Mirai Botnet: IoT Devices Take Down the Internet's Infrastructure

A botnet of roughly 600,000 compromised CCTV cameras, DVRs and home routers, recruited by logging in over telnet with factory-default credentials, launched a DDoS attack estimated at up to 1.2 Tbps against DNS provider Dyn, leaving Twitter, Netflix, Reddit and hundreds of other major sites unreachable for a large part of the United States.

Dyn / IoT Ecosystem · 2016 · 2 min read

Background

By 2016 hundreds of millions of internet-connected consumer devices — cameras, routers, DVRs — shipped with default usernames and passwords such as "admin/admin" or "root/1234" that users never changed, and with a telnet service enabled by default. The devices ran stripped-down embedded Linux (typically BusyBox), often exposed their management port directly to the internet, and had no mechanism for automatic firmware updates, so a weakness baked in at the factory stayed there for the life of the device.

The Attack

Three young men in the US (one of them a Rutgers undergraduate) created Mirai — Japanese for "future" — which scanned the IPv4 internet for devices with telnet open on TCP ports 23 and 2323, attempted login with a hard-coded list of 61 default username/password pairs, and on success reported the device to a loader that installed the bot and enrolled it into the botnet. The infection did not persist across reboots, but a rebooted device was usually re-infected within minutes because nothing about it had changed. By September 2016 Mirai controlled over 600,000 devices and had already hit the KrebsOnSecurity blog and the French hosting provider OVH. On 30 September the author released the source code publicly, and from then on multiple Mirai botnets ran under different operators. On October 21, a Mirai botnet was directed at Dyn, a managed DNS provider whose authoritative servers resolved domains for Twitter, Netflix, Spotify, Reddit, CNN, GitHub, and hundreds more; Dyn later estimated that up to 100,000 infected endpoints took part. Three waves of DDoS traffic, with a peak reported at an estimated 1.2 Tbps, left Dyn's customers' domains unresolvable for users across much of the US East Coast.
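One concrete way to spot the scanning phase described above on your own network, as an added example that is not part of the original article and not code from the Mirai project: the published Mirai scanner sets the TCP initial sequence number of every probe SYN equal to the destination IPv4 address (as a 32-bit integer), a fingerprint documented in the released source and by the researchers who analysed it. Real TCP stacks randomise the ISN, so a source that sends several such SYNs to ports 23 or 2323 is almost certainly a Mirai-family scanner. The log format, the `find_mirai_scanners` function and the sample packet records are constructed for this example.

```python
"""Flag Mirai-style telnet scanning in a packet summary log.

Added example, not code from the original article or from Mirai itself.
Fingerprint used: Mirai's scanner sends SYNs to TCP 23/2323 whose initial
sequence number equals the destination IPv4 address as a 32-bit integer.
Log format and sample records below are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed sample in the form "src dst dport flags seq", as a capture
# tool summary might print it. Rows 1-3 imitate a Mirai scanner (seq equals
# dst as an integer); row 4 is a telnet SYN with a random-looking ISN;
# rows 5-6 hit port 443 and must not be flagged even if the ISN matches.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 23 S 3405803786
198.51.100.7 203.0.113.11 2323 S 3405803787
198.51.100.7 203.0.113.12 23 S 3405803788
192.0.2.44 203.0.113.10 23 S 1840522961
192.0.2.44 203.0.113.13 443 S 3405803789
198.51.100.7 203.0.113.13 443 S 917263540
"""


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address -> big-endian 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def is_mirai_syn(dst: str, dport: int, flags: str, seq: int) -> bool:
    """True when a packet matches the Mirai scanner fingerprint."""
    return flags == "S" and dport in TELNET_PORTS and seq == ip_to_int(dst)


def parse_line(line: str):
    """Split one constructed log row into typed fields."""
    src, dst, dport, flags, seq = line.split()
    return src, dst, int(dport), flags, int(seq)


def find_mirai_scanners(log_text: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Return {source_ip: [targets]} for sources with >= min_hits matches.

    A random ISN matches the destination address with probability 2**-32,
    so a single hit is tolerated; min_hits keeps one-off coincidences out.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags, seq = parse_line(line)
        if is_mirai_syn(dst, dport, flags, seq):
            hits[src].append(dst)
    return {src: targets for src, targets in hits.items() if len(targets) >= min_hits}


if __name__ == "__main__":
    for src, targets in find_mirai_scanners(SAMPLE_LOG).items():
        print(f"{src}: Mirai-style telnet scan of {len(targets)} hosts: {', '.join(targets)}")
```

The same check can be expressed as a capture filter or IDS rule on a live sensor; the point is that the fingerprint lives in the SYN itself, so you can detect the scanner before any login attempt reaches a device.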

Response

Dyn restored service after the first wave in roughly two hours, absorbed a second wave around midday, and mitigated a third without customer-visible impact. Because the Mirai source code had been public since 30 September, dozens of variants with larger credential lists and additional exploits appeared in the following months. The FCC and FTC launched investigations into IoT security. Several IoT device manufacturers issued firmware updates, and Hangzhou Xiongmai, whose components were in many of the infected cameras and DVRs, recalled some devices sold in the US.

Outcome

The Mirai attacks were the largest DDoS events recorded at that time. The three creators pleaded guilty in December 2017 to conspiracy charges for building and operating the botnet and were sentenced in 2018 to five years of probation, 2,500 hours of community service and restitution; no charges were brought for the Dyn attack itself, which was carried out by other operators of the released code. The attack demonstrated that the insecure IoT ecosystem posed systemic internet infrastructure risk. California subsequently passed the first US IoT security law (SB-327, 2018, in force from 2020), requiring connected devices to ship with a unique preprogrammed password or to force the user to set a new one at first use.

Key Takeaways

  1. Default credentials on any internet-connected device must be changed before deployment, and any device that cannot be changed should be treated as already compromised
  2. Manufacturers must ship devices with unique per-device passwords (or force a change at first boot) and provide a signed, automatic firmware update path
  3. IoT management services (telnet, SSH, HTTP admin pages) should never be reachable from the internet: disable telnet and UPnP, and put devices on a segmented network behind a firewall; NAT alone is not a security control, since port forwarding and UPnP routinely re-expose them
  4. Authoritative DNS is a single point of failure for every site behind it: use more than one DNS provider, keep TTLs sane, and require DDoS mitigation capacity by design; Dyn customers with a secondary provider stayed reachable during the attack
Tags: DDoS, IoT, botnet, default credentials, DNS