Decoding the Mirai Attack: Port Scanning and Protecting Your Network

Imagine waking up one morning and discovering that your favorite websites like Twitter, PayPal, Spotify, and Netflix are inaccessible due to a staggering Distributed Denial of Service (DDoS) attack. This was a reality for some Americans in October 2016, when their digital services were crippled by the notorious Mirai malware that terrorized not only organizations but also entire nations. This malignant code made headlines again in the same year by shutting down Liberia’s internet service.

This potential digital plague, known as Mirai, is now freely available on the dark web and poses a significant threat to nations, organizations, and even individuals. Fortunately, these attacks have underscored the vulnerability of an increasing number of Internet of Things (IoT) devices. Now, we are not just focused on expanding connectivity, but also investing in the protection of these devices long-term. Massive connectivity forecasts made years ago by Ericsson – predicting a staggering 50 billion connected devices (Gartner’s less generous estimate puts it at 20 billion) by 2020 – did not highlight any associated risks. However, recent events have brought these concerns to light.

The silver lining is that we now have a defense against the Mirai malware. The startup company IoT Defense Inc., based in the Washington DC Metro area, has launched a web scanner specifically designed to indicate whether your network is exposed to Mirai. This life-saving tool scans for opened TCP ports and notifies users if their systems are safe.

The scanner identifies and inspects susceptible ports such as HTTP (port 80 by default), HTTPS, FTP, SSH, Telnet (23 and 2323), and Microsoft Remote Desktop Protocol (RDP), among others. A worrying statistic reveals that nearly 40% of IoT devices may be vulnerable to threats including DDoS attacks, primarily if an attacker gains access to an unprotected device. Once they have broken in, these attackers can insert malware, which in turn overwhelms service providers with unmanageable and unwanted traffic. This inbound traffic eventually results in network shutdown due to maxed-out capacity, as seen during the Dyn attack in the US. The Liberia attack is another example, where traffic exceeded 500 gigabits per second, a scale unprecedented for a nation serviced by a single fibre cable for its 4.3 million citizens.

Attackers exploit these unprotected ports in IoT devices, including routers and DVRs, to carry out their malevolent actions. The port scanner launched by IoT Defense Inc. scans these ports to ascertain their security. The scanner itself, designed by combining Python, Node JS and Jade frameworks, inspects almost a dozen ports that can be potentially exploited by botnets. The scanner is freely available and easy to use, with minimal guidance necessary for operation.

While rebooting affected devices may be a feasible solution to smaller attacks, larger DDoS attacks are resilient; botnets continue to scan susceptible ports even after the device is rebooted. T. Roy, the CEO of IoT Defense, recommends that vendors should implement auto-update features and unique passwords for each device, and only keep necessary ports open to better protect devices from attacks.

This article was updated in 2025 to reflect modern realities.