Vol. 1 · Ed. 2026
CyberGlossary
Entry № 683

Mirai Botnet

What is Mirai Botnet?

Mirai Botnet: An IoT malware family first seen in 2016 that recruits routers, cameras, and DVRs through default credentials and was used in the Dyn DNS DDoS that broke much of the U.S. internet.


Mirai is an IoT malware family first identified in August 2016 that scans the internet for Linux-based devices — routers, IP cameras, DVRs — exposing Telnet (and later SSH) with a list of well-known default credentials. Infected devices report to a C2 server and can launch high-volume DDoS attacks, including HTTP, UDP, TCP-SYN, and DNS amplification. Mirai was used in the September 2016 attack on Brian Krebs's site (~620 Gbps), the October 2016 attack on DNS provider Dyn that disrupted Twitter, Spotify, Netflix, and many other services, and an attack on the French hoster OVH (>1 Tbps). The source code was released publicly in October 2016, spawning many forks (Satori, Okiru, Owari, Mozi). Three U.S.-based authors (Paras Jha, Josiah White, Dalton Norman) later pleaded guilty.

Examples

  1. Scanning the IPv4 internet for Telnet on port 23 and brute-forcing 60+ default credentials such as admin/admin and root/xc3511.

  2. Launching a multi-Tbps DDoS that knocked the DNS provider Dyn offline in October 2016.

Frequently asked questions

What is Mirai Botnet?

An IoT malware family first seen in 2016 that recruits routers, cameras, and DVRs through default credentials and was used in the Dyn DNS DDoS that broke much of the U.S. internet. It belongs to the OT / ICS / IoT category of cybersecurity.

How do you defend against Mirai Botnet?

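Defences against Mirai typically combine technical controls and operational practices. The full definition above describes the infection path those defences must close: devices that expose Telnet (and later SSH) while still accepting well-known default credentials.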
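One way to spot an already-infected device on your own network is to look for the scanning behaviour described in the definition above: a single source sending connection attempts to many different hosts on Telnet port 23 in a short time. The following is an added example, not code from this glossary or from Mirai; the flow-record format, function names, thresholds and addresses are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_telnet_scanners(lines, ports=frozenset({23}), window_s=60, min_targets=20):
    """Per source: most distinct hosts sent a SYN on `ports` within any `window_s` seconds."""
    events, flagged = defaultdict(list), {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        ts, src, dst, dport, flags = parts
        if flags != "S" or not dport.isdigit() or int(dport) not in ports:
            continue  # only bare SYNs to the monitored ports count
        try:
            events[src].append((datetime.fromisoformat(ts), dst))
        except ValueError:
            continue  # unparseable timestamp
    for src, evs in events.items():
        evs.sort()
        in_window, start, best = defaultdict(int), 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while (ts - evs[start][0]).total_seconds() > window_s:
                old = evs[start][1]          # expire events older than the window
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged

def build_sample():
    """Constructed flow records, not real traffic: 'time src dst dport tcp_flags'."""
    t0, rec = datetime(2026, 1, 1, 12, 0, 0), []
    def add(offset, src, dst, port):
        rec.append(f"{(t0 + offset).isoformat()} {src} {dst} {port} S")
    for i in range(40):  # camera: 40 Telnet targets in 20 s (scanner-like)
        add(timedelta(seconds=i * 0.5), "10.0.0.50", f"198.51.100.{i + 1}", 23)
    for i in range(5):   # admin workstation: repeated Telnet to one switch
        add(timedelta(minutes=i), "10.0.0.7", "10.0.0.1", 23)
    for i in range(25):  # 25 Telnet targets, but only one every 5 minutes
        add(timedelta(minutes=5 * i), "10.0.0.9", f"203.0.113.{i + 1}", 23)
    rec.append("truncated record")  # exercises the malformed-line path
    return rec

if __name__ == "__main__":
    print(find_telnet_scanners(build_sample()))  # sources that look like Telnet scanners
```

Only the camera at 10.0.0.50 is flagged with the default settings; the slow source at 10.0.0.9 shows why the window length and threshold need tuning against normal traffic on the network being monitored.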

What are other names for Mirai Botnet?

Common alternative names include: Mirai, Mirai malware.
