Read Understanding the Mirai Botnet by Antonakakis, et al. The Mirai botnet is primarily made up of small IoT devices that can't typically generate a great deal of traffic. It was successful in part of the sheer number of devices involved, and the fact that it leveraged application-layer and state exhaustion attacks more than previous bots had; those attacks tend to exhaust computation and memory/storage resources on the server moreso than bandwidth into the server. You'll learn more about these attacks in the lecture preceding this recitation.
- Section 2 gives an overview of how Mirai operates.
- Section 3 describes how the authors detected the bots.
- Sections 4 and 5 discuss how the bot spread and evolved.
- Section 6 details how it mounted its DDoS attacks.
- Section 7 makes recommendation for protecting against similar attacks in the future.
- Why did Mirai work so well at this particular moment in time?
- Suppose you own an IoT device. What would you do, as an owner, to prevent it from becoming part of a Mirai botnet?
- This article describes an Internet of Things cybersecurity law that was passed in California. Do you think this law would be enough to protect against the version of Mirai described in the paper? What about future versions?
Question for Recitation
- What is unique about Mirai compared to other botnets?
- How does Mirai work? Both how does it infect a device, and how does it mount an attack
- Why are botnets so important these days, as we study computer security?