Changes To Mirai Botnet Behavior On Election Day

1968 0

Using Project Heisenberg, the Rapid7 Labs team has been tracking Mirai botnet activity since Oct. 31, and we wanted to alert you to some notable differences in behaviour.

Here are the key findings as of this evening:

  • We’ve tracked over 360,000 unique IPv4 addresses associated with Mirai traffic since October 8, 2016 and have been monitoring another ramp up in activity that started around November 4, 2016
  • At mid-day on November 8, 2016 the traffic volume was as high as the entire day on November 6, 2016, with all indications pointing to a probable significant increase in botnet node accumulation by the end of the day
  • On November 6, 2016 the U.S. dropped out of the top 10 originating countries. As we dug into the data, we noticed a significant and sustained drop-off of Mirai nodes from two internet service providers: Comcast and UUNET (d/b/a Verizon Business)

It’s worth noting: regardless of the changes we’ve seen in the Mirai botnet over the last several days, we still do not expect Mirai, or any other online threat, to have an impact on today’s election. The most realistic, worst-case scenarios we envision for cyber-hijinks this election day are DDoS attacks, which can impact how people get information about the election.

Our full findings (with graphs) are published here:


rapid7Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.

In this article