Mirai: The IoT Bot that Took Down Krebs and Launched a Tbps Attack on OVH
- by nlqip
The encapsulated (inner) IP header uses the same parameters as the encapsulating (outer) IP header: the same source and destination addresses and the same header fields. The inner IP packet carries a UDP datagram as its transport-layer payload.
Most routers on the public Internet forward GRE packets because GRE is widely used to build tunnels and VPN connections, so the flood is not filtered in transit. We speculate that GRE was chosen because encapsulation lets the bot send payloads large enough to be fragmented, which adds the processing overhead of IP reassembly on the target.
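To make the packet layout concrete, here is an added example that is not code from this article or from Mirai's source. It builds a GRE-encapsulated IPv4/UDP packet whose inner header mirrors the outer one, decodes it back, checks for that mirrored shape (a usable filter signature for a defender), and counts the fragments the outer packet needs on a 1500-byte link. The addresses, ports, TTL and payload are constructed values; the optional GRE fields are handled only as far as skipping them.

```python
import socket
import struct

GRE_PROTO = 47                 # IP protocol number for GRE
IPPROTO_UDP = 17
GRE_PROTOTYPE_IPV4 = 0x0800    # GRE protocol-type value for an encapsulated IPv4 packet


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a filled-in header it evaluates to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_gre_ip_packet(src, dst, sport, dport, payload, ttl=64, ident=0):
    """outer IPv4(proto 47) -> GRE -> inner IPv4(proto 17) -> UDP -> payload.

    The inner IPv4 header repeats the outer header's addresses and TTL, the shape
    the article describes. Addresses and ports are whatever the caller passes (constructed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    inner = ipv4_header(src, dst, IPPROTO_UDP, len(udp), ttl, ident) + udp
    gre = struct.pack("!HH", 0, GRE_PROTOTYPE_IPV4)  # flags/version 0: no checksum, key or sequence
    outer = ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner), ttl, ident)
    return outer + gre + inner


def parse_ipv4(buf):
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ihl": ihl, "total_len": f[2], "ttl": f[5], "proto": f[6],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "checksum_ok": ip_checksum(buf[:ihl]) == 0}


def inspect_gre(packet):
    """Decode outer IP + GRE + inner IP and report whether the inner header mirrors the outer one."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        return None
    off = outer["ihl"]
    flags, ptype = struct.unpack("!HH", packet[off:off + 4])
    # Optional GRE fields (RFC 2784/2890): checksum+reserved (C or R bit), key (K), sequence (S).
    gre_len = 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype != GRE_PROTOTYPE_IPV4:
        return {"outer": outer, "inner": None, "gre_flags": flags, "mirrored_header": False}
    inner = parse_ipv4(packet[off + gre_len:])
    mirrored = (all(inner[k] == outer[k] for k in ("src", "dst", "ttl"))
                and inner["proto"] == IPPROTO_UDP)
    return {"outer": outer, "inner": inner, "gre_flags": flags, "mirrored_header": mirrored}


def fragments_needed(packet, mtu=1500):
    """IPv4 fragments the outer packet needs on a link with the given MTU.

    Every fragment repeats the 20-byte outer header and carries a multiple of 8 payload bytes;
    the target must buffer and reassemble all of them before it can even look at the GRE header."""
    per_fragment = (mtu - 20) // 8 * 8
    return -(-(len(packet) - 20) // per_fragment)


if __name__ == "__main__":
    pkt = build_gre_ip_packet("192.0.2.1", "203.0.113.9", 12345, 80, b"A" * 512)
    print(len(pkt), inspect_gre(pkt)["mirrored_header"], fragments_needed(pkt))
```

The mirrored inner header is a cheap thing to check on a scrubbing box: legitimate GRE tunnels carry inner addresses that differ from the tunnel endpoints, while a packet whose inner source, destination and TTL equal the outer ones and whose inner protocol is UDP matches the shape described above. The fragment count shows why a large payload hurts: a 4000-byte payload becomes three fragments that must all arrive and be reassembled.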
The Hidden Attack
While there is no record of this attack being used and no supported command to invoke it, the source contains an implementation of a so-called "cfnull" attack that targets the application layer. It is very similar to the GET/POST flood, but "cfnull" is designed to send a large POST body of 80 MB of junk (a randomly composed alphabetic string) to the targeted server, consuming web-server resources.
Bypassing Mitigation Devices
While analyzing the attacks Mirai offers, we also took the perspective of how to mitigate them.
According to Mirai's creator, the so-called "TCP STOMP" attack is a variation of the simple ACK flood intended to bypass mitigation devices. In the actual implementation the bot opens a full TCP connection, completing the three-way handshake, and then floods the target with ACK packets carrying legitimate sequence numbers, which keeps the connection alive and makes the flood look like traffic on an established connection to a stateful filter that would simply drop ACKs belonging to no known connection.
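The difference between a blind ACK flood and the STOMP variant, shown as an added example that is not the article's or Mirai's code: a minimal stateful connection table of the kind an ACK-flood mitigation uses, run over a constructed packet trace. The addresses, ports and sequence numbers are made up, the 65535-byte window is an illustrative constant, and the "pure ACK storm" heuristic at the end is one possible follow-up check, not a documented product feature.

```python
from collections import Counter, namedtuple

# One packet in the trace; flags is a string of TCP flag letters ("S", "SA", "A").
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack payload_len")


class ConnectionTable:
    """Stateful tracker in the style of a connection-table ACK-flood filter (constructed)."""

    WINDOW = 65535   # illustrative receive window for the in-window sequence check

    def __init__(self):
        self.flows = {}   # (client ip, client port, server ip, server port) -> state

    def observe(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            self.flows[key] = {"state": "SYN_SENT", "client_seq": p.seq + 1, "server_seq": None,
                               "pure_acks": 0, "data_bytes": 0}
            return "syn"
        if p.flags == "SA":
            f = self.flows.get((p.dst, p.dport, p.src, p.sport))   # reverse direction
            if f is None or f["state"] != "SYN_SENT":
                return "unsolicited_synack"
            f["state"], f["server_seq"] = "SYN_RECV", p.seq + 1
            return "synack"
        if "A" in p.flags:
            f = self.flows.get(key)
            if f is None:
                return "ack_no_flow"          # blind ACK flood: no handshake seen, dropped
            if f["state"] == "SYN_RECV" and p.ack == f["server_seq"]:
                f["state"] = "ESTABLISHED"    # third packet of the handshake
            if f["state"] != "ESTABLISHED":
                return "ack_wrong_state"
            if not (f["client_seq"] <= p.seq < f["client_seq"] + self.WINDOW):
                return "ack_out_of_window"    # forged sequence number on a real flow
            if p.payload_len == 0:
                f["pure_acks"] += 1
            else:
                f["data_bytes"] += p.payload_len
                f["client_seq"] = p.seq + p.payload_len
            return "ack_in_window"            # STOMP packets end up here: they pass
        return "other"

    def pure_ack_storms(self, min_acks=5):
        """Established flows that only ever sent payload-less ACKs: a STOMP-shaped signal."""
        return [k for k, f in self.flows.items()
                if f["state"] == "ESTABLISHED" and f["data_bytes"] == 0 and f["pure_acks"] >= min_acks]


SERVER = ("203.0.113.10", 80)   # constructed target


def blind_ack_flood(n):
    """Classic ACK flood: no handshake, random-looking sequence numbers, new port per packet."""
    return [Pkt("198.51.100.5", 40000 + i, *SERVER, "A", (0xDEADBEEF + i * 7919) & 0xFFFFFFFF, 0, 0)
            for i in range(n)]


def stomp_flow(n):
    """STOMP: full handshake, then n ACKs with the legitimate next sequence number."""
    client, isn_c, isn_s = ("198.51.100.7", 51000), 1000, 5000
    pkts = [Pkt(*client, *SERVER, "S", isn_c, 0, 0),
            Pkt(*SERVER, *client, "SA", isn_s, isn_c + 1, 0)]
    pkts += [Pkt(*client, *SERVER, "A", isn_c + 1, isn_s + 1, 0) for _ in range(n)]
    return pkts


def run(trace):
    """Feed a trace through the table; return the verdict counts and the table."""
    table = ConnectionTable()
    return Counter(table.observe(p) for p in trace), table


if __name__ == "__main__":
    verdicts, table = run(blind_ack_flood(10) + stomp_flow(20))
    print(dict(verdicts), table.pure_ack_storms())
```

The blind flood is rejected outright because no connection exists for its packets, which is exactly what the connection-table approach is good at. The STOMP flow passes every per-packet check, since the sequence numbers are the real ones; it only stands out when you look at the flow as a whole (many ACKs, no data, no closure), which is the kind of signal a mitigation needs in addition to state tracking.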
The Layer 7 "GET/POST" flood supports HTTP cookies and redirects, which is enough to get past simple bot challenges that only set a cookie and redirect the client. There is no support for more advanced challenges that require executing JavaScript, although the bot does fingerprint several cloud DDoS scrubbing services.
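To show why cookie and redirect support matters, here is an added example, not code from the article or from Mirai: a toy mitigation front-end with two challenge styles and a client that has exactly the capabilities described above (keeps cookies, follows redirects, runs no JavaScript). The challenge token derivation, the script format and the IP address are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class ChallengeFront:
    """Toy mitigation front-end (constructed). mode is "cookie_redirect" or "js"."""

    def __init__(self, mode):
        assert mode in ("cookie_redirect", "js")
        self.mode = mode
        self.secret = secrets.token_hex(8)
        self.origin_hits = 0          # requests that reached the protected origin

    def _token(self, client_ip):
        return hashlib.sha256(f"{self.secret}:{client_ip}".encode()).hexdigest()[:16]

    def _expected_cookie(self, client_ip):
        t = self._token(client_ip)
        if self.mode == "cookie_redirect":
            return t                  # the cookie is handed over verbatim
        a, b = int(t[:4], 16), int(t[4:8], 16)
        return format(a * b, "x")     # the value the challenge script would compute and store

    def handle(self, client_ip, req):
        if req.cookies.get("chal") == self._expected_cookie(client_ip):
            self.origin_hits += 1
            return Response(200, {}, "origin content")
        if self.mode == "cookie_redirect":
            # Simple challenge: set a cookie and bounce the client back to the same URL.
            return Response(302, {"Set-Cookie": f"chal={self._token(client_ip)}", "Location": req.path})
        # JS challenge: the cookie value only exists after executing the script.
        t = self._token(client_ip)
        a, b = int(t[:4], 16), int(t[4:8], 16)
        script = f'<script>document.cookie="chal="+({a}*{b}).toString(16)</script>'
        return Response(200, {}, script)


class CookieRedirectBot:
    """Client with the capabilities the article attributes to the HTTP flood: it stores
    Set-Cookie values and follows Location redirects, but does not execute JavaScript."""

    def __init__(self, ip, max_redirects=5):
        self.ip, self.cookies, self.max_redirects = ip, {}, max_redirects

    def fetch(self, front, path):
        resp = None
        for _ in range(self.max_redirects + 1):
            resp = front.handle(self.ip, Request(path, dict(self.cookies)))
            if "Set-Cookie" in resp.headers:
                name, value = resp.headers["Set-Cookie"].split("=", 1)
                self.cookies[name] = value
            if resp.status in (301, 302) and "Location" in resp.headers:
                path = resp.headers["Location"]
                continue
            return resp
        return resp


def origin_hits(mode, requests=20, ip="198.51.100.23"):
    """Send `requests` GETs from one bot against a front-end in `mode`; return how many reached the origin."""
    front, bot = ChallengeFront(mode), CookieRedirectBot(ip)
    for _ in range(requests):
        bot.fetch(front, "/")
    return front.origin_hits


if __name__ == "__main__":
    print(origin_hits("cookie_redirect"), origin_hits("js"))
```

Against the cookie-and-redirect challenge every request after the first redirect reaches the origin, so the challenge buys nothing against this bot. Against the JavaScript challenge the bot keeps receiving the challenge page with a 200 status and never gets a cookie, so the origin sees none of the flood; the front-end still spends resources serving challenge pages, which is the part a scrubbing service has to absorb.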