Understanding the Mirai Botnet

Manos Antonakakis, Tim April‡, Michael Bailey†, Matthew Bernhard, Elie Bursztein◦, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi◦, Michalis Kallitsis§, Deepak Kumar†, Chaz Lever, Zane Ma†∗, Joshua Mason†, Damian Menscher◦, Chad Seaman‡, Nick Sullivan, Kurt Thomas◦, Yi Zhou†

‡ Akamai Technologies; Cloudflare; Georgia Institute of Technology; ◦ Google; § Merit Network; † University of Illinois Urbana-Champaign; University of Michigan
Abstract

The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets — the simplicity through which devices were infected and its precipitous growth demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and non-technical interventions, as well as propose future research directions.
1 Introduction

Starting in September 2016, a spree of massive distributed denial-of-service (DDoS) attacks temporarily crippled Krebs on Security [46], OVH [43], and Dyn [36]. The initial attack on Krebs exceeded 600 Gbps in volume [46] — among the largest on record. Remarkably, this overwhelming traffic was sourced from hundreds of thousands of some of the Internet’s least powerful hosts — Internet of Things (IoT) devices — under the control of a new botnet named Mirai.
While other IoT botnets such as BASHLITE [86] and Carna [38] preceded Mirai, the latter was the first to emerge as a high-profile DDoS threat. What explains Mirai’s sudden rise and massive scale? A combination of factors — efficient spreading based on Internet-wide scanning, rampant use of insecure default passwords in IoT products, and the insight that keeping the botnet’s behavior simple would allow it to infect many heterogeneous devices — all played a role. Indeed, Mirai has spawned many variants that follow the same infection strategy, leading to speculation that “IoT botnets are the new normal of DDoS attacks” [64].

∗ Denotes primary, lead, or “first” author
In this paper, we investigate the precipitous rise of Mirai and the fragile IoT ecosystem it has subverted. We present longitudinal measurements of the botnet’s growth, composition, evolution, and DDoS activities from August 1, 2016 to February 28, 2017. We draw from a diverse set of vantage points including network telescope probes, Internet-wide banner scans, IoT honeypots, C2 milkers, DNS traces, and logs provided by attack victims. These unique datasets enable us to conduct the first comprehensive analysis of Mirai and posit technical and non-technical defenses that may stymie future attacks.
We track the outbreak of Mirai and find the botnet infected nearly 65,000 IoT devices in its first 20 hours before reaching a steady state population of 200,000–300,000 infections. These bots fell into a narrow band of geographic regions and autonomous systems, with Brazil, Colombia, and Vietnam disproportionately accounting for 41.5% of infections. We confirm that Mirai targeted a variety of IoT and embedded devices ranging from DVRs, IP cameras, routers, and printers, but find Mirai’s ultimate device composition was strongly influenced by the market shares and design decisions of a handful of consumer electronics manufacturers.
By statically analyzing over 1,000 malware samples, we document the evolution of Mirai into dozens of variants propagated by multiple, competing botnet operators. These variants attempted to improve Mirai’s detection avoidance techniques, add new IoT device targets, and introduce additional DNS resilience. We find that Mirai harnessed its evolving capabilities to launch over 15,000 attacks against not only high-profile targets (e.g., Krebs

USENIX Association — 26th USENIX Security Symposium 1093