Mirai Internet of Things IoT DDoS sets record 600+ GB/Sec and your refrigerator could have been one of the attackers!

What is the Internet of Things (IoT) ?

In today’s technological expansion everything seems to be connected to the Internet, for instance in my own home I have my refrigerator, thermostat, video cameras, tablets, cell phone, TV, xbox, DirecTV box, printer, security system, laptops, servers, workstations, Ethernet tap, a switch and a router all connected to the Internet! This is all collectively referred to as the Internet of Things, basically everything connected to the interwebs.A lot of devices that connect to the internet now are a combination of hardware and software (firmware) and are not commonly updated and patched as that requires typically flashing the firmware. New vulnerabilities are being discovered daily in these devices and being used in botnets to conduct massive Distributed Denial of Service attacks.

There is a new botnet being used to conduct IoT attacks and it is called Mirai and the source code has been leaded onto github here https://github.com/jgamblin/Mirai-Source-Code

Mirai functions by infecting IoT devices by trying to brute force their passwords.The tactic it uses to brute force passwords is entering commonly used and default passwords. Several things have been noted in Mirai.Such as the bots being written in C and the command & control being written in Go and the fact it contains a list of IPs for which to avoid activating its scans on.

Denial of Service attack evolution

In the past layer 3 DoS attacks, DDoS and DrDoS attacks relied on either hacking mainly unix servers, exploiting software bugs, amplification attacks or malware/DDoS botnets mainly comprised of PCs. Massive botnets built this way have resulted in incredible attacks, some being clocked at over 400 Gigabytes a second! These attacks are very rare but large enough in scale to bring down just about anything on the web.Level 3 Communications, a telecommunications company and Internet service provider in Colorado, has identified the Mirai C2 infrastructure compromising and communicating with owned IoT devices. It also estimates that the number of compromised CCTV cameras, DVRs, home networking equipment overrun by Mirai has more than doubled from 213,000 to 493,000.

KrebsOnSecurity Report:

On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.

The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.

US-Cert Preventative Steps:

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.

Twitter Feed:


Here is the botnet being discussed on hackforums including the configuration and implementation of the software:

Here is a user on Hackforums discussing Mirai:

Leave a Comment