Jump to Content

Understanding the Mirai Botnet

Manos Antonakakis
Tim April
Michael Bailey
Matt Bernhard
Jaime Cochran
Zakir Durumeric
J. Alex Halderman
Michalis Kallitsis
Deepak Kumar
Chaz Lever
Zane Ma
Joshua Mason
Damian Menscher
Chad Seaman
Nick Sullivan
Yi Zhou
Proceedings of the 26th USENIX Security Symposium (2017)


The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets—the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.