Contents
IoT Attack Handbook
03 Introduction
05 Mirai Overview
09 Mirai Attack Vectors
10 DNS
12 VSE
14 STOMP
16 GREETH
19 GREIP
22 SYN
24 ACK
26 UDP
28 UDPPLAIN
30 HTTP
34 Attacks Included in Mirai Variants
36 STD
38 XMAS
40 Burst Attacks
43 Defense and Onward
45 Appendices
Released to the public by its author in 2016, it remains responsible
for some of the most damaging and widely publicized DDoS
attacks on the internet.
IOT ATTACK HANDBOOK | 3
Mirai is an IoT botnet that was designed to exploit vulnerabilities in poorly secured IoT devices for use in large-scale DDoS attacks.
The threat of Mirai continues to change the security landscape in significant ways. When initially released, Mirai was a large botnet capable of incredibly large attacks because it maintained a large bot count. Today, Radware witnesses factions of smaller Mirai botnets rather than a few large ones. As more people understand how to run it, more people are competing for the pool of devices. In addition, botnets like BrickerBot and Hajime eliminate vulnerable devices from the available infection pool.
Perhaps the most compelling aspect of Mirai was the public release of the source code. Upon release, anyone, anywhere, could create their own botnet. With the source code available and instructions clearly documented, new threat actors had an existing framework that they could modify by adding code for new vectors or additional behavior to the botnets.
This has happened. Although Mirai is several years old now, it is still active in its original form in addition to modern variants. Botnets such as Masuta, Owari, DaddysMirai and Orion all include Mirai attack code. Evidence also suggests that other IoT botnets like IoT_Reaper/IoTroop and Satori are based on the Mirai framework, albeit with different approaches.
Most importantly, Mirai underscores the potential of IoT as a DDoS attack tool and how vulnerable poorly secured devices are.
INTRODUCTION
Not all IoT devices are susceptible to Mirai infection. In fact, it can be difficult to achieve and maintain infection of a device. Even if a device can be infected and join a Mirai botnet, many devices behave differently once enslaved. For example, some devices crash and reboot once they are issued an attack command, which flushes Mirai from the system. In another example, it was observed that certain variables, like source or destination IP, could not be accurately implemented by a specific device, thus sending the attack to the wrong destination.
This handbook is a study of the original Mirai attack vectors and some of its variants. Each of the attacks is dissected in a lab environment, allowing the reader to discover the flexibility of each one. The intent is for the reader to become familiar with each attack vector, understand its profile and parameters, and think about how to defend against each of these attacks if needed.
THE INFAMOUS MIRAI BOTNET was responsible for some of the largest and most widely distributed DDoS attacks in recent history, including attacks against security journalist Brian Krebs' website, French web host OVH, and DNS provider Dyn. Commandeering hundreds of thousands of IoT devices, it sent shock waves through the security marketplace with traffic volumes exceeding 1 Tbps.
UNDER ATTACK