One of the most common forms of cyber-attack, a Distributed Denial of Service (DDoS) attack brings down websites, services, networks, and internet services in general. According to VeriSign, over 50 million such attacks take place every year – and that number is growing.
But why would anyone bother? Well, it’s not just bored geeks on a power trip. Often, the perpetrators of DDoS attacks are politically motivated. Anonymous, for example, is notoriously keen on using the cyberattack tactic against its adversaries. However, the number of politically-motivated attacks pales in comparison to the number committed for financial gain.
DDoS and the Minecraft Entrepreneurs
One of the ways that attackers can cash in on DDoS is by charging for their ‘services’. A buyer can request a site be taken down, perhaps for revenge, and pay the attacker to do so. The most high-profile DDoS attack of recent times, the Mirai botnet, was not, however, created for revenge, for political reasons, nor out of boredom. It was for Minecraft.
There exists a small population of what you might call “Minecraft entrepreneurs” who make money by hosting servers on which players actually pay to “rent” Minecraft land. For those who are completely lost at this point: in Minecraft you have a pixelated world that begins as flat land, upon which you build your civilisation in blocks that are pretty much virtual Lego. A good world is, to avid players, worth paying for.
So, that’s a perfectly legal way to make money, and can be quite lucrative. Where it gets darker, and where Mirai comes in, is when another sub-industry emerges within it: the business of launching DDoS attacks against competitor servers, slowing them to a frustrating crawl and thus wooing users away from those servers onto your own. That is how the Mirai attack started.
The same attacker, by the way, can then offer another service, DDoS mitigation, to protect their victims (and other potential targets) from DDoS disruption, or to cure them of it… at a price. Interestingly, the Mirai attackers were in the process of setting up a legitimate business offering this service before they were caught doing the opposite.
How Does A DDoS Attack Work?
A DDoS attack works by infiltrating vulnerable systems, like a computer with no anti-virus, for example, or – in the case of Mirai – IoT devices that are not properly secured. The device is then turned into a ‘zombie’, directing untenable amounts of traffic to the target site or server. Until Mirai, a large DDoS attack usually weighed in at around 20 gigabits per second – enough to do significant damage. Wired describes Mirai as the ‘first thermonuclear bomb of the DDoS world’ – coming in at 1.1 terabits per second, leveraging the zombie power of nearly 150,000 infected devices.
What makes Mirai even more daunting is that it didn’t just target one particular site or server – it was able to target a huge range of IP addresses, enough to bring down the entire network of a large company.
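Because the traffic comes from many ‘zombie’ devices rather than one machine, a per-source rate limit on its own will not notice it. The Python example below is added here and is not part of the original article; the log format, the thresholds and the sample addresses are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Assumed values for illustration only; tune to the service being protected.
WINDOW_S = 10          # bucket size in seconds
PER_SOURCE_LIMIT = 20  # requests one source may send per window
AGGREGATE_LIMIT = 300  # total requests the service tolerates per window


def parse_line(line):
    """Parse a constructed log line: '<epoch_seconds> <source_ip> <request>'."""
    ts, src, _rest = line.split(" ", 2)
    return int(ts), src


def classify_windows(lines, window_s=WINDOW_S,
                     per_source_limit=PER_SOURCE_LIMIT,
                     aggregate_limit=AGGREGATE_LIMIT):
    """Return {window_start: verdict} for each window over the aggregate limit."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        buckets[ts - ts % window_s][src] += 1

    verdicts = {}
    for start, per_src in sorted(buckets.items()):
        total = sum(per_src.values())
        if total <= aggregate_limit:
            continue
        noisy = [ip for ip, n in per_src.items() if n > per_source_limit]
        # Would blocking only the noisy sources bring the window back under the limit?
        remaining = total - sum(per_src[ip] for ip in noisy)
        kind = "single-source" if remaining <= aggregate_limit else "distributed"
        verdicts[start] = {"kind": kind, "total": total,
                           "sources": len(per_src),
                           "over_per_source_limit": len(noisy)}
    return verdicts


def sample_log():
    """Constructed sample: normal traffic, a many-source flood, a one-source flood."""
    lines = []
    for i in range(5):      # window 0: five clients, 4 requests each
        lines += [f"{t} 192.0.2.{i + 1} GET /" for t in range(4)]
    for i in range(200):    # window 10: 200 sources, only 3 requests each
        lines += [f"{10 + t} 198.51.100.{i + 1} GET /" for t in range(3)]
    # window 20: a single source sending 600 requests
    lines += [f"{20 + n % 10} 203.0.113.7 GET /" for n in range(600)]
    return lines
```

In the constructed sample, the 200-source window overloads the service even though no single source exceeds its own limit, which is why aggregate monitoring is needed alongside per-source limits.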
Mirai’s Victim Count
First, Mirai brought down French telecoms company OVH. It then ground internet access across the entire eastern US to a halt as it targeted Dyn (a company responsible for a huge amount of the internet’s infrastructure), cutting off much access to sites such as Amazon, Netflix, Twitter and Spotify. Its next target was cybersecurity journalist Brian Krebs, whose site it knocked out for 4 days with a 623 Gbps attack that caused Akamai, the DDoS mitigation service Krebs had been using for years, to drop his site. Defending against such a massive attack, Akamai said, had become far too costly.
The attack on Krebs demands a moment’s pause. As FBI Special Agent Elliott Peterson, an investigator on the Mirai case, put it: “A journalist being silenced because someone has figured out a tool powerful enough to silence him … is worrisome.” In this age, where news media is under threat by the US President himself, the ways such an attack might be used, by any corrupt government at all, against a free press are, indeed, ‘worrisome’.
Still At Large
Between September 2016 and February 2017, over 15,194 Mirai DDoS attacks and variations thereupon took place. Even though the students behind Mirai have now been prosecuted (pleading guilty in Anchorage, Alaska this week), the threat of more Mirai and Mirai-esque attacks is still out there. This is, in part, due to the fact that one of the perpetrators posted the source code on Hack Forums, in an attempt to derail any evidence against him (after all, anyone could have posted that code). Competing DDoS groups adopted the code to create their own malicious botnets. The genie is out of the bottle, and who knows what sort of coding savant may use it as the basis for an even more powerful attack in future?
The Mirai attack was so big that investigators and journalists alike initially thought it was an attack by a nation state. The fact that it was a Minecraft money-making scheme that got out of hand makes it all the more worrying. What would have happened if these geeks had actually built the code to take down the internet outright? The Mirai attack makes it clear that this threat is more real than we might imagine.