skip to Main Content


Discovering Mirai-infected IoT devices via Merit’s network telescope

Merit Research is pleased to announce that data capturing malicious internet of things (IoT) activities, attributed to the Mirai botnet, is now being available to researchers and cybersecurity analysts. The data were captured at Merit’s large network telescope (a network telescope, aka Darknet, is an unused, but routed, IP address space that is utilized for the collection and analysis of unsolicited internet traffic; such traffic is usually associated with nefarious activity such as scanning, worm propagation, spoof-based denial of service attacks, etc. — see [1] for more details). The data is being made available through the DHS IMPACT project [2].
[visibility type=”hidden-phone”]

The Mirai botnet used IoT devices, like security cameras, to produce some of the largest DDoS attacks ever recorded.







[/visibility] As described in our previous blog post [3], the Mirai botnet was responsible for some of the largest Distributed Denial of Service (DDoS) attacks ever recorded. The large scale of these volumetric DDoS attacks (attack volume reached 1 terabytes-per-second (Tbps) in some occasions) can be attributed to the huge population of Mirai-infected IoT devices that participated in the attacks. The botnet was (and still is!) able to easily self-propagate by aggressively scanning for open Telnet (TCP ports 23 and 2323) services running at insecure IoT devices such as home routers and IP cameras. Briefly speaking, once a listening Telnet connection got identified, the bot aimed to forcefully authenticate in a brute-force manner. In other words, the bot tried several username/password combinations that are usually set as default ones by the IoT manufacturer (one infamous example is “admin/admin”). Upon successful authentication the malicious payload was installed, and the IoT device was ready to receive instructions (such as directions for launching DDoS attacks against specific victims) from its “command & control” center.

The botnet author uploaded the Mirai source-code in a publicly accessible hacker forum in September 2016 (see [4]). This gave the opportunity to several security researchers (including members of our team) to get a glance at the code. Careful inspection of the code revealed a unique fingerprint that could be used to identify Mirai’s scanning efforts. In particular, the scanning function of the source code crafts the probing packets in a very specific way: the “initial TCP sequence packet” is set equal to the “destination IP” of the victim. This is probably done for efficient, non-blocking scanning, but it also allows for easy scanning identification! We looked at data captured at our longitudinal Darknet monitor, and we were able to identify thousands of infected IoT devices1. For the record, the first Mirai scan appeared in our Darknet on August 1, 2016.

This dataset can enable cybersecurity researchers to characterize the population of infected IoT devices and potentially understand patterns and trends in its evolution. It also provides a mechanism to assess network reputation and network hygiene. Interested researchers are encouraged to visit and request access to the dataset.


[1] “Internet Background Radiation Revisited”,
[2] Information Marketplace for Policy and Analysis of Cyber-Risk & Trust, sponsored by the Department of Homeland Security,
[3] “A View on the IoT-enabled DDoS Attacks Against Dyn from Merit’s Vantage Point”, Feb. 2017,
[4] “Who is Anna-Senpai, the Mirai Worm Author?”, Krebs on Security,


1 For interested researchers, longitudinal Darknet datasets are also made available to cyber-security researchers via IMPACT.