Threat Advisory: Mirai Botnet

Author: Chad Seaman

Overview

Much is already known about the Mirai botnet, due to a thorough writeup by Malware Must Die as well as a later publicly distributed source-code repository. This advisory provides information about attack events and findings prior to the Mirai code release as well as those occurring following its release. The advisory will also summarize pertinent research data and ultimately the processes that led to the associated findings. Signatures observed in real-world attacks are also included and may aid in the future detection and mitigation of Mirai-based attacks.

Attack Events Timeline, Statistics, & Signatures

Mirai attack signatures were first observed in attacks against a security blog run by journalist Brian Krebs. The first attack, in the series of four, peaked at 623 Gbps. The timeline below represents the four attacks mitigated by Akamai.

Figure 1: First series of observed Mirai attacks launched against Brian Krebs (chart: Krebs DDoS Attack Size and Dates)

Just days after this series of DDoS attacks, the source code for Mirai was made public. The next timeline represents the bandwidth in gigabits per second for Mirai-confirmed attacks occurring after this code was released. Peak bandwidth, although still substantial, has mostly stayed under 100 Gbps in later attacks. In addition, most of the attacks were under 30 million packets per second.

Figure 2: Timeline of attacks that Akamai mitigated following the Mirai code release (chart: Mirai Confirmed DDoS - After Source Code Release)

The only attack peaking at just over the 30 million packet-per-second mark was the 261 Gbps attack on October 11. The overall lower packet rates can be attributed for the most part to the extra padding in many of the Mirai attacks seen so far. Most of these attack events used vectors with payloads padded with at least 512 bytes of data. These larger packets, while able to consume more bandwidth, typically have a lower packet throughput.
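The bandwidth-versus-packet-rate relationship described above, worked through as an added example (not code from the advisory or from Akamai): it derives the average packet size implied by a Gbps/Mpps pair, computes the packet rate a given bandwidth needs for unpadded versus 512-byte-padded UDP payloads, and applies a simple "looks padded" check a defender could run over flow-summary samples. The October 11 figures are taken from the advisory's rounded numbers and the 30 Mpps value is an approximation; the header-size constant and the classification threshold are assumptions.

```python
# Added example (not from the advisory): why padded Mirai payloads yield high
# bandwidth at a comparatively low packet rate, plus a packet-size heuristic.
from dataclasses import dataclass

BITS_PER_BYTE = 8
IPV4_UDP_HEADERS = 20 + 8        # assumed IPv4 + UDP headers, no link-layer framing
MIRAI_PADDING_OBSERVED = 512     # payload padding the advisory reports seeing


@dataclass
class AttackSample:
    label: str
    gbps: float      # peak bandwidth, gigabits per second
    mpps: float      # peak packet rate, millions of packets per second

    def avg_packet_bytes(self) -> float:
        """Average bytes per packet implied by the bandwidth / packet-rate pair."""
        return (self.gbps * 1e9) / (self.mpps * 1e6) / BITS_PER_BYTE


def pps_for_bandwidth(gbps: float, payload_bytes: int) -> float:
    """Packets per second needed to fill `gbps` with UDP packets of this payload size."""
    packet_bits = (IPV4_UDP_HEADERS + payload_bytes) * BITS_PER_BYTE
    return gbps * 1e9 / packet_bits


def looks_padded(sample: AttackSample, min_payload: int = MIRAI_PADDING_OBSERVED) -> bool:
    """Heuristic: average packet size consistent with >= min_payload bytes of padding.

    Assumed threshold; a small-packet flood (e.g. bare SYNs) fails this check."""
    return sample.avg_packet_bytes() >= IPV4_UDP_HEADERS + min_payload


if __name__ == "__main__":
    # Constructed from the advisory's rounded figures: ~261 Gbps at just over
    # 30 Mpps on October 11. The packet rate is an approximation, not a measurement.
    oct11 = AttackSample("Oct 11 (approx.)", gbps=261, mpps=30)
    print(f"{oct11.label}: ~{oct11.avg_packet_bytes():.0f} bytes/packet, "
          f"padded={looks_padded(oct11)}")
    # Same 261 Gbps delivered with empty vs 512-byte-padded UDP payloads.
    for payload in (0, MIRAI_PADDING_OBSERVED):
        print(f"{payload:>4}-byte payload -> {pps_for_bandwidth(261, payload) / 1e6:.1f} Mpps")
```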