4.2 How did it work?

Many consumer connected devices (sometimes known as IoT device) are built on an off-the-shelf embedded open source Linux platform, such as the Busybox. These devices are designed to be low cost and plug-and-play (easy to use).

To compete for the market, manufacturers often focus their designs on functionality and ease of use rather than security. To allow the convenience of remote controlling these devices, a standard server is often embedded and turned on by default so that users can control these devices anywhere once they are powered on and connected to the internet. The two commonly used servers are based on Teletype Network (Telnet) and Secure Shell (SSH), which are network protocols for providing a remote terminal to control a computer system. From this terminal, a user can completely take control of the computer, including the ability to download, install and execute software. SSH is more secure than Telnet as it uses encryption to protect the transmission of the data. However, as many of these IoT devices use default factory usernames and passwords, which can be found by a web search, even SSH’s encryption cannot protect against unauthorised access.

The Mirai malware exploits this remote control feature and uses it to take control of the connected devices. The botnet owner starts by installing the Mirai botnet software on a master computer, which will have overall control of the botnet. The software will continuously scan the internet using random IP addresses on ports 22 and 23, which are the default network ports for the SSH and Telnet servers respectively.

Once a victim is identified, Mirai will try and log in to their SSH/Telnet server using a list of known default usernames and passwords for commonly used consumer connected devices. After logging in to the device, the malware will record the device’s IP address, remote server type, username and password on its master computer for future reference. It will then download a copy of the Mirai malware and execute it on the victim’s computing system, which then becomes a part of the botnet and also scans the internet to find more victims. To ensure it has exclusive control of the device and to prevent other botnet malware from exploiting it, the malware will also close the ports for the SSH and Telnet servers and open secret ports for exclusive remote control of the device.

As these computing devices are usually running on fixed firmware, the malware cannot be installed on the device’s operating system. This means the malware will be erased if the device is rebooted. However, the malware keeps a record of its connection information at the master computer, so if a device is rebooted the master computer can attempt to reconnect to it quickly using the recorded connection information.

As mentioned before, a traffic volume of 20–40 Gbit/s is usually sufficient to bring down an ordinary website. In the Dyn attack, the Mirai botnet was thought to have control over 450 000 devices, each of which could generate 1–30 Mbit/s of traffic. This enabled the botnet owner to attack a website with hundreds of gigabits per second of traffic, which is enough to bring down even a well-protected company such as Dyn (Xander, 2016).

Another strength of the Mirai botnet is that it consists of devices randomly distributed all over the world. This randomness makes it very difficult to defend against a DDoS attack: because there is no apparent pattern to the traffic, it is hard to filter out the unauthorised traffic from the legitimate traffic.