as well.

In fact, if any of your ports are open to the internet you may be vulnerable to infection. That is part of the problem with IoT devices. They use the internet in order to enhance our lives, but some of them are not well protected against threats.

The Incapsula global network tracks a lot of websites and traffic. We’re working on a system to warn ISPs that have many Mirai devices on their machines. In addition to Mirai, we also track big botnets like those using the Nitol malware for example.

Flexible and Deadly

Since the attack on Dyn was definitely a massive DDoS attack, I was asked if Mirai malware can be used for other “things”.

Mirai is flexible enough to launch several types of DDoS attacks such as network layer and application layer attacks. However, if you have CCTV and you are using default credentials, you can bet that people are also looking through your cameras for fun and profit. It is always a good idea to change your default credentials even if you do not care if your device is being used for DDoS attack.

I was also asked what the characteristics of a Mirai attack look like. For example, does it look like other DDoS attacks we have seen before?

Looking at the Dyn attack specifically it appeared to come from 100,000 machines, which makes it a very big attack. But unlike larger amplification attacks that we’ve seen in the last year, Mirai is able to accommodate more effective types of attacks, like concealing itself by sending fake GRE protocol messages. This can take a high toll on your edge router’s CPU and slow down mitigation.

What can be done to prevent attacks like Mirai?

With the scale of a Mirai attack organizations need to be prepared for the volume and scale of the attack. 

A good first step is to have a game plan and determine what you need to do in the event of an attack. 

Next, conduct an audit of your site so you know your site’s weaknesses and how to secure them.

Finally, you need to have better redundancy. Many of the organizations that were affected on Oct. 21 did not have redundancy in providers of name servers. The problem was not with Dyn. Big websites should employ more than one service provider to be totally redundant and safe from downtime. 

Every day we learn more and more about Mirai DDoS attacks. Its sheer scale and power is alarming, but the good news is you can take steps now to secure your website and networks against it.

This blog post was written by Ben Herzberg, Security Research Manager for Imperva Incapsula, an Partner. If you have any questions regarding website security, reach out to and Imperva Incapsula today!

About Author

Partner Blog Author
We are pleased to have our official Partners submit informative, educational blog posts that we hope you find useful and beneficial to your organization!

Featured Posts