Table 10: Mirai DDoS Targets

Target                  Attacks  Cluster                                     Notes
Lonestar Cell           616      2                                           Liberian telecom targeted by 102 reflection attacks.
Sky Network             318      15, 26, 6                                   Brazilian Minecraft servers hosted in Psychz Networks data centers.
1.1.1.1                 236      1, 6, 7, 11, 15, 27, 28, 30                 Test endpoint. Subject to all attack types.
104.85.165.1            192      1, 2, 6, 8, 11, 15, 21, 23, 26, 27, 28, 30  Unknown router in Akamai's AS.
feseli.com              157      7                                           Russian cooking blog.
minomortaruolo.it       157      7                                           Italian politician site.
Voxility hosted C2      106      1, 2, 6, 7, 15, 26, 27, 28, 30              C2 domain from DNS expansion. Exists in cluster 2 seen in Table 8.
Tuidang websites        100      —                                           HTTP attacks on two Chinese political dissidence sites.
execrypt.com             96      —                                           Binary obfuscation service.
auktionshilfe.info       85      2, 13                                       Russian auction site.
houtai.longqikeji.com    85      25                                          SYN attacks on a former game commerce site.
Runescape                73      —                                           World 26 of a popular online game.
184.84.240.54            72      1, 10, 11, 15, 27, 28, 30                   Unknown target hosted at Akamai.
antiddos.solutions       71      —                                           AntiDDoS service offered at react.su.

Table 10: Mirai DDoS Targets — The top 14 victims most frequently targeted by Mirai run a variety of services. Online games, a Liberian cell provider, DDoS protection services, political sites, and other arbitrary sites match the victim heterogeneity of booter services. Many clusters targeted the same victims, suggesting a common operator.
Attack Target    Date        Sample Size  Intersection
Akamai †         09/21/2016  12,847       96.4%
Google Shield †  09/25/2016  158,839      96.4%
Dyn              10/21/2016  107,464      70.8%

Table 11: Mirai Attack IPs — Client IPs from attacks on Krebs on Security (denoted †) and Dyn intersected significantly with Mirai-fingerprinted scanning of our network telescope, confirming that both attacks were Mirai-based, but the lower Dyn intersection hints that other hosts may have been involved.
targeted at least once. This direct adversarial behavior reaffirms the notion of multiple, competitive botnet operators.
6.3 High Profile Attacks
Several high profile DDoS attacks brought Mirai into the limelight beginning in September 2016. We analyze the following three Mirai victims as case studies: Krebs on Security, Dyn, and the Liberian telecom provider Lonestar.
Krebs on Security
The popular Krebs on Security blog has had a long history of being targeted by DDoS attacks (Figure 10), and on September 21, 2016 was subject to an unprecedented 623 Gbps DDoS attack — with Mirai as the prime suspect. Placing this attack in context, it was significantly larger than the previously reported largest publicly-disclosed DDoS attack (i.e., Spamhaus at 300+ Gbps [77]), but we note that attacks on non-disclosed targets of 500 Gbps and 800 Gbps were reported in 2015 and 2016 respectively [7]. To confirm the origin of the attack, we intersected a list of 12,847 attack IPs observed by Akamai with the Mirai IPs we saw actively scanning during that period. We found a 96.4% overlap in hosts. Google Shield, which later took over DDoS protection of the site, separately maintained a larger sample of 158,839 attack IPs for an HTTP attack on September 25, 2016. When given the Mirai scanning IPs from that day, they found 96% of their attack IPs overlapped. Our results illustrate the potency of the Mirai botnet, despite its composition of low-end devices concentrated in Southeast Asia and South America. We also identified which C2 clusters were responsible for some of the largest attacks by correlating attack commands with naming infrastructure, and we note that cluster 1 (Figure 7) was responsible for this attack.

Figure 10: Historical DDoS Attacks Targeting Krebs on Security — Brian Krebs' blog was the victim of 269 DDoS attacks from 7/24/2012–9/22/2016. The 623 Gbps Mirai attack on 9/21/2016 was 35 times larger than the average attack, and the largest ever recorded for the site.
Dyn
On October 21, 2016, Dyn, a popular DNS provider, suffered a series of DDoS attacks that disrupted name resolution for their clients, including high-traffic sites such as Amazon, Github, Netflix, PayPal, Reddit, and Twitter [71]. Consistent with Dyn's postmortem report [36], we observed 23 attack commands that targeted Dyn infrastructure, from 11:07–16:55 UTC. The first 21 attacks were primarily short-lived (i.e., 25 second) SYN floods on DNS port 53, along with a few ACK and GRE IP attacks, followed by sustained 1 hour and 5 hour SYN attacks on TCP/53. We note a 71% intersection between the 107K IPs that attacked Dyn and Mirai scanning in our network telescope. This indicates that, while the attack clearly involved Mirai, there may have been other hosts involved as well.
USENIX Association
26th USENIX Security Symposium 1105
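The attribution step used for both the Krebs on Security and Dyn attacks above, intersecting a provider's list of attack client IPs with the hosts seen scanning the telescope with Mirai's fingerprint during the attack window, as an added Python example (not code from the paper or its authors). The telescope records and the attack IP list are constructed; the labelling rule, a SYN whose TCP sequence number equals the destination IPv4 address, is the scanner fingerprint from the released Mirai source and is assumed here rather than taken from this section.

```python
"""Attribute a DDoS attack to Mirai by intersecting its client IPs with hosts
seen scanning a network telescope using Mirai's SYN fingerprint.
Added example; telescope records and attack IP list are constructed."""
import ipaddress
from datetime import datetime, timedelta


def as_int(ip):
    return int(ipaddress.IPv4Address(ip))


def is_mirai_probe(dst_ip, tcp_seq):
    """Mirai's scanner sets the TCP sequence number of each SYN probe to the
    destination IPv4 address (a property of the released Mirai source), which
    is what lets telescope SYNs be labelled as Mirai scans."""
    return as_int(dst_ip) == tcp_seq


def mirai_scanners(telescope_syns, start, end):
    """Source IPs that sent a Mirai-fingerprinted SYN to the telescope within
    [start, end]. Each record is (timestamp, src_ip, dst_ip, tcp_seq)."""
    return {src for ts, src, dst, seq in telescope_syns
            if start <= ts <= end and is_mirai_probe(dst, seq)}


def attack_overlap(attack_ips, scanners):
    """Share of the deduplicated attack sources that were Mirai scanners.
    Returns (matched, total, fraction)."""
    attackers = set(attack_ips)
    matched = attackers & scanners
    return len(matched), len(attackers), len(matched) / len(attackers)


# Constructed sample: six telescope SYNs around the Krebs attack date. The probe
# from .13 carries an unrelated sequence number (not Mirai); .15 is outside the
# one-day window used below.
T0 = datetime(2016, 9, 21)
TELESCOPE = [
    (T0 + timedelta(hours=1), "198.51.100.10", "203.0.113.7", as_int("203.0.113.7")),
    (T0 + timedelta(hours=2), "198.51.100.11", "203.0.113.9", as_int("203.0.113.9")),
    (T0 + timedelta(hours=3), "198.51.100.12", "203.0.113.20", as_int("203.0.113.20")),
    (T0 + timedelta(hours=4), "198.51.100.13", "203.0.113.21", 0x1A2B3C4D),
    (T0 + timedelta(hours=5), "198.51.100.14", "203.0.113.22", as_int("203.0.113.22")),
    (T0 + timedelta(days=3), "198.51.100.15", "203.0.113.23", as_int("203.0.113.23")),
]
# Constructed attack client list as a mitigation provider might share it
# (contains a duplicate, which the set intersection discards).
ATTACK_IPS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13",
              "198.51.100.14", "198.51.100.15", "198.51.100.99", "198.51.100.10"]


def krebs_style_check(window_days=1):
    """Overlap of ATTACK_IPS with scanners seen in the window_days after T0."""
    scanners = mirai_scanners(TELESCOPE, T0, T0 + timedelta(days=window_days))
    return attack_overlap(ATTACK_IPS, scanners)


if __name__ == "__main__":
    matched, total, frac = krebs_style_check()
    print(f"{matched}/{total} attack sources ({frac:.1%}) were Mirai scanners")
```

The window matters: widening it to several days pulls in scanners that were not active during the attack and inflates the overlap, which is why the paper restricts the comparison to scanning seen "during that period" or "from that day".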
Although the first several attacks in this period solely targeted Dyn's DNS infrastructure, later attack commands simultaneously targeted Dyn and PlayStation infrastructure, potentially providing clues towards attacker motivation. Interestingly, the targeted Dyn and PlayStation IPs are all linked to PlayStation name servers: the domain names ns<00–03>.playstation.net resolve to IPs with reverse DNS records pointing to ns<1-4>.p05.dynect.net, and the domain names ns<05–06>.playstation.net resolve to the targeted PlayStation infrastructure IPs.

The attacks on Dyn were interspersed amongst other attacks targeting Xbox Live, Microsoft DNS infrastructure, PlayStation, Nuclear Fallout game hosting servers, and other cloud servers. These non-Dyn attacks were either ACK/GRE IP floods or VSE (Valve Source Engine query) floods, which suggests that the targets were Valve Steam servers. At 22:17 UTC, the botnet issued a final 10 hour-long attack on a set of Dyn and PlayStation infrastructure. This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn. The attacker was likely targeting gaming infrastructure, and in doing so incidentally disrupted service to Dyn's broader customer base. The attack was carried out by cluster 6.
Lonestar Cell
Attacks on Lonestar Cell, a large telecom operator in Liberia and the most targeted victim of Mirai (by attack count), have received significant attention due to speculation that Mirai substantially deteriorated Liberia's overall Internet connectivity [14, 42]. Others have questioned these claims [45]. We cannot provide insight into Liberia's network availability; instead, we analyze the attack commands we observed. Beginning at 10:45 UTC on October 31, 2016 and continuing until December 13, 2016, a single botnet C2 cluster (id 2) issued a series of 341 attacks against hosts in the Lonestar AS. 87% of the attacks were SYN or ACK floods and targeted both full subnets and individual addresses within 168.253.25.0/24, 41.57.81.0/24, and 41.57.85.0/24, all of which belong to Lonestar Cell or its parent company, MTN Group.

In addition to IP targets, we observed an NXDOMAIN attack issued on November 8, 2016 that targeted simregistration.lonestarcell.com. A single C2 IP never seen previously or subsequently issued a single attack on December 14. Attacks on Lonestar infrastructure resumed at 09:24 UTC on January 16, 2017 and persisted until February 8, 2017, with 273 attacks issued from a single C2 IP address. In total there were 616 attacks, 102 of which reflected traffic off Voxility, Google, Facebook, and Amazon servers towards Lonestar networks. The attacks were carried out by C2 cluster 2 and used the C2 domains "mufoscam.org", "securityupdates.us", "jgop.org", and "zugzwang.me".
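The per-prefix and per-type breakdown reported for Lonestar above, as an added Python example (not code from the paper or its authors). The command log is constructed; the command shape (C2 IP, attack type, target, optional spoofed source) and the rule that a command whose target is a third party but whose forged source lies in the victim network is counted as a reflection attack are assumptions of the example, not something this section specifies.

```python
"""Break down a C2's attack commands against one victim network: which victim
prefixes were hit, the share of SYN/ACK floods, and which commands reflected
traffic off third parties. Added example with constructed commands."""
import ipaddress
from collections import Counter

# Victim prefixes and domain from the Lonestar case study.
VICTIM_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("168.253.25.0/24", "41.57.81.0/24", "41.57.85.0/24")]
VICTIM_DOMAIN = "lonestarcell.com"


def victim_prefix(target):
    """Victim prefix containing `target` (an address or CIDR), the string
    'domain' for a hostname under the victim domain, or None."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:                       # not an address: a DNS attack target
        return "domain" if target.endswith(VICTIM_DOMAIN) else None
    for p in VICTIM_PREFIXES:
        if net.subnet_of(p):
            return str(p)
    return None


def classify(cmd):
    """cmd = (c2_ip, attack_type, target, spoofed_src). 'direct' when the target
    is in the victim network; 'reflection' when the target is a third party but
    the forged source is the victim (assumed heuristic: reflectors answer to the
    spoofed source address); otherwise 'unrelated'."""
    _c2, _kind, target, spoofed = cmd
    bucket = victim_prefix(target)
    if bucket is not None:
        return "direct", bucket
    if spoofed is not None:
        bucket = victim_prefix(spoofed)
        if bucket is not None:
            return "reflection", bucket
    return "unrelated", None


def summarize(commands):
    by_prefix, by_type = Counter(), Counter()
    direct = reflection = syn_ack = 0
    for cmd in commands:
        mode, bucket = classify(cmd)
        if mode == "unrelated":
            continue
        by_prefix[bucket] += 1
        by_type[cmd[1]] += 1
        direct += mode == "direct"
        reflection += mode == "reflection"
        syn_ack += cmd[1] in ("syn", "ack")
    total = direct + reflection
    return {"total": total, "direct": direct, "reflection": reflection,
            "syn_ack_share": syn_ack / total if total else 0.0,
            "by_prefix": dict(by_prefix), "by_type": dict(by_type)}


# Constructed command log: one C2 flooding Lonestar prefixes and hosts, a DNS
# attack on a Lonestar name, two UDP floods at TEST-NET "reflectors" with a
# Lonestar address forged as source, and one unrelated attack from another C2.
COMMANDS = [
    ("192.0.2.1", "syn", "168.253.25.0/24", None),
    ("192.0.2.1", "ack", "168.253.25.17", None),
    ("192.0.2.1", "syn", "41.57.81.0/24", None),
    ("192.0.2.1", "syn", "41.57.85.44", None),
    ("192.0.2.1", "ack", "41.57.85.0/24", None),
    ("192.0.2.1", "udp", "41.57.81.9", None),
    ("192.0.2.1", "dns", "simregistration.lonestarcell.com", None),
    ("192.0.2.1", "udp", "203.0.113.53", "41.57.81.9"),
    ("192.0.2.1", "udp", "198.51.100.5", "168.253.25.17"),
    ("192.0.2.2", "syn", "203.0.113.10", None),
]

if __name__ == "__main__":
    for key, value in summarize(COMMANDS).items():
        print(f"{key}: {value}")
```

Prefix targets are handled with `strict=False` so a host address and a /24 both map onto the covering victim prefix, which is how "both full subnets and addresses within" the three /24s end up in the same bucket.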
As we have seen, Mirai primarily used direct, non-reflective attacks over a wide range of protocols, including the less common GRE and VSE floods. Even without relying on amplification attacks, Mirai was still able to inflict serious damage, as evidenced by the high-profile attacks against Krebs on Security, Dyn, and Lonestar Cell. Furthermore, the juxtaposition of attacker geography (largely Southeast Asia and South America) and victim geography (majority in the U.S.) places a spotlight on the importance of global solutions, both technical and non-technical, to prevent the rise of similar botnets. Otherwise, adversaries will continue to abuse the most fragile hosts to disrupt the overall Internet ecosystem.
7 Discussion
Mirai has brought into focus the technical and regulatory challenges of securing a menagerie of consumer-managed, interfaceless IoT devices. Attackers are taking advantage of a reversal of the last two decades of security trends that is especially prevalent in IoT devices. In contrast to desktop and mobile systems, where a small number of security-conscious vendors control the most sensitive parts of the software stack (e.g., Windows, iOS, Android), IoT devices are much more heterogeneous and, from a security perspective, mostly neglected. In seeking appropriate technical and policy-based defenses for today's IoT ecosystem, we draw on the experience of dealing with desktop worms from the 2000s.
Security hardening
The Mirai botnet demonstrated that even an unsophisticated dictionary attack could compromise hundreds of thousands of Internet-connected devices. While randomized default passwords would be a first step, it is likely that future attacks will evolve to target software vulnerabilities in IoT devices, much like the early Code Red and Conficker worms [8, 70]. To mitigate this threat before it starts, IoT security must evolve away from default-open ports to default-closed ones and adopt security hardening best practices. Devices should ship with default network configurations that limit remote access to local networks or specific providers. Apart from network security, IoT developers need to apply ASLR, isolation boundaries, and the principle of least privilege in their designs. From a compliance perspective, certifications might help guide consumers to more secure choices as well as pressure manufacturers to produce more secure products.
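A check for the default-closed, local-networks-only posture argued for above, as an added Python example (not code from the paper or its authors): it reports which management listeners an arbitrary Internet host can reach given the device's allow-list, and emits an nftables input chain that confines them to the LAN. The device inventory and LAN prefix are constructed; the port list assumes telnet on 23 and 2323 (the ports Mirai's scanner probed, from the released source) plus SSH and an HTTP admin interface, and the chain names are the example's own.

```python
"""Default-closed audit for an IoT device's management services. Added
example; the device inventory is constructed and the policy is the
'remote access only from the local network' posture."""
import ipaddress

# Telnet on 23 and 2323 are the ports Mirai's scanner probed (from the released
# source); 22 and 80 are the other management services commonly left open.
MGMT_PORTS = {23: "telnet", 2323: "telnet", 22: "ssh", 80: "http-admin"}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def internet_reachable(listeners, allow_rules, lan):
    """Management listeners an arbitrary Internet host can connect to.

    listeners:   (port, bind_address) pairs from the device.
    allow_rules: (source_cidr, port) entries of a default-deny allow-list, or
                 None when the device ships with no input filtering at all.
    lan:         the prefix remote access should be confined to.
    """
    lan = _net(lan)
    exposed = []
    for port, bind in listeners:
        if port not in MGMT_PORTS or ipaddress.ip_address(bind).is_loopback:
            continue
        if allow_rules is None:              # default-open: anything bound to 0.0.0.0 is reachable
            exposed.append((port, MGMT_PORTS[port], "no input filtering"))
            continue
        for src, rule_port in allow_rules:   # default-deny: exposed only via a non-LAN allow rule
            src_net = _net(src)
            if rule_port == port and not src_net.is_loopback and not src_net.subnet_of(lan):
                exposed.append((port, MGMT_PORTS[port], f"allowed from {src}"))
                break
    return exposed


def lan_only_ruleset(lan, ports):
    """nftables input chain that drops by default and admits the given TCP
    ports from the LAN prefix only (table/chain names are the example's own)."""
    port_set = ", ".join(str(p) for p in sorted(ports))
    return "\n".join([
        "table inet device {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        f"    ip saddr {lan} tcp dport {{ {port_set} }} accept",
        "  }",
        "}",
    ])


# Constructed inventory: a camera with telnet and its web UI bound to all
# interfaces, SSH on loopback only, and RTSP (not a management port) on 554.
SHIPPED_LISTENERS = [(23, "0.0.0.0"), (80, "0.0.0.0"), (22, "127.0.0.1"), (554, "0.0.0.0")]
HARDENED_RULES = [("192.168.1.0/24", 23), ("192.168.1.0/24", 80)]

if __name__ == "__main__":
    print("as shipped:", internet_reachable(SHIPPED_LISTENERS, None, "192.168.1.0/24"))
    print("hardened:  ", internet_reachable(SHIPPED_LISTENERS, HARDENED_RULES, "192.168.1.0/24"))
    print(lan_only_ruleset("192.168.1.0/24", [22, 80]))
```

The audit treats a missing allow-list as "everything reachable" rather than "nothing to report", since a device with no input filtering is exactly the default-open case; an allow rule with source 0.0.0.0/0 is flagged the same way because it reopens the port to the Internet despite the default-deny policy.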