Understanding the Mirai Botnet
Abstract
The Mirai botnet, composed primarily of embedded
and IoT devices, took the Internet by storm in late 2016
when it overwhelmed several high-profile targets with
massive distributed denial-of-service (DDoS) attacks. In
this paper, we provide a seven-month retrospective analysis
of Mirai’s growth to a peak of 600k infections and
a history of its DDoS victims. By combining a variety
of measurement perspectives, we analyze how the botnet
emerged, what classes of devices were affected, and
how Mirai variants evolved and competed for vulnerable
hosts. Our measurements serve as a lens into the fragile
ecosystem of IoT devices. We argue that Mirai may represent
a sea change in the evolutionary development of
botnets—the simplicity through which devices were infected
and its precipitous growth, demonstrate that novice
malicious techniques can compromise enough low-end
devices to threaten even some of the best-defended targets.
To address this risk, we recommend technical and nontechnical
interventions, as well as propose future research
directions.