The Mirai DDoS botnet: Brian Krebs claims to know who wrote it

Late last year, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

DDoS, sadly, has become a well-known word in its own right these days (in case you are wondering, it’s pronounced “dee-doss”), a short way of saying distributed denial of service.

That’s where thousands of computers, or perhaps even millions of them, gang up on an online service they don’t like and all deliberately start using it at the same time.

A DDoS is, by definition, a cyberattack, even if the network traffic it creates would be unexceptionable in everyday life, such as simply browsing to the main page on someone’s website.

Krebs’s website was DDoSed (yes, it’s a verb as well as a noun and an adjective) with more than 600 Gbit/sec of time-wasting traffic produced by a botnet, or zombie network, of computers infected with malware called Mirai.

The Mirai botnet isn’t made up of infected laptops, desktops and servers, but of a vast array of low-powered internet devices – the “things” that make up the Internet of Things (IoT) – such as home routers and webcams.

Unfortunately, when it comes to generating bogus network traffic, a $10 router or a $15 webcam is more than powerful enough to fill up the average home network connection all by itself, because there’s typically anywhere from 1 Mbit/sec to 10 Mbit/sec of upstream bandwidth available.

Even more unfortunately, many IoT devices are designed, built and delivered with scant regard for security, and are installed without much care, often with well-known default passwords unchanged, and with access left open to anyone who cares to come knocking.

Crassly put, IoT devices that cost 5% as much as your laptop tend to get 5% as much security love-and-care, or even less, although they can do 100% as much damage in a DDoS attack.

(If you think it through, the traffic generated by your laptop goes through your router anyway, so your laptop can’t fill your network connection any fuller than your router can.)

Insecure IoT devices are therefore widely abused by cybercriminals who make a living out of taking them over and charging other crooks to use them to knock people offline.

Why DDoS?

There are many reasons for mounting a DDoS attack, from knocking a competitor offline to harm their business, through extorting money not to repeat the process, to retribution and payback, which seems to be what motivated the attack on Krebs.

But who was behind the Krebs attack?

How do you trace the source of an attack that came from network devices located all around the globe?

Well, who better to try to find out than Brian Krebs himself…

…and that’s exactly what he thinks he’s done, in what he describes like this:

[E]asily the longest story I’ve ever written on [my] blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it.

We enjoyed reading it for the very reasons Krebs gives above, but also because it’s a reminder of the tough job that law enforcement faces, and of why we should congratulate cybercrime investigators when they achieve real results:

If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.

In the words of the selfsame online era, “True dat.”