
The Mirai botnet: how IoT devices took down half the internet's DNS

18 min read
Copyright: MIT
[Header image: the word Mirai in mono type over a black field, with the line "telnet :23, 62 default creds, 623 Gbps"]

On a Friday in October 2016, large parts of the US East Coast lost the internet. Not their power, not their cables, just the internet. Twitter would not load. Netflix spun. Reddit, Spotify, GitHub, PayPal, Airbnb all returned the same nothing. The links worked; the servers were up. What had broken sat one layer below all of that, in the part of the stack nobody thinks about until it stops answering: the Domain Name System. Specifically, the authoritative DNS run by a company called Dyn, which a swarm of hacked webcams and home routers was burying under junk queries.

The swarm had a name, Mirai, Japanese for “the future,” and it had been built by three young men who mostly wanted to win at Minecraft. That gap, between a record-setting attack on the internet’s naming layer and the motive behind it, is the whole story. This post traces it from the source. How Mirai actually spread, why a list of 62 default passwords was enough, what the Krebs and OVH attacks measured and how that compared to anything before, what really happened to Dyn on October 21, what the leaked source code on HackForums contained, who Anna-senpai turned out to be, and why a worm built by college students still shows up in record-breaking attacks a decade later. It pairs well with our history of botnets and the broader DNS amplification story; Mirai used neither amplification nor reflection, which is part of what made it notable.

August 2016: a worm made of cameras

Reports of Mirai appear as early as August 31, 2016, picked up first by the volunteer research group MalwareMustDie. The malware surfaced from a single bulletproof-hosting IP and did something old-fashioned and effective. It scanned the entire IPv4 internet looking for devices with telnet open, and when it found one, it tried to log in with factory-default passwords.

That is the entire trick. No memory-corruption exploit, no zero-day, no clever protocol abuse in the first version. Telnet is the unencrypted remote-shell protocol from 1969, long since retired from any machine with a security team. It survived in exactly one place: the firmware of cheap embedded devices, IP cameras and digital video recorders and home routers, where a vendor had shipped a hardcoded admin login and never thought about it again. A user who plugs in a security camera does not change its telnet password because the user does not know the camera has a telnet password.

The seven-month academic study of Mirai, “Understanding the Mirai Botnet,” published at USENIX Security 2017 by a group spanning Akamai, Cloudflare, Google, Georgia Tech, Michigan, and Illinois, reconstructed the propagation loop from the leaked code. A bot first entered a rapid scanning phase, sending TCP SYN probes to pseudo-random IPv4 addresses on telnet ports 23 and 2323, skipping a hardcoded blacklist of ranges. When a probe got a response, the bot moved to a brute-force login phase, trying 10 username and password pairs drawn at random from a built-in list of 62 credentials. On the first success it did not infect the device itself. It reported the working IP and credentials back to a hardcoded report server, and a separate loader program logged in afterward, fingerprinted the device’s CPU architecture, and pushed down the matching binary.

Diagram: bot scans :23 / :2323 -> reports IP + creds to the report server -> loader pushes the binary -> new victim becomes a bot.
*Mirai split scanning from infection. The bot only reported a credential hit; a central loader did the actual install, then the fresh device started scanning too.*
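The fingerprint the researchers later used to tie attacking IPs back to Mirai scanners (it comes up again in the Krebs and Dyn sections) is a quirk of the leaked scanner code: the probe's TCP sequence number is set to the destination IP address. As an added example, not code from this post or from the Mirai source, here is a small Python checker that parses raw IPv4/TCP headers and counts, per source, the bare SYNs that carry that fingerprint. The packet bytes are constructed inside the block using documentation address ranges; nothing is captured from a network.

```python
import struct
import ipaddress
from collections import Counter

TELNET_PORTS = {23, 2323}
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_syn(src, dst, dport, seq=None, sport=40000):
    """Constructed IPv4+TCP SYN header bytes (no payload, checksums left zero).

    With seq=None the sequence number is set to the destination address,
    which is the quirk of the original Mirai scanner.
    """
    src_i = int(ipaddress.IPv4Address(src))
    dst_i = int(ipaddress.IPv4Address(dst))
    if seq is None:
        seq = dst_i
    ip_hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 40, 0, 0, 64, 6, 0, src_i, dst_i)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                          (5 << 12) | TCP_SYN, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Pull out the IPv4/TCP fields the check needs; None if not IPv4 over TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:      # byte 9 is the IP protocol field
        return None
    src_i, dst_i = struct.unpack("!II", raw[12:20])
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return {
        "src": str(ipaddress.IPv4Address(src_i)),
        "dst_int": dst_i,
        "dport": dport,
        "seq": seq,
        "flags": off_flags & 0x1FF,
    }


def is_mirai_scan(pkt):
    """A bare SYN (no ACK) whose sequence number equals the destination IP."""
    if pkt is None:
        return False
    syn_only = (pkt["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_only and pkt["seq"] == pkt["dst_int"]


def summarize(packets):
    """Per-source counts of fingerprinted SYNs, split by telnet vs. other ports."""
    telnet, other = Counter(), Counter()
    for raw in packets:
        pkt = parse_packet(raw)
        if is_mirai_scan(pkt):
            bucket = telnet if pkt["dport"] in TELNET_PORTS else other
            bucket[pkt["src"]] += 1
    return telnet, other


# Constructed sample capture: one Mirai-style scanner and one ordinary client.
SAMPLE = [
    build_syn("198.51.100.7", "203.0.113.9", 23),
    build_syn("198.51.100.7", "203.0.113.10", 2323),
    build_syn("198.51.100.7", "203.0.113.11", 23),
    build_syn("192.0.2.5", "203.0.113.9", 23, seq=0x12345678),  # random ISN: a real client
    build_syn("192.0.2.5", "203.0.113.9", 80),                  # fingerprint, but not telnet
]

if __name__ == "__main__":
    telnet_hits, other_hits = summarize(SAMPLE)
    for src, n in telnet_hits.most_common():
        print(f"{src}: {n} Mirai-fingerprinted telnet probes")
    for src, n in other_hits.most_common():
        print(f"{src}: {n} fingerprinted probes to non-telnet ports")
```

A real client's randomised initial sequence number collides with its destination address with probability about 2^-32 per SYN, so false positives are negligible; the limitation runs the other way. The check only recognises the original scanner's behaviour, and a variant that randomises the sequence number walks past it, so it dates the code rather than proving a device is clean.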

That split design mattered. By keeping each bot’s job tiny, find a hit and phone it in, Mirai stayed small enough to run on a camera with a few megabytes of RAM. The cost of infection was centralised on the loader, which could fan out installs to thousands of pending victims in parallel. The result grew like a worm. The botnet hit nearly 65,000 devices in its first 20 hours and settled into a steady-state population of 200,000 to 300,000 infections, doubling every 76 minutes in the early hours.

Infection did not survive a reboot. Mirai ran from memory, deleted its downloaded binary, and renamed its own process to a random alphanumeric string to hide. Power-cycling a camera cleaned it. The problem was that a clean device with an unchanged password got reinfected within minutes, because the scanning swarm never stopped knocking. To keep a device clean you had to change the credential, and almost nobody did.
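To see why power-cycling did nothing to the botnet's size while changing the credential would have, here is a toy infection model, added here and not taken from the post or from the USENIX paper. Devices are either clean-but-still-default (S), infected (I), or fixed by a credential change (R); a reboot moves a device from I back to S, where the scanners find it again, while a credential change removes it for good. The rates are assumed values chosen so the early doubling time lands near the 76 minutes quoted above; they are not measurements of the real botnet, and the mass-action infection term is a simplification of scan pressure that in reality came from the whole global swarm.

```python
def simulate(n_devices, beta, reboot_rate, change_rate, minutes, i0=1000):
    """Deterministic SIS-style model, one step per minute.

    S: clean devices still on their default credential (scannable back in)
    I: infected devices
    R: devices whose credential was changed (never re-enter the pool)
    All rates are per device per minute and are assumed, not measured.
    """
    s, i = float(n_devices - i0), float(i0)
    history = []
    for _ in range(minutes):
        new_inf = beta * i * s / n_devices   # scans from I that land on an S device
        rebooted = reboot_rate * i           # I -> S: power cycled, credential unchanged
        fixed_s = change_rate * s            # S -> R
        fixed_i = change_rate * i            # I -> R
        s += rebooted - new_inf - fixed_s
        i += new_inf - rebooted - fixed_i
        history.append(i)
    return history


def endemic_fraction(beta, reboot_rate):
    """Closed-form equilibrium of the reboot-only model: I*/N = 1 - r/beta."""
    return max(0.0, 1.0 - reboot_rate / beta)


def doubling_time(history, i0=1000):
    """First minute at which the infected count has doubled from i0."""
    for t, i in enumerate(history, start=1):
        if i >= 2 * i0:
            return t
    return None


def compare(n_devices=300_000, minutes=3 * 24 * 60):
    """Three scenarios over three days with the same scan rate beta."""
    beta, reboot = 0.012, 0.003   # beta - reboot is close to ln2/76, the early doubling rate
    runs = {
        "reboot_only":   simulate(n_devices, beta, reboot, 0.0, minutes),
        "reboot_double": simulate(n_devices, beta, 2 * reboot, 0.0, minutes),
        "creds_changed": simulate(n_devices, beta, reboot, 0.002, minutes),
    }
    return {
        name: {"final_fraction": hist[-1] / n_devices,
               "doubling_minutes": doubling_time(hist)}
        for name, hist in runs.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['final_fraction']:.3f} of devices infected after 3 days, "
              f"doubling time {r['doubling_minutes']} min")
```

The reboot-only run settles at an infected fraction of 1 - r/beta (0.75 with these numbers); doubling the reboot rate only lowers that to 0.5, because every reboot hands a device straight back to the pool the scanners keep hitting. The credential-change run goes to zero, since the vulnerable pool S + I shrinks by a factor e^(-ct) regardless of what the scanners do.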

The 62 passwords

The credential list is the part everyone remembers, and for good reason. BASHLITE, the family Mirai grew out of, brute-forced devices with six generic usernames and 14 generic passwords. Mirai shipped 62 username and password pairs that mostly absorbed that older set and added entries tuned to specific consumer hardware. A few were the obvious ones: root/root, admin/admin, admin/password, root/123456. Others were device-specific factory defaults that meant nothing unless you knew the hardware, which is exactly why they worked. root/xc3511 and root/vizxv keyed into camera and DVR boards from particular Chinese white-label manufacturers whose firmware was rebranded and resold under dozens of names.

That last detail is the reason Mirai’s device population looked the way it did. The bots clustered hard into a few geographic regions, with Brazil, Colombia, and Vietnam alone accounting for 41.5 percent of infections, and into a handful of device models. Mirai did not infect “the internet of things” evenly. It infected whatever a small number of component vendors had shipped with the same baked-in login, which then surfaced under many brand names in the markets where those components sold cheapest. The devices were network-attached storage boxes, home routers, cameras, DVRs, printers, and TV receivers, but the underlying boards came from a short list of suppliers.

Mirai C2 attack commands, Sep 2016 - Feb 2017 (count)

  HTTP flood   2,736
  UDP-PLAIN    2,542
  UDP flood    2,440
  ACK flood    2,173
  SYN flood    1,935
  GRE-IP         994
  ACK-STOMP      830
  VSE            809
  DNS            417
  GRE-ETH        318

*The ten attack types in Mirai's command set, by how often each was issued. Counts from the USENIX measurement of 15,194 commands. Amplification was built in but barely used; only 2.8 percent of commands relied on it.*

Two design choices in that first version say a lot about the author’s intent. Mirai actively killed competition. On infection it terminated any process bound to telnet or SSH and hunted down rival malware in memory, including older Mirai variants, the .anime worm, and Qbot, so it would not have to share the device’s tiny resources. And it shipped a blacklist of IP ranges it would never scan. The original blacklist covered roughly 340 million addresses and explicitly avoided General Electric, Hewlett-Packard, the US Postal Service, the Department of Defense, and the usual private and internal ranges. The DoD exclusion is the telling one. It was not about firepower. It was about not poking the one organisation most likely to come looking.

The attacks: Krebs, then OVH

The first attack that made people outside security pay attention landed on September 20 and peaked the next day. The target was Brian Krebs, an investigative journalist whose blog, KrebsOnSecurity, had spent years reporting on the booter-and-stresser economy, the DDoS-for-hire shops that sell attacks by the minute. The site had been hit 269 times in the four years to September 2016. The Mirai attack on September 21 measured 623 Gbps, about 35 times larger than the average prior attack on the site and the largest it had ever seen.

That number deserves context. The previous widely cited record for a publicly disclosed target was the 2013 Spamhaus attack at roughly 300 Gbps, an event that news outlets at the time described as nearly breaking the internet. Mirai doubled it from a swarm of webcams. The forensics were unambiguous: of 12,847 attacking IPs that Akamai logged, 96.4 percent overlapped with the IPs the researchers’ network telescope had seen scanning with Mirai’s fingerprint. Akamai had been protecting Krebs pro bono. The attack was large enough and sustained enough that the cost of absorbing it became untenable, and Krebs was dropped; Google’s Project Shield picked the site up afterward. A single annoyed botnet operator had knocked a journalist offline by making free DDoS protection too expensive to give away. If you want the mechanics of why volumetric floods are so hard to absorb at the edge, our piece on how CDNs absorb volumetric DDoS covers the scrubbing-and-anycast side.

Days later the same botnet hit the French hosting provider OVH and went past a terabit per second, the first publicly reported attack to cross that line. OVH’s founder put the peak in the region of 1 Tbps and above, sourced from on the order of 145,000 cameras and DVRs. Two record-breaking attacks inside two weeks, both from the same swarm, both volumetric floods of raw packets rather than the amplification tricks that dominated the era. Mirai did have amplification support compiled in, but its operators barely used it. Only 2.8 percent of the 15,194 attack commands the researchers logged relied on bandwidth amplification. The botnet was big enough that it did not need the multiplier.

September 30, 2016: Anna-senpai drops the source

Three weeks after Krebs, on September 30, a user calling themselves Anna-senpai posted the complete Mirai source code to HackForums, the same kind of forum where booter services advertise. The post opened with a line that has been quoted in every retelling since: “When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO.” The poster claimed to usually pull a maximum of around 380,000 bots from telnet alone, dropping to about 300,000 after the Krebs attack drew attention and ISPs began cleaning up.

Releasing source code is a classic move when you think the law is closing in. Once the code is public, a prosecutor can no longer point at a binary and say only you could have built this. The plausible-deniability theory turned out to be exactly right, but the immediate effect was worse than the original botnet. The leaked repository was complete and well-organised. It contained the bot itself written in C, the command-and-control server written in Go, the loader, the report listener, and an attack directory implementing ten distinct DDoS methods covering volumetric, TCP state-exhaustion, and application-layer floods. Anyone who could follow a build script could now run their own Mirai.

Timeline:
Aug 31: Mirai surfaces
Sep 21: Krebs attack, 623 Gbps
Sep 30: source leak
Oct 21: Dyn
Nov 26: Deutsche Telekom
Jan 18: author identified
*The compressed timeline. Six months from a worm surfacing to its author being publicly named, with three record-class attacks in between.*

Within weeks, dozens of variants appeared. Operators swapped the credential list, bolted on real exploits where brute force had been the only vector, changed the C2 protocol, and competed for the same pool of vulnerable devices. One branch added a router exploit through CWMP, the TR-069 customer-premises management protocol that runs over port 7547. In late November 2016 a variant trying to spread through that exploit knocked roughly 900,000 Deutsche Telekom routers offline, not because it infected them but because the buggy exploit attempt crashed the devices outright. The researchers also tracked variants that evolved away from the original blacklist, with at least one notable lineage removing the Department of Defense blocks so it could scan them too, and others adding domain-generation algorithms for C2 resilience.

October 21, 2016: Dyn, and the PlayStation theory

The Dyn attack is the one that put Mirai in newspapers, and it is the one most people get slightly wrong. Dyn ran managed authoritative DNS for a long list of major sites. Take down Dyn’s name servers and you do not take down Twitter or Netflix directly; you make them unresolvable, which from a user’s chair is the same thing. On October 21 a series of attacks disrupted Dyn’s resolution from 11:07 to 16:55 UTC, then again later in the day. Sites that depended on Dyn, Amazon, GitHub, Netflix, PayPal, Reddit, Twitter, and many others, went dark in waves across the US and Europe.
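The mechanics of "the servers are up but nobody can find them" are easy to lose in the narrative, so here is a small resolver model, added as an example and not code from this post or from Dyn. A recursive resolver keeps answers in a cache until their TTL runs out and only then goes back to the authoritative provider; when that provider stops answering, names keep resolving until their cached answers expire, and the outage lands name by name rather than all at once. The zone, names, TTLs and addresses are constructed for the example, and the second provider at the end models the multi-provider DNS setups that sites adopted after this kind of single-provider failure.

```python
from dataclasses import dataclass, field

SERVFAIL = None  # "no answer": the name server is unreachable, not the website


@dataclass
class Authoritative:
    """A managed DNS provider holding a zone. `up=False` models it being flooded."""
    name: str
    zone: dict            # qname -> (address, ttl_seconds)
    up: bool = True

    def query(self, qname):
        if not self.up:
            return SERVFAIL
        return self.zone.get(qname)


@dataclass
class Resolver:
    """A recursive resolver with a TTL-bounded cache, trying providers in order."""
    providers: list
    cache: dict = field(default_factory=dict)   # qname -> (address, expires_at)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0]                         # still valid: no upstream query needed
        for auth in self.providers:
            answer = auth.query(qname)
            if answer is not None:
                address, ttl = answer
                self.cache[qname] = (address, now + ttl)
                return address
        return SERVFAIL                           # every provider silent, cache expired


def run_scenario():
    """Constructed zone: two names, one with a 300 s TTL and one with 60 s."""
    zone = {"social.example": ("192.0.2.10", 300),
            "video.example": ("192.0.2.20", 60)}
    primary = Authoritative("primary", zone)
    single = Resolver([primary])

    # t=0: users have already visited both sites, so both answers are cached
    single.resolve("social.example", now=0)
    single.resolve("video.example", now=0)

    primary.up = False                      # the flood starts; the web servers stay up
    out = {
        "social_t120": single.resolve("social.example", 120),  # cached: still resolves
        "video_t120": single.resolve("video.example", 120),    # 60 s TTL expired: dark
        "social_t400": single.resolve("social.example", 400),  # 300 s TTL expired: dark
    }

    # Mitigation: the same zone also served by an independent second provider
    secondary = Authoritative("secondary", dict(zone))
    multi = Resolver([primary, secondary])
    out["social_multi_t400"] = multi.resolve("social.example", 400)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {'SERVFAIL' if value is None else value}")
```

The model is binary (a provider either answers or does not), whereas a flooded provider degrades unevenly and real resolvers retry and cache failures too, but the two levers it exposes are the real ones: the TTL decides how long a site survives its DNS provider going silent, and a second authoritative provider decides whether it survives at all.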

The traffic was SYN floods aimed at DNS port 53, with some ACK and GRE-IP attacks mixed in, the first volley short and the later ones sustained for one and five hours. The researchers logged 23 attack commands targeting Dyn infrastructure and found a 71 percent overlap between the roughly 107,000 IPs that hit Dyn and Mirai-fingerprinted scanners on their telescope. Mirai was clearly central. The imperfect overlap hints that other hosts joined in, which is unsurprising once the source was public and many operators ran their own swarms.

Here is the part that reframes the whole event. Later attack commands that day did not target Dyn alone. They simultaneously targeted Dyn and PlayStation infrastructure, and the specific Dyn IPs under fire resolved PlayStation Network’s name servers. The same campaign interleaved hits on Xbox Live, Microsoft’s DNS, PlayStation, and Nuclear Fallout game-hosting servers, with the non-Dyn floods looking like Valve Steam attacks. The final command of the day was a ten-hour flood against a set of Dyn and PlayStation infrastructure. Read together, the most likely reading of October 21 is not a deliberate strike on the internet’s plumbing. It is someone trying to take down PlayStation Network and game servers, who happened to route through the DNS provider that PSN shared with half the consumer internet. The collateral was the headline.

That motive fits everything else about Mirai’s operators, which the criminal case would soon make explicit.

The authors: Minecraft, a protection racket, and the FBI

The people behind Mirai were three young men. Paras Jha of Fanwood, New Jersey; Josiah White of Washington, Pennsylvania; and Dalton Norman of Metairie, Louisiana, all in their late teens and early twenties. On December 8, 2017, Jha and White each pleaded guilty in the District of Alaska to conspiracy to violate the Computer Fraud and Abuse Act, specifically causing intentional damage to protected computers; Norman pleaded guilty to related charges. Court filings split the labour cleanly. White built the telnet scanner and the loader, Jha wrote the core C2 and the bot’s remote-control features, and Norman developed new exploits.

The motive was money, and the money was Minecraft. A popular Minecraft server can clear real revenue from a few thousand simultaneous players, and the way you hurt a competing server, or extort it, is to knock it offline at peak. Jha and White ran a company called ProTraf Solutions that sold DDoS mitigation, while also running the botnet that made the mitigation necessary. A protection racket with a Stripe integration. The Dyn-PlayStation pattern, the heavy targeting of Steam, Minecraft, and RuneScape servers, the booter-style command set, all of it points at gaming economics rather than ideology or espionage.

Jha left a longer trail. While enrolled at Rutgers, he repeatedly DDoSed the university’s own network under handles including exfocus, timing attacks to course-registration windows, and at one point publicly needling administrators to go buy DDoS protection, the same service his company sold. The lead FBI investigator, agent Elliott Peterson, established Alaska jurisdiction in part because Mirai had infected DVRs there. The case is unusual for how it ended. In September 2018 the three were each sentenced to five years of probation, 2,500 hours of community service, and $127,000 in restitution, no prison time, after the government described their cooperation as extraordinary. They had spent the better part of a year working with the FBI on other investigations, including helping to blunt attacks during the pre-holiday period and assisting with cases against other botnet operators. The people who built the most disruptive botnet of the decade became, in effect, consultants for the bureau that caught them.

There is a clean line from this case to other corners of the abuse economy. The booter model Mirai’s authors worked within is the same one our note on the economics of a scraping operation touches from the other side: cheap compute plus someone else’s resources, sold by the unit.

2017 to 2026: why Mirai never died

A botnet whose authors were arrested in early 2017 should be a closed chapter. Mirai is the opposite. Because the source went public in September 2016, Mirai stopped being a single botnet and became a template. Nine years on it is still the most common starting point for IoT DDoS malware, and the variants have only gotten more capable than the original.

The reason is structural. The original Mirai brute-forced 62 default passwords. Modern descendants keep the C2 architecture and the attack code but bolt on a rotating set of real CVEs against specific device models, which is a far better key than a password guess. The Aquabot line, tracked through 2025, exploits a 2024 command-injection flaw in Mitel office phones (CVE-2024-41710) to recruit them, and one Aquabot build added a function that reports back to its C2 whenever the infected device tries to kill the malware, an inversion of the detection game. Other 2025 activity recruited internet-exposed DVRs through CVE-2024-3721. Researchers tracking the family in 2025 counted well over a hundred distinct Mirai variant branches and a sharp rise in associated C2 infrastructure. The booters that rent these botnets now advertise openly on Telegram under rotating brand names.

The scale has moved too. The 623 Gbps that made Krebs a record in 2016 is now unremarkable. Cloudflare reported that attacks exceeding 1 Tbps jumped sharply through late 2024, and in early 2025 it mitigated a Mirai-variant attack measured at 5.6 Tbps, sourced from around 13,000 devices and lasting roughly 80 seconds. That ratio is the thing to sit with. Roughly the same device count Mirai used against OVH in 2016 now pushes several times the bandwidth, because the cameras and routers and the home connections they sit behind got fatter pipes while keeping the same bad passwords. The defensive side, anycast dispersion and scrubbing capacity at the major providers, has scaled to match, which is the only reason a 5.6 Tbps flood is a blog post rather than another internet outage. The rate-limiting and edge-absorption techniques that grew up partly in response to Mirai are now the load-bearing layer.

What did not scale is the fix at the source. The 2017 USENIX paper’s recommendations, vendors shipping unique per-device credentials, automatic updates, end-of-life support, were correct and have been only partly adopted. Some jurisdictions banned default passwords on consumer IoT outright, the UK’s PSTI regime among them. But the installed base from before those rules, and the long tail of vendors who ignore them, is enormous and reboots clean and reinfects in minutes, exactly as it did in 2016.

What Mirai actually proved

The lasting lesson of Mirai is not that IoT devices are insecure. Everyone already suspected that. It is that the bar to a record-setting attack on core internet infrastructure turned out to be embarrassingly low. No zero-day, no nation-state budget, no novel cryptography. A list of 62 passwords, a stateless scanner, and three students who were mostly annoyed about Minecraft. The same crude technique that built the original botnet still works today because the economic incentive to ship a secure $30 camera has never existed for the people manufacturing $30 cameras, and the cost of their negligence lands on whoever happens to share a DNS provider with Sony.

The DoD blacklist is the detail I keep returning to. Whoever wrote Mirai understood exactly which targets carried legal consequences and routed around them with a hardcoded list, then went ahead and knocked a journalist, a hosting giant, and a chunk of the consumer internet offline anyway. They had a precise mental model of the line they should not cross and a careless one of everything on the safe side of it. That asymmetry, real caution about getting caught paired with total indifference to collateral, is what made a college side-project capable of taking out half the internet’s DNS for an afternoon. The devices have not changed. The pipes got bigger.

