The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets—the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.
Understanding the Mirai Botnet
- Download Publication • Bibtex
- Conference Usenix Security 2017
- Authors Manos Antonakakis , Tim April , Michael Bailey , Matt Bernhard , Elie Bursztein , Jaime Cochran , Zakir Durumeric , J. Alex Halderman , Luca Invernizzi , Michalis Kallitsis , Deepak Kumar , Chaz Lever , Zane Ma , Joshua Mason , Damian Menscher , Chad Seaman , Nick Sullivan , Kurt Thomas , Yi Zhou