Shortcut - A blog by

What is Mirai botnet and how did it smash the Internet?

By on .

On October 21, the U.S. saw a massive outage of Internet sites. Hackers launched three waves of attacks that took out the web operations of Internet powerhouses such as Amazon, Pinterest, Netflix and The New York Times.

Many people were left wondering how this could’ve this happened. Let’s take a look at who attacked what, how they did it, and what implications this could have for the future of the Web.


Who was it?

Two hacking collectives claimed responsibility for the attack: New World Hackers and Anonymous. The groups say they carried out the operation in retaliation for Ecuador cutting off Internet access for Julian Assange of WikiLeaks. However, experts aren’t confident it actually was those groups. With Mirai, the open-source tool used to launch the attack, it could have been any other hacker or group.


What broke?

The attack was on Dyn, a Domain Name Service (DNS) provider. You use a DNS provider whenever you point your browser to a URL like Think of DNS as a switchboard operator. The operator gets your request and finds the IP address of a server that holds the website you want. Then it and connects your computer to that server. DNS is important to the web, and the blackout showed us just how much depends on it.


How did it break?

The hackers used a technique called DDoS, which stands for “distributed denial of service.”. The “distributed” part means that the attack came from multiple computers in different locations.

In any Denial of Service attack, the attacker bombards a website’s server with lots of network requests. With too many requests, the server gets overloaded. It can’t respond to legitimate requests and the website becomes unreachable.

In the attack on Dyn, the botnet (collection of hacked computers used for the DDoS attack) comprised Internet-enabled devices such as remote cameras, baby monitors and printers. Mirai was the malware that infected them. Mirai’s creator specifically targeted the security weakness of Internet-of-Things (IoT) devices. A hacker shared the Mirai source code with a community of hackers, giving them a powerful open-source weapon.

When Mirai infects a device, the device continues to function normally in the household. But in the background, that device searches for and infects other vulnerable devices. These devices form a virtual army that a hacker can use to barrage online targets with traffic. A Computerworld article said an estimated 100,000 devices were involved in the attack, but the total number of infected devices could be half a million. The attack was likely the largest DDoS attack in history.


Now what?

The Mirai malware is still out there. But while many devices are now infected, not all of them are controlled by the same hacker. In reality, “Mirai botnet” is many botnets that run on the same malware. Security experts have seen smaller DDoS attempts, but it seems competition among hackers to take over devices has fragmented Mirai’s power. It’s unlikely that another big outage will happen from the same source any time soon.

But the event should spark caution for device manufacturers and consumers alike. The IoT devices in Mirai botnets were vulnerable because they used weak or default passwords. Manufacturers should require strong, unique passwords during device setup. Users should always change the default password when setting up a new Internet-connected device.