Figure 8: C2 Cluster Lookup Volume — The DNS lookup volume of C2 DNS clusters in a large U.S. ISP establishes the relative size of the botnet behind each cluster and chronicles its rise and fall. Note, for example, cluster 1, which represents the original botnet in use for the early high-profile attacks on Krebs and OVH, and the emergence of a myriad of clusters after the public source release.
neering efforts. Between November 2, 2016 and February 28, 2017, we observed 48 new sets of usernames and passwords, as well as changes to the IP blacklist. We note that while many actors modified the set of credentials, they often did so in different ways (Figure 9). This is true for other features as well. In one example, a variant evolved to remove U.S. Department of Defense blocks from the initial scanning blacklist. The malware further evolved to use new infection mechanisms. Most notably, in late November 2016, Mirai variants began to scan for TCP/7547 and TCP/5555, two ports commonly associated with CWMP [15, 93]. Additionally, one malware strain began using domain generation algorithms (DGA) in place of a hardcoded C2 domain, though this feature was short-lived. By November 2016, packed binaries had emerged.
Techniques to improve virulence and to aid reliability were not limited to the client binaries. We found evidence of operators using DNS to avoid or attempt to evade detection as well. Recent work by Lever et al. demonstrated how attackers abuse the residual trust inherited by domains to perform many seemingly unconnected types of abuse [55]. Mirai was no different from other types of malware — we found evidence that at least 17% of Mirai domains abused residual trust. Specifically, these domains expired and were subsequently re-registered before they were used to facilitate connections between bots and C2 servers. This serves as a reminder that although Mirai is unique in many ways, it still shares much in common with the many threats that came before it.
By combining the malware we observed with our DNS data, we can also measure the evolution of the C2 clusters in Table 8. We note that cluster 2 — the third largest by lookup volume — evolved to support many new features, such as scanning new ports TCP/7547 and TCP/5555, adding DGA, and modifying the source code blacklist to exclude Department of Defense (DoD) blocks. This is not to say, however, that evolution guaranteed success. Cluster 23, which can be seen clearly in Figure 9, evolved very rapidly, adding several new passwords over its active time. Despite this evolution, this cluster was 19th out of 33 clusters in terms of lookup volume over time and was unable to capture much of the vulnerable population. We also note that not all successful clusters evolved; for example, cluster 6, which showed no evolutionary trend in its binaries, received the highest lookup volume of all the clusters.

Figure 9: Password Evolution — The lineage of unique password dictionaries, labeled with their associated clusters, depicts many malware strains modifying the default credential list to target additional devices. The node marked (*) indicates the released source code password dictionary and serves as the foundation for all divergent password variants.
6 Mirai’s DDoS Attacks
The Mirai botnet and its variants conducted tens of thousands of DDoS attacks during our monitoring period. We explore the strategies behind these attacks, characterize their targets, and highlight case studies on high-profile targets Krebs on Security, Dyn, and Liberia’s Lonestar Cell. We find that Mirai bore a resemblance to booter services (which enable customers to pay for DDoS attacks against desired targets), with some Mirai operators targeting popular gaming platforms such as Steam, Minecraft, and Runescape.

USENIX Association 26th USENIX Security Symposium 1103

Attack Type        Attacks   Targets   Class
HTTP flood           2,736     1,035     A
UDP-PLAIN flood      2,542     1,278     V
UDP flood            2,440     1,479     V
ACK flood            2,173       875     S
SYN flood            1,935       764     S
GRE-IP flood           994       587     A
ACK-STOMP flood        830       359     S
VSE flood              809       550     A
DNS flood              417       173     A
GRE-ETH flood          318       210     A

Table 9: C2 Attack Commands — Mirai launched 15,194 attacks between September 27, 2016 and February 28, 2017. These include [A]pplication-layer attacks, [V]olumetric attacks, and TCP [S]tate exhaustion, all of which are equally prevalent.
6.1 Types of Attacks
Over the course of our five-month botnet infiltration, we observed Mirai operators issuing 15,194 DDoS attack commands, excluding duplicate attacks (discussed in Section 3). These attacks employed a range of different resource exhaustion strategies: 32.8% were volumetric, 39.8% were TCP state exhaustion, and 34.5% were application-layer attacks (Table 9). This breakdown differs substantially from the current landscape of DDoS attacks observed by Arbor Networks [7], where 65% of attacks are volumetric, 18% attempt TCP state exhaustion, and 18% are higher-level application attacks. While amplification attacks [79] make up 74% of attacks issued by DDoS-for-hire booter services [40], only 2.8% of Mirai attack commands relied on bandwidth amplification, despite built-in support in Mirai’s source code. This absence highlights Mirai’s substantial capabilities despite the resource constraints of the devices involved.
6.2 Attack Targets
Studying the victims targeted by Mirai sheds light on its operators. We analyzed the attack commands issued by Mirai C2 servers (as detailed in Section 3) to examine who Mirai targeted. In total, we observed 15,194 attacks issued by 484 C2 IPs that overlapped with 24 DNS clusters (Section 5). The attacks targeted 5,046 victims, comprising 4,730 (93.7%) individual IPs, 196 (3.9%) subnets, and 120 (2.4%) domain names. These victims ranged from game servers, telecoms, and anti-DDoS providers, to political websites and relatively obscure Russian sites (Table 10).
The Mirai source code supports targeting of IPv4 subnets, which spreads the botnet’s DDoS firepower across an entire network range. Mirai issued 654 attacks (4.3%) that targeted one or more subnets, with the three most frequently targeted being Psychz Networks (102 attacks, 0.7%), a data center offering dedicated servers and DDoS mitigation services, and two subnets belonging to Lonestar Cell (65 combined attacks, 0.4%), a Liberian telecom. We also saw evidence of attacks that indiscriminately targeted large swathes of the IPv4 address space, including 5 distinct /8 subnets and one attack on the /0 subnet — the entire IPv4 space. Each of the /8 and /0 subnets (with the exception of the local 10.0.0.0/8) contains a large number of distributed network operators and total IP addresses, which drastically exceeds the number of Mirai bots. As such, the Mirai attacks against these subnets likely had modest impact.
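The analysis in Sections 6.1 and 6.2 (classifying attack commands by resource-exhaustion class from Table 9, splitting targets into IPs, subnets and domains, flagging blanket /8 or /0 prefixes, and spotting C2 addresses that were themselves attacked) can be reproduced over a command feed. The following is an added example, not code from the paper or its authors; the record layout `(attack type, target, port)`, the sample commands and the C2 set are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Attack types as named in Table 9, mapped to their class:
# A = application-layer, V = volumetric, S = TCP state exhaustion.
ATTACK_CLASS = {
    "HTTP flood": "A", "UDP-PLAIN flood": "V", "UDP flood": "V",
    "ACK flood": "S", "SYN flood": "S", "GRE-IP flood": "A",
    "ACK-STOMP flood": "S", "VSE flood": "A", "DNS flood": "A",
    "GRE-ETH flood": "A",
}

def classify_target(target):
    """Return (kind, normalized target, prefix length or None).
    kind is 'ip' for a single address, 'subnet' for a range, else 'domain'."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:            # not an address or CIDR: treat as a domain name
        return ("domain", target.lower(), None)
    if net.num_addresses == 1:
        return ("ip", str(net.network_address), None)
    return ("subnet", str(net), net.prefixlen)

def summarize(commands, c2_ips, blanket_prefix=8):
    """Tally constructed attack commands (attack type, target, port or None)."""
    classes, targets, ports = Counter(), Counter(), Counter()
    blanket = []        # ranges too large (/8 or shorter) for the bots to cover
    self_hits = set()   # C2 addresses that appear as attack targets
    for atype, target, port in commands:
        classes[ATTACK_CLASS.get(atype, "?")] += 1
        kind, norm, plen = classify_target(target)
        targets[kind] += 1
        if port is not None:
            ports[port] += 1
        if kind == "subnet" and plen <= blanket_prefix:
            blanket.append(norm)
        if kind == "ip" and norm in c2_ips:
            self_hits.add(norm)
    return {"classes": dict(classes), "targets": dict(targets),
            "ports": dict(ports), "blanket": blanket,
            "self_hits": sorted(self_hits)}

# Constructed sample feed (documentation addresses, not the paper's data).
SAMPLE_C2 = {"203.0.113.10"}
SAMPLE_COMMANDS = [
    ("HTTP flood", "198.51.100.7", 80), ("SYN flood", "198.51.100.7", 443),
    ("UDP flood", "192.0.2.0/24", 25565), ("ACK flood", "203.0.113.10", None),
    ("DNS flood", "example.test", 53), ("UDP-PLAIN flood", "10.0.0.0/8", None),
    ("GRE-IP flood", "0.0.0.0/0", None),
]
```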
If we exclude targeted subnets (due to their unfocused blanket dispersion across many networks), we find that Mirai victims were distributed across 906 ASes and 85 countries. The targets were heavily concentrated in the U.S. (50.3%), France (6.6%), the U.K. (6.1%), and a long tail of other countries. Network distribution was more evenly spread. The top 3 ASes — OVH (7.8%), Cloudflare (6.6%) and Comcast (3.6%) — only accounted for 18.0% of victims.
The three most frequently targeted victims were Liberia’s Lonestar Cell (4.1%), Sky Network (2.1%), and 1.1.1.1 (1.6%). We examine Lonestar Cell in depth in Section 6.3. Sky Network is a Brazilian company that operates servers for Minecraft (a popular game), which is hosted by Psychz Networks. The attacks against Psychz began on November 15, 2016 and occurred sporadically until January 26, 2017. 1.1.1.1 was likely used for testing [95]. Additional game targets in the top 14 victims included a former game commerce site, longqikeji.com, and Runescape, another popular online game. The prevalence of game-related targets, along with the broad range of otherwise unrelated victims, shares many characteristics with previously studied DDoS booter services [39].
For volumetric and TCP state exhaustion attacks, Mirai optionally specified a target port, which implied the type of service targeted. We find a similar prevalence of game targets — of the 5,450 attacks with a specified port, the most commonly attacked were 80 (HTTP, 37.5%), 53 (DNS, 11.5%), 25565 (commonly Minecraft servers [31, 65], 9.2%), 443 (HTTPS, 6.4%), 20000 (often DNP3, 3.4%), and 23594 (Runescape game server, 3.4%). Interestingly, the 7th most common attack target was an IP address hosted by Voxility that was associated with one of the Mirai C2 servers, and we note that 47 of 484 Mirai C2 IPs were themselves the target of a Mirai DDoS attack. By clustering these 484 C2 IPs by attack command, we identified 93 unique clusters, of which 26 (28%) were