The Internet of Vulnerable Things: Mirai

Mirai: The Internet of Vulnerable Things

On the morning of October 21, 2016, Americans trying to check Twitter, load Netflix, or buy something on Amazon found the same thing: the services weren’t there. Not slow. Not partially degraded.

Gone.

The disruption spread from New England outward, then up and down the eastern seaboard, then across the Atlantic to Europe. GitHub, Reddit, PayPal, Spotify, Airbnb, CNN, the New York Times — all unreachable. A single provider at one layer of internet infrastructure had been struck with a tidal wave of traffic it was never designed to survive.

The target was Dyn, a company in Manchester, New Hampshire that ran managed authoritative DNS for a large share of the web's biggest properties. DNS is not routing; it is the lookup that turns a name into an address. When Dyn's name servers stopped answering, sites that relied on Dyn alone for DNS became unreachable as soon as the cached answers at recursive resolvers expired, even though the sites themselves were up and healthy.

The weapon was Mirai — a botnet composed not of hacked computers or compromised servers, but of household objects. The security camera above a shop door. The DVR recording late-night television. The home router blinking its lights in a suburban hallway. Hundreds of thousands of them, conscripted by a piece of malware and aimed like a fire hose at whatever target their controllers chose.

The three people who built it were in their late teens and early twenties. One of them was an undergraduate at Rutgers.

Threat Actor Profile: Paras Jha, Josiah White & Dalton Norman

Real Names: Paras Jha (Hackforums handle: Anna-senpai), Josiah White, Dalton Norman
Origin: United States — New Jersey, Pennsylvania, Louisiana
Status: All three pleaded guilty in December 2017, in federal court in Alaska, to Computer Fraud and Abuse Act conspiracy charges for creating and operating Mirai; Jha and Norman also pleaded guilty to a click-fraud conspiracy that used Mirai-infected devices. None was sentenced to prison: in September 2018 each received five years of probation, 2,500 hours of community service and $127,000 in restitution, with the court filings crediting their substantial cooperation with FBI investigations into other criminal hacking operations. Jha separately pleaded guilty in New Jersey to CFAA violations for DDoS attacks against Rutgers University, where he was enrolled as a student; that case brought six months of home confinement and roughly $8.6 million in restitution.

Notorious Operations:

  • Krebs on Security DDoS (September 20, 2016): The first major Mirai deployment, a 620 Gbps flood against the security news site run by journalist Brian Krebs, at the time the largest DDoS attack on record. Krebs had just reported on vDOS, a DDoS-for-hire service whose operators were arrested in Israel days earlier, which appears to have triggered the retaliatory strike. Akamai, which had protected the site pro bono, absorbed the traffic for two days before concluding the cost was commercially untenable and dropping the site; Krebs moved to Google's Project Shield.
  • OVH DDoS (September 2016): French cloud hosting provider OVH was struck with a series of attacks exceeding 1 Tbps, the largest volumetric DDoS recorded at that point. OVH founder Octave Klaba reported the figures in real time on Twitter, with individual peaks above 1.1 Tbps.
  • Dyn DNS Attack (October 21, 2016): Two waves of attack traffic, beginning around 11:10 UTC and 15:50 UTC, plus a third attempt that Dyn mitigated without customer impact, overwhelmed Dyn's managed DNS platform with TCP and UDP traffic to port 53, including the random-subdomain lookups known as DNS water torture. Sites using Dyn as their sole DNS provider were intermittently unreachable across North America and Europe for much of the US business day.
  • Deutsche Telekom Disruption (November 27-28, 2016): A Mirai variant, run by a separate operator and not the original authors, tried to spread through the TR-069 remote-management port (TCP 7547) on home routers by injecting commands through a flaw in the TR-064 interface reachable there. Telekom's Speedport routers mostly crashed rather than joining the botnet, knocking roughly 900,000 customers offline until a firmware update was pushed.

The Premise: Your Security Camera Is Not Secure

To understand Mirai, you have to understand a structural absurdity that the internet of connected devices had baked in from its inception.

By 2016, hundreds of millions of devices were connected to the internet: IP cameras, digital video recorders, home routers, printers, “smart” appliances. Their manufacturers shipped them with default usernames and passwords such as admin/admin, root/1234 or guest/guest, sometimes printed on a sticker on the bottom of the box and sometimes, worse, hardcoded in the firmware so that the owner could not change them at all. Many also exposed a Telnet service to the internet out of the box. Sixty-one such combinations covered the authentication credentials of an astonishing fraction of deployed devices.

These devices ran stripped-down Linux operating systems, just capable enough to handle their functions. They were almost never updated. Their owners — home users, small businesses — had no reason to think about them. The camera in the corner worked. The DVR recorded. The router blinked its lights. That was all they needed to know.

To a botnet operator, they were invitation cards with the address already filled in.

The Code: How Mirai Worked

Mirai’s architecture was deceptively simple, which was the root of its power.

Phase 1: Scanning. An infected device began continuously probing randomly generated public IPv4 addresses on TCP port 23 (Telnet) and, about one probe in ten, port 2323 (an alternate Telnet port used by some device models). The scanner was stateless: it emitted raw SYN packets at high speed and recognised the SYN-ACKs that came back without keeping a connection table, which is how a device with a few megabytes of RAM could take part in sweeping the 4.3 billion-address space. A hardcoded exclusion list kept it away from private ranges and a handful of networks such as the US Department of Defense and the US Postal Service.

Phase 2: Credential Testing. When a host answered on Telnet, the bot attempted to log in with entries drawn at random, with weights, from its hardcoded table of 61 factory-default username-and-password pairs (admin/admin, root/xc3511, root/vizxv and the like), giving up on a host after roughly ten attempts. Because the table was tuned to real device families rather than exhaustive, a hit on a vulnerable device typically came within seconds.

Phase 3: Reporting and Deployment. The bot did not infect the victim itself. It sent the working credentials and the victim’s address to a report server; a separate loader, architecturally distinct from the command-and-control infrastructure, then logged in, identified the CPU architecture by inspecting a binary already present on the device, and delivered a matching Mirai binary over wget or TFTP or, failing both, by echoing hex bytes into a file over the Telnet session. Mirai shipped builds for MIPS (big and little endian), ARM, x86, SPARC, PowerPC, SuperH and Motorola 68k to cover the heterogeneous embedded ecosystem.

Phase 4: Enlisting. Once running, the binary connected to Mirai’s C2 server and waited for orders while scanning in the background to propagate further. It also defended its territory: it killed the processes listening on the Telnet, SSH and HTTP ports (23, 22, 80, the latter two where the build enabled it) and bound those ports itself so that no rival bot could log in the same way, and it hunted through /proc for known competitor malware and killed it.

Phase 5: Attack. On command, every enrolled device flooded the target at once. Mirai’s attack module offered UDP floods (generic and a Valve Source Engine query flood), TCP SYN, ACK and STOMP floods, GRE IP and GRE Ethernet floods, an HTTP flood and DNS water torture. The Dyn attack reportedly leaned on the last of these: each bot sent lookups for random, nonexistent subdomains of domains hosted at Dyn. Because every name was unique, no cache could answer it, so the full volume reached Dyn’s authoritative servers, and the recursive resolvers sitting between the bots and Dyn added their own retries when answers did not come back. The goal was to exhaust the servers’ query-handling capacity, not merely to saturate the links in front of them.

The devices could be cleaned, just not kept clean. Mirai lived only in memory: it deleted its own executable after launch and wrote nothing to flash, so a reboot removed it. But a rebooted device with the same default credentials and Telnet still exposed was typically reinfected within minutes by the scanning swarm that the rest of the botnet kept up around the clock. The only durable fixes were changing or disabling the Telnet account, which some firmware did not allow, or putting the device behind a firewall that blocked inbound 23 and 2323.
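One concrete way to turn Phase 1 into detection. This is an added example, not code from the article or from the Mirai source tree. It keys on a documented quirk of Mirai's stateless scanner: each probe's TCP sequence number is set to the destination IPv4 address (scanner.c: `tcph->seq = iph->daddr`) so that returning SYN-ACKs can be matched without a connection table. Read as a big-endian 32-bit integer, the seq field of a probe therefore equals the destination address. The log format, field names and addresses below are constructed for the example.

```python
"""Flag Mirai-style Telnet probes in a simple per-segment log.

Added example; not code from the article or from the Mirai source. It uses one
documented quirk of Mirai's stateless SYN scanner: each probe's TCP sequence
number is the destination IPv4 address (scanner.c: tcph->seq = iph->daddr), so
the bot can recognise SYN-ACKs without a connection table. Probes target port
23 roughly nine times in ten and 2323 otherwise. All log lines are constructed.
"""
import ipaddress
from collections import Counter

MIRAI_PORTS = {23, 2323}

# Constructed sample, one TCP segment per line: "src dst dport flags seq".
# 198.51.100.7 behaves like a Mirai bot; the other sources are ordinary traffic,
# and the last line is a SYN-ACK reply from a victim, which must not match.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 23 S 3405803786
198.51.100.7 203.0.113.11 23 S 3405803787
198.51.100.7 203.0.113.12 2323 S 3405803788
198.51.100.7 203.0.113.13 23 S 3405803789
192.0.2.44 203.0.113.10 23 S 1725698271
192.0.2.44 203.0.113.20 443 S 88123
198.51.100.9 203.0.113.10 22 S 4000000
203.0.113.10 198.51.100.7 52345 SA 9876543
""".splitlines()


def expected_probe_seq(dst: str) -> int:
    """Sequence number a Mirai scanner would place in a SYN aimed at dst."""
    return int(ipaddress.IPv4Address(dst))


def parse_line(line: str) -> dict:
    """Split one constructed log line into fields; seq is the raw 32-bit value."""
    src, dst, dport, flags, seq = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "flags": flags, "seq": int(seq)}


def is_mirai_probe(pkt: dict) -> bool:
    """True for a bare SYN to 23/2323 whose seq encodes the destination address."""
    if pkt["dport"] not in MIRAI_PORTS:
        return False
    if pkt["flags"] != "S":          # SYN only; SYN-ACK replies never count
        return False
    return pkt["seq"] == expected_probe_seq(pkt["dst"])


def mirai_scanners(lines, min_probes: int = 2) -> dict:
    """Map source address -> number of fingerprint-matching probes it sent.

    A random ISN collides with the destination address once in 2**32, so a
    single match is weak evidence; min_probes demands repetition before a
    source is reported.
    """
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if is_mirai_probe(pkt):
            hits[pkt["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_probes}


if __name__ == "__main__":
    for src, n in mirai_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} Mirai-fingerprinted Telnet probes")
```

The check is cheap enough to run over a packet capture or a flow export that preserves sequence numbers, and it separates Mirai-lineage scanners from the ordinary background of Telnet brute-forcers. Two caveats: a variant whose author rewrote the scanner will not carry the fingerprint, and a flow record that only keeps the first packet's seq is fine for SYNs but useless once the handshake completes, so apply it to the SYN, not to later segments.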

The Origin: Minecraft

The most surreal detail of the Mirai story is why it was built.

Paras Jha was not a state-sponsored actor. He was not a professional cybercriminal. He was, initially, a Minecraft server operator.

The Minecraft hosting business in 2016 was ferociously competitive, and operators routinely knocked each other’s servers offline with DDoS attacks to drive players to their own platforms. Jha, who with White ran a small DDoS-mitigation company called ProTraf Solutions that sold protection to Minecraft servers, was Mirai’s primary developer and built its control infrastructure. According to the plea documents, White wrote the Telnet scanner and Norman identified vulnerabilities and wrote the exploits that let later versions spread by means other than password guessing.

The business logic was crude and entirely sordid: knock out competitors during peak hours, pull in their player bases, and pick up hosting and DDoS-protection customers who wanted relief from attacks the same people were launching. Mirai was also rented out to other operators as a DDoS-for-hire service, and once its value as a DDoS weapon faded, the authors repurposed infected devices for click fraud.

The attack on Brian Krebs appears to have been retaliation — Krebs had published a damaging exposé of vDOS, a competing DDoS service, whose operators were connected to the same underground community in which Jha operated.

The Dyn attack was not Jha’s doing; it was carried out with a Mirai botnet run by others, and the three authors were never charged for it. On September 30, 2016, Jha had posted Mirai’s source code to hackforums.net under the handle “Anna-senpai”, a decision apparently intended to muddy attribution: once everyone had the code, no single operator could be tied to it. Instead, it turned Mirai into the foundation for an entire generation of IoT malware.

The Discovery and Aftermath

The FBI traced Mirai back to Jha through his own operational security failures: forum posts under the “Anna-senpai” handle and older accounts that reused the same phrases and interests, server and domain registration records, and payment history. Much of that trail was first assembled publicly by Brian Krebs over months of reporting, ironically the same journalist whose site had been among Mirai’s first targets.

All three agreed to cooperate extensively, providing the FBI with intelligence on other cybercriminals. The court filings describe their assistance as “substantial” in investigations of hacking and network attacks by parties beyond themselves.

Beyond the three original authors, operators who deployed Mirai variants were subsequently investigated and prosecuted in the US, the UK, Germany and elsewhere, among them the British man convicted in Germany for the Deutsche Telekom outage.

The source code release was a catastrophe for the internet. Within weeks of the code being mirrored on GitHub, security researchers documented more than a dozen variants: altered credential lists, new device targets, added exploits, different attack modules. Most were plainly criminal. Speculation about state interest in the code circulated at the time, but no early variant was ever firmly attributed to a government; what the release unambiguously did was lower the bar to running a large botnet to almost nothing.

Mirai’s lasting legacy was not the Dyn attack itself. It was the proof of concept: at roughly a terabit per second of sustained traffic, it demonstrated that the global population of poorly secured embedded devices constituted a weapons stockpile waiting to be unlocked. The IoT botnets that followed fall into two groups. Direct descendants such as Satori and Okiru are Mirai’s code with new exploits bolted on, and IoTroop/Reaper reused parts of it while spreading through web vulnerabilities rather than passwords. Hajime and VPNFilter are separate codebases that competed for the same device population and drew on Mirai’s lessons rather than its source.

The devices themselves — cameras, DVRs, and routers with factory-default credentials — remained vulnerable for years after the attack. Many still are.


Attack Chain: Mirai Botnet — The Dyn DDoS

graph TD
    A["🎮 Minecraft Hosting Competition\nParas Jha + Josiah White + Dalton Norman\nNew Jersey / Pennsylvania / Louisiana"] --> B["Build Mirai Botnet\nto DDoS Competing\nMinecraft Servers"]

    B --> C["Mirai Architecture:\nScanner + Loader + C2\nSeparate Infrastructure Layers"]

    C --> D["Mass Internet Scan\nPort 23 / 2323 — Telnet\nAll 4.3B IPv4 Addresses\nContinuous Random Probing"]

    D --> E["61 Default Credential Pairs Tested\nadmin/admin · root/1234\nguest/guest · (etc.)"]

    E --> F{"Device\nVulnerable?"}
    F -->|"No — patched / non-default creds"| G["Skip — Next IP"]
    F -->|"Yes — default creds accepted"| H["Device Compromised\nIP Camera / DVR / Home Router\n(Embedded Linux)"]

    H --> I["Report to Loader\nDeploy Mirai Binary\nfor Device's CPU Architecture\n(MIPS / ARM / x86 / SPARC…)"]
    I --> J["Register with C2 Server\nAwaiting Attack Orders"]
    J --> K["Continue Scanning\nPropagate Botnet Further\nBlock Competitor Malware on Device"]

    K --> L["Botnet Grows\nPeak: ~600,000 Infected Devices"]

    L --> M["September 20, 2016\nKrebs on Security DDoS\n620 Gbps — Record at Time\n(Retaliation for vDOS Reporting)"]
    L --> N["September 2016\nOVH Attack\n>1 Tbps Reported (New Record)"]

    L --> O["Source Code Released\nSeptember 30, 2016\n'Anna-senpai' on Hackforums\n(Attribution Diffusion Attempt)"]

    O --> P["Mirai Botnets Run by\nOther Operators\n(Not the Three Authors)"]
    P --> Q["October 21, 2016\nDyn DNS Targeted\nTwo Impacting Waves + One Mitigated\nDNS Water Torture + TCP/UDP Port 53 Floods"]

    Q --> R["🔴 Dyn Authoritative DNS\nOverwhelmed (Volume Never Verified)\nName Servers Stop Answering"]
    R --> S["Twitter · Netflix · GitHub\nReddit · Spotify · CNN\nAmazon · NYT — All Unreachable\nIntermittent Outages Across the Day"]

    O --> T["Global Proliferation\n12+ Mirai Variants Within Weeks\nCriminal Adoption Worldwide"]
    T --> U["Deutsche Telekom\n~900,000 Routers Disrupted\nNovember 2016 (TR-069 Port 7547)"]
    T --> V["Next-Gen IoT Botnets:\nSatori · Okiru · Reaper (Mirai-derived)\nHajime · VPNFilter (Separate Codebases)"]

    S --> W["FBI Investigation\nHandles + Infrastructure\nPayment Records Traced\n(Krebs Investigative Reporting)"]
    W --> X["Jha / White / Norman\nIdentified\nGuilty Pleas, December 2017"]
    X --> Y["Sentences (September 2018):\nProbation + Community Service\n+ Restitution\nFBI Cooperation, No Prison Time"]