The Expansion of IoT since Mirai.

The idea of an Internet of Things (IoT) botnet is nothing new in our industry. In fact, the threat has been discussed for many years by security researchers. It has only now gained public attention due to the release and rampage of the Mirai botnet. Since Mirai broke the 1Tbps mark in late 2016 the IoT threat has become a popular topic of conversation for many industries that utilize connected devices. Not only are companies worried about if their devices are vulnerable but they are also worried if those devices can be used to launch a DDoS attack, one possibly aimed at their own network.

There have been two key outcomes since the publication of the Mirai’s source code. One is that it has given everyone the ability to easily build and customize their own IoT botnet. Second is that it has created demand for a security standard for IoT devices. Most of these IoT devices are infected within minutes of being connected to the internet and most users do not know how to secure the devices themselves.

Spreading the epidemic.

Digital vending solutions and kiosks around the world are rapidly becoming more advanced. Some of these devices are connected to the internet with a mobile router so they can help improve accuracy and efficiency of the service by collecting and storing data. Companies using this new technology can connect to these devices to view sales reports, check inventory and monitor service issues. Unfortunately, in a rush to connect everything some of these devices used for remote monitoring have been found to have multiple vulnerabilities including weak credential management. This left these new smart solutions exposed online to attackers.

Botnets like qBot, Hajime, Mirai and others target these smart solutions by using scanners designed to locate connected devices with exposed ports and default credentials. Once infected these devices look to spread their malware and persistently target more and more devices every day. The IoT botnet scanners will look for vulnerable devices connected to the internet and attempt to gain access by brute forcing the login with a set of default passwords. Once it gains privileged access it will load the malicious source code appropriate to the architecture and enslave the device into the botnet.

[You might also like: IoT Threats: Whose problem is it?]

Since we started tracking the Mirai botnet we have monitored 2,790 attacks, most of which are basic UDP flood and DNS water torture attacks. When Mirai was released, the scanner included 61 default passwords. All a bot herder has to do is collect and add more default credentials from other manufacturers to a scanner and they will be able to enslave new devices into their botnet.

Why is this happening?

The problem with IoT devices is that they are always on, 24/7, and can produce large scale attacks when infected. Unlike a PC botnet, when an IoT bot herder wants to launch an attack, they will have most of the infected devices online and ready to go. The increase of available devices participating in an IoT attack, in combination with faster internet connections, can result in massive 1Tbps DDoS attacks. These devices are scanned, targeted and infected within minutes of being activated and connected, and are attacked hundreds of times a day by other IoT devices that have already been infected.

IoT devices are sold vulnerable in the form of number of services and ports that are open by default. Users who don’t know to change default passwords immediately will hardly be able to know how to reconfigure the device and close specific ports.

IoT devices are sold with very weak credentials. They are often root:root or admin:admin and are hardly ever changed by the end user when deployed. Once these devices become infected, the malware will change the default password to prevent the user from logging in and to prevent other attackers from taking over their infected bots.

Since the publication of Mirai, a number of attackers have deployed their own IoT botnets and are actively scanning and looking for new victims. Even just a botnet with a few thousand infected IoT devices could cause major problems for businesses – from mere resource consumption to significant service degradation or even a complete outage. Even worse, DDoS-for-Ransom groups are now using IoT botnets like Mirai as intimidation in their ransom notes.


The IoT threat is a serious one but one that can be simply resolved. While it’s almost impossible to educate everyone on how to change their user name and passwords on these devices, it is possible for manufacturers to incorporate security features into the design and production of these devices, in particular security telnet communication and its associated ports. Default passwords must be random and users should be advised with simple instructions on how to change them.

We also recommend home users take these four steps to better prepare:

• Stay current – Update firmware and software regularly
• Authentication – Use unique credentials for each device
• Configuration – Close unnecessary ports and disable unnecessary services
• Segment – Create separate network zones for your IoT systems


Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center