Much is already known about the Mirai botnet, due to a thorough writeup by Malware Must Die as well as a later publicly distributed source-code repository. This advisory provides information about attack events and findings prior to the Mirai code release as well as those occurring following its release. The advisory will also summarize pertinent research data and ultimately the processes that led to the associated findings. Signatures observed in real-world attacks are also included and may aid in the future detection and mitigation of Mirai-based attacks.
Mirai attack signatures were first observed in attacks against a security blog run by journalist Brian Krebs. The first attack in the series of four peaked at 623 Gbps. The timeline below represents the four attacks mitigated by Akamai.
Just days after this series of DDoS attacks, the source code for Mirai was made public. The next timeline represents the bandwidth in gigabits per second for Mirai-confirmed attacks occurring after this code was released. Peak bandwidth, although still substantial, has mostly stayed under 100 Gbps in later attacks. In addition, most of the attacks were under 30 million packets per second.
The only attack peaking at just over the 30 million packet-per-second mark was the 261 Gbps attack on October 11. The overall lower packet rates can be attributed for the most part to the extra padding in many of the Mirai attacks seen so far. Most of these attack events used vectors with payloads padded with at least 512 bytes of data. These larger packets, while able to consume more bandwidth, yield a lower packet rate for the same bandwidth.
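The bandwidth/packet-rate trade-off described above is easy to check numerically, and the same two figures (Gbps and Mpps) together with the share of padded packets are what a defender would want from a capture window when deciding whether traffic looks like a padded Mirai-style flood. The following is an added example and not code from the advisory or from Akamai; the per-packet header overhead (IPv4 + UDP + Ethernet, no options or VLAN tag) and the sample traffic window are assumptions constructed for the illustration.

```python
"""Bandwidth versus packet rate for padded UDP floods.

Added illustration, not code from the advisory. The traffic sample below is
constructed; the header sizes are assumptions (IPv4 + UDP + Ethernet, no
options, no VLAN tag).
"""
from typing import Iterable

IP_UDP_ETH_HEADER_BYTES = 20 + 8 + 14   # assumed on-wire overhead per packet
PADDING_THRESHOLD = 512                 # payload size the advisory associates with padded attacks


def packets_per_second(gbps: float, packet_bytes: int) -> float:
    """Packet rate that a given bandwidth implies for one on-wire packet size."""
    return gbps * 1e9 / (packet_bytes * 8)


def summarize_window(packet_sizes: Iterable[int], window_seconds: float) -> dict:
    """Aggregate one capture window into the two numbers the advisory reports
    (Gbps and Mpps) plus the fraction of packets carrying padded payloads."""
    sizes = list(packet_sizes)
    total_bytes = sum(sizes)
    count = len(sizes)
    padded = sum(1 for s in sizes if s - IP_UDP_ETH_HEADER_BYTES >= PADDING_THRESHOLD)
    return {
        "gbps": total_bytes * 8 / window_seconds / 1e9,
        "mpps": count / window_seconds / 1e6,
        "mean_bytes": total_bytes / count,
        "padded_fraction": padded / count,
    }


def constructed_sample() -> list:
    """Constructed 1 ms window: 1500 packets with 512-byte padded payloads and
    500 minimum-size (64-byte) packets. Not captured traffic."""
    return [PADDING_THRESHOLD + IP_UDP_ETH_HEADER_BYTES] * 1500 + [64] * 500


if __name__ == "__main__":
    stats = summarize_window(constructed_sample(), window_seconds=0.001)
    print(stats)
    # The same 261 Gbps carried by minimum-size, 512-byte-padded and ~1 KB packets:
    for size in (64, 554, 1024):
        print(size, "byte packets ->", round(packets_per_second(261, size) / 1e6, 1), "Mpps")
```

Running the block shows why padding keeps packet rates down: 261 Gbps of 64-byte packets would be roughly 510 Mpps, while the same bandwidth in 1 KB packets is under 32 Mpps, so a flood that maxes out bandwidth with padded payloads stays far below the packet rates that a minimum-size flood would reach.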