Mirai botnet FAQ

Alexander Bochmann Tuesday 21 of March, 2017
The APNIC blog has a guest post that explains quite a few operational details about the inner workings of the Mirai botnet components.

APNIC blog wrote:
Do C2 master and bot have heartbeat communication?

Yes. The heartbeat will involve sending and receiving the same 2 bytes of data (content is 0x0000). The interval time is about 60 seconds and the maximum timeout is 180 seconds.

Maybe having an IDS is not such a bad idea...
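As an added example (not part of the original post or the APNIC article), here is one way an IDS-style check could flag the heartbeat described in the quote: the same 2-byte 0x0000 payload seen in both directions at roughly 60-second intervals. The record format, the jitter tolerance, the minimum beat count and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

HEARTBEAT = b"\x00\x00"  # 2-byte payload, content 0x0000 (from the quoted FAQ)
INTERVAL = 60.0          # "about 60 seconds"
TIMEOUT = 180.0          # "maximum timeout is 180 seconds"
TOLERANCE = 10.0         # assumption: jitter allowed around the interval
MIN_BEATS = 3            # assumption: beats per direction before flagging


def is_periodic(times):
    """True if timestamps look like a ~60 s beat with no gap above the timeout."""
    if len(times) < MIN_BEATS:
        return False
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return abs(median(gaps) - INTERVAL) <= TOLERANCE and max(gaps) <= TIMEOUT


def find_heartbeat_pairs(records):
    """records: (timestamp, src, dst, payload) tuples from any packet parser.
    Returns host pairs where both sides send the periodic 0x0000 payload."""
    beats = defaultdict(lambda: defaultdict(list))  # pair -> sender -> times
    for ts, src, dst, payload in records:
        if payload == HEARTBEAT:
            beats[tuple(sorted((src, dst)))][src].append(ts)
    return sorted(
        pair for pair, by_sender in beats.items()
        if len(by_sender) == 2 and all(is_periodic(t) for t in by_sender.values())
    )


# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = []
for t in (0.0, 60.2, 119.8, 180.1):
    SAMPLE.append((t, "192.0.2.10", "198.51.100.5", b"\x00\x00"))         # beat
    SAMPLE.append((t + 0.05, "198.51.100.5", "192.0.2.10", b"\x00\x00"))  # echo
# One-way periodic zeros: no echo from the peer, so not flagged.
SAMPLE += [(t, "192.0.2.20", "198.51.100.6", b"\x00\x00") for t in (5, 65, 125)]
# Two-way traffic on the right schedule but with a different payload.
for t in (1, 61, 121):
    SAMPLE.append((t, "192.0.2.30", "198.51.100.7", b"PING"))
    SAMPLE.append((t + 0.1, "198.51.100.7", "192.0.2.30", b"PONG"))
# Two-way zeros, but far too frequent to match the interval.
for t in (0, 1, 2, 3):
    SAMPLE.append((t, "192.0.2.40", "198.51.100.8", b"\x00\x00"))
    SAMPLE.append((t + 0.01, "198.51.100.8", "192.0.2.40", b"\x00\x00"))

if __name__ == "__main__":
    print(find_heartbeat_pairs(SAMPLE))
```

Requiring the echo and the interval together keeps the check from firing on every stray 2-byte zero payload, which on its own is too generic to be a useful indicator.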

APNIC blog wrote:
What are the characteristics in GRE IP/ETH flood?

GRE ETH flood adds a custom ETH layer then GRE IP flood; the ETH layer is randomly filled. The destination IP in the packet is also randomly filled if it is not specified in the command.

I remember that one puzzling quite a few people when they first noticed that kind of traffic...