Mirai Botnet
Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou
Affiliations: Akamai Technologies, Cloudflare, Georgia Institute of Technology, Google, Merit Network, University of Illinois Urbana-Champaign, University of Michigan
2016: 6 - 9 Billion
2020: ~30 Billion
[Figure: Mirai operation overview; labels: Bots, Relay, Load, Report, Attack, DDoS Target]
Data sources (figure labels: Devices, Scan, Victim, Bots, Attack, DDoS Target):
Malware Repository: 594 binaries
Active/Passive DNS: 499M daily RRs
C2 Milkers: 64K issued attacks
Krebs DDoS Attack: 170K attacker IPs
Dyn DDoS Attack: 108K attacker IPs
July 2016 - February 2017
[Figure: population over time, 08/01/16 - 02/01/17; y-axis 0 - 600,000; x-axis Date]
[Figure: TCP/23 scans per day, Mirai TCP/23 scans vs. Non-Mirai TCP/23 scans, 08/01/16 - 02/01/17, y-axis 0 - 600,000; inset of the first days by hour, y-axis 0 - 120,000, with annotations "3:59 AM Botnet Expands" and "23:59 PM 64,500 scanners"; x-axis Date]
[Figure: TCP/23 and TCP/2323 ("IoT Telnet") scans over time, 08/01/16 - 02/01/17, y-axis 0 - 600,000; x-axis Date]
[Figure: TCP/7547 scans over time, 08/01/16 - 02/01/17, y-axis 0 - 600,000; x-axis Date]
[Figure: scans over time, 08/01/16 - 02/01/17, y-axis 0 - 300,000; x-axis Date]
[Figure: 9 Additional Protocols, scans over time, 08/01/16 - 02/01/17, y-axis 0 - 100,000; x-axis Date]
[Figure: Carna botnet, scans over time, 08/01/16 - 02/01/17, y-axis 0 - 600,000; x-axis Date]
Binary Packing
DGA
“It is possible, investigators say, that the attack on Dyn was conducted by a criminal
group that wanted to extort the company. Or it could have been done by “hacktivists.”
Or a foreign power that wanted to remind the United States of its vulnerability.”
Mirai attacks: 33% volumetric, 32% TCP state, 34% application attacks
Limited reflection/amplification: 2.8% reflection attacks, compared to 74% for booters
[Figure: CWMP TCP/7547 scans over time, 08/01/16 - 02/01/17, y-axis 0 - 600,000, annotation "~1 month = 6.7K"; x-axis Date]
zanema2@illinois.edu