In the fall of 2016, as the race for the U.S. presidency was entering its final stages, cybersecurity researchers began to grow alarmed at the presence of a powerful new botnet on the internet.
The scale of its attacks were unprecedented. In two separate attacks, it easily overwhelmed a French internet service provider and a critical domain name server. Named Mirai, it had infectedhundreds of thousands of so-called “Internet of Things” devices like security cameras and wireless routers and used them to take down these and other servers on the internet. One leading expert thought a nation-state may have been its creator.
Instead, Mirai was the work of three friends in their early 20s looking to gain an advantage in the surprisingly lucrative and cutthroat business of running servers that hostMinecraft games, in which players build and explore a world of blocky 3D pixels.
Paras Jha, Josiah White, and Dalton Norman pleaded guilty on December 8 in federal court to writing the code that powered the massive botnet, according to documents unsealed yesterday. Jha has also pleaded guilty to another series of distributed denial of service (DDoS) attacks against Rutgers University servers, where he was a student.
At their peak, Mirai attacks set records. To put it in perspective, just months before Mirai launched, researchers had grown concerned with another botnet that could direct 50 gigabits per second of malicious traffic at its targets. Mirai blew past that, delivering over 1.1 terabits per second.
DDoS attacks were first performed in 2000, and since then, they’ve become commonplace. Entire companies exist to deflect such attacks, and many are adept at coping with extremely large threats. But Mirai was unprecedented. Here’s Garrett M. Graff, reporting for Wired:
Normally, companies fight a DDoS attack by filtering incoming web traffic or increasing their bandwidth, but at the scale Mirai operated, nearly all traditional DDoS mitigation techniques collapsed, in part because the tidal wave of nefarious traffic would crash so many sites and servers en route to its main target. “DDOS at a certain scale poses an existential threat to the internet,” [FBI special agent Elliot] Peterson says. “Mirai was the first botnet I’ve seen that hit that existential level.”
Jha and his conspirators had apparently built Mirai to bring down competitors’ Minecraft servers, hoping either to entice people to use their own server or to subscribe to the DDoS mitigation service that Jha had started. Later, the team used their botnet to run a click-fraud scam, where compromised devices would pretend to be humans clicking on internet ads.
While Jha, White, and Norman are no longer running the botnet, they did release its source code in September 2016. Other hackers have picked up the thread, tweaking the code for their own purposes. Mirai lives on.