Mirai and How Your IP Camera Brought down the Internet

1st February 2019 | November 12th, 2019

It’s Friday, friends, which means cybersecurity time has come! Today I would like to talk about the infamous Mirai. This canorous Japanese word denotes a dangerous piece of malware, a botnet by nature, that took down big websites via massive DDoS (distributed denial-of-service) attacks using hundreds of thousands of compromised IoT devices. But first things first!

The History of Mirai and How It Took down the Internet

Anna-senpai, the alleged author of the malware, named it after the anime series Mirai Nikki.

On August 1, 2016, the infection started from a bulletproof hosting provider (hosting of the kind often used by spammers for online gambling or illegal pornography) and spread rapidly, doubling its size every 76 minutes, according to independent Cloudflare research.

On August 2, Mirai had already infected more than 65,000 IoT devices. By 2020 the number of IoT devices per person is expected to be 6.58, so we can assume that in August 2016 tens of thousands of people experienced the attack!

The first report of Mirai dates back to September of that year, when it carried out a massive DDoS attack against the blog of Brian Krebs, a famous security journalist, and against OVH, one of the largest web hosting providers in the world. From that time, security researchers from MalwareMustDie learned about Mirai.

On October 21, 2016, Mirai disrupted the name-resolution service of DYN. Put simply, the DDoS attack cut internet users off from such popular websites as Airbnb, Amazon, GitHub, HBO, Netflix, PayPal, Reddit, and Twitter.

The peak of the malware took place in November. By that time Mirai had already infected over 600,000 IoT devices. On November 26, 2016, Deutsche Telekom, one of the largest German Internet providers, suffered a massive service outage. 900,000 of its routers were compromised.

It’s worth noting that this time a new, buggy version of Mirai was to blame. While attempting to compromise the routers, the variant simply knocked the devices offline. This incident demonstrates how weaponizing already complex malware can produce very poor botnets. The facts were made public after Daniel Kaye pleaded guilty and admitted the story during the trial.

How Mirai Works

In lay terms, Mirai is a computer worm that finds, attacks, and infects vulnerable IoT devices. Mirai is also considered a botnet, since the infected devices are controlled from a central set of command-and-control (C&C) servers. These C&C servers tell the infected devices which websites to attack next. By and large, Mirai is made up of two critical components: a replication module and an attack module.

Most of the breached devices were routers and cameras. Notably, the malware actively removed any banner identification, which explains why the majority of the other devices could not be identified.

Mirai’s Outcome

Bad news: Anna-senpai published the source code for Mirai on the darknet as open source. Remarkably, the hacker retired after creating this notorious malware.

The code release gave birth to a proliferation of copycat hackers who started to run their own Mirai botnets. From that time, the attacks were no longer tied to a single player but to multiple groups, which made the attacks and their consequences more significant than ever.

Defense Against Mirai’s DDoS Attacks

Mirai still poses a threat. Good news: victims of Mirai attacks have no control over uninfected and poorly secured devices. Modern cybersecurity companies can offer various methods of defense against Mirai botnets. Just google them and stay protected!

At ROKKEX, we take security extremely seriously, and our crypto exchange is built on the ‘Security First’ principle. We want to share our expertise with the broader public for the world to become happy, safe, and wise.