Anatomy of a Breach: Dyn and the Mirai Botnet — When IoT Devices Took Down Half the Internet

> series: anatomy_of_a_breach —— part: 094 —— weapon: mirai_botnet —— devices: 100,000_iot —— casualties: twitter_netflix_reddit_spotify

Hedgehog Security 31 October 2016 14 min read

100,000 webcams and baby monitors. They took down Twitter, Netflix, and Reddit.

On 21 October 2016, three waves of DDoS attacks struck Dyn, a managed DNS provider whose infrastructure resolved domain names for hundreds of major websites. The attacks, peaking at over 1.2 Tbps (terabits per second) — four times the record-setting Spamhaus attack of 2013 — overwhelmed Dyn's DNS servers and caused widespread service disruptions across the eastern United States and Europe. Twitter, Netflix, Reddit, Spotify, GitHub, PayPal, Amazon, the BBC, and dozens of other major services were inaccessible for hours.

The weapon was the Mirai botnet — a network of approximately 100,000 compromised Internet of Things (IoT) devices, primarily IP cameras, digital video recorders (DVRs), and home routers manufactured by companies like Dahua and XiongMai. Mirai spread by scanning the internet for IoT devices with default factory credentials — trying a list of just 62 common username-password combinations (admin/admin, root/root, etc.). The devices, which had never had their default passwords changed by their owners, were enrolled into the botnet and used to generate the traffic that took down half the internet.


62 username-password combinations. 100,000 compromised devices.

Mirai's infection mechanism was devastatingly simple: it scanned the internet for devices with open Telnet ports and attempted to log in using a hard-coded list of 62 factory-default credentials. Devices that accepted these credentials were immediately compromised and recruited into the botnet. The list included entries like admin/admin, root/root, root/12345, admin/password — the same default credentials that have appeared in this series since the News of the World voicemail PINs (2011).
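The scanning behaviour described above leaves a recognisable trace on the victim side: one source address trying a handful of factory usernames against Telnet on several devices within seconds, sometimes followed by a successful login. The detector below is an added example (not code from the article or from Hedgehog Security) that flags that pattern in device auth logs. The log line format, the device names and the source addresses are constructed for the example; the only default usernames it treats as "factory" are the ones the article quotes (root and admin), and it deliberately never looks at passwords, which a device should not be logging anyway.

```python
"""Flag Mirai-style Telnet login sprays in device auth logs.

Added example, not part of the original article. The log format is
constructed to resemble a Linux/BusyBox `login` syslog line; adapt FAILED_RE
and SUCCESS_RE to whatever your cameras, DVRs and routers actually emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the default-credential pairs quoted in the article
# (admin/admin, root/root, root/12345, admin/password). Only usernames are
# matched: the detector never needs the password that was tried.
DEFAULT_USERNAMES = {"root", "admin"}

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login\[\d+\]: FAILED LOGIN FROM (?P<src>[\d.]+) FOR (?P<user>\S+)"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>[\d.]+)"
)

# Constructed sample: one source sprays root/admin across two devices and gets
# in on the DVR; a second source is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2016-10-21T11:10:01+00:00 cam-01 login[212]: FAILED LOGIN FROM 198.51.100.7 FOR root
2016-10-21T11:10:03+00:00 cam-01 login[213]: FAILED LOGIN FROM 198.51.100.7 FOR admin
2016-10-21T11:10:04+00:00 dvr-02 login[88]: FAILED LOGIN FROM 198.51.100.7 FOR root
2016-10-21T11:10:06+00:00 dvr-02 login[89]: FAILED LOGIN FROM 198.51.100.7 FOR admin
2016-10-21T11:10:09+00:00 dvr-02 login[90]: LOGIN ON pts/0 BY admin FROM 198.51.100.7
2016-10-21T11:12:00+00:00 cam-01 login[300]: FAILED LOGIN FROM 203.0.113.5 FOR alice
2016-10-21T11:12:30+00:00 cam-01 login[301]: LOGIN ON pts/1 BY alice FROM 203.0.113.5
"""


def parse_line(line):
    """Return (ts, device, src, user, ok) or None for lines the regexes don't match."""
    for rx, ok in ((FAILED_RE, False), (SUCCESS_RE, True)):
        m = rx.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            return ts, m["device"], m["src"], m["user"], ok
    return None


def detect_spray(lines, window=timedelta(seconds=60), min_failures=4):
    """Map source IP -> alert for sources spraying default usernames.

    An alert fires when one source produces at least `min_failures` failed
    logins inside `window` using only default usernames. Any later successful
    login from that source is reported as a probable enrolment into a botnet.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_src = defaultdict(list)
    for ts, device, src, user, ok in sorted(events):
        by_src[src].append((ts, device, user, ok))

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e[3]]
        # Sliding window anchored at each failure in turn.
        for i, (t0, _, _, _) in enumerate(failures):
            burst = [e for e in failures[i:] if e[0] - t0 <= window]
            if len(burst) >= min_failures and {e[2] for e in burst} <= DEFAULT_USERNAMES:
                alerts[src] = {
                    "attempts": len(burst),
                    "devices": sorted({e[1] for e in burst}),
                    "compromised": sorted({e[1] for e in evs if e[3] and e[0] >= t0}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

Run against the sample, the spraying source is reported with four attempts across cam-01 and dvr-02 and a successful login on dvr-02; the single mistyped password from the second source is ignored. In a real deployment the thresholds matter less than making sure Telnet logins on IoT devices are logged centrally at all, and that the segment these devices sit in is separated from the rest of the network.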

IoT Devices as Weapons

Mirai demonstrated that insecure IoT devices — webcams, baby monitors, home routers — can be weaponised into DDoS tools powerful enough to disrupt the internet's core infrastructure. For organisations deploying IoT devices, changing default credentials is a baseline requirement that <a href="/cyber-essentials">Cyber Essentials</a> mandates.

DNS as a Single Point of Failure

The attack targeted DNS — the system that translates domain names into IP addresses. By overwhelming a single DNS provider, the attackers disrupted hundreds of services simultaneously. DNS resilience — including multi-provider DNS and DNS failover — is a critical infrastructure concern. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses DNS architecture and resilience.

1.2 Tbps — A New Record

The Mirai-powered attack against Dyn peaked at over 1.2 Tbps — quadrupling the previous DDoS record. This scale was achieved not through compromised servers but through IoT devices with minimal bandwidth individually and enormous aggregate capacity. For UK organisations, DDoS resilience planning must account for attacks measured in terabits.

62 Default Passwords — That Was Enough

Mirai needed only 62 username-password combinations to compromise 100,000 devices. The <a href="/blog/anatomy-of-a-breach-news-of-the-world">News of the World</a> breach showed what default PINs enable; Mirai showed it at internet scale. <a href="/cyber-essentials">Cyber Essentials</a> mandates that default credentials are changed — a control that would have prevented every Mirai infection.

IoT security and DDoS resilience are now existential.

The Mirai attack established that IoT device security is not just a consumer concern — it is an internet infrastructure concern. Insecure devices in homes and businesses become the weapons that take down services worldwide. For organisations, the defence is twofold: secure your own IoT devices (change defaults, segment IoT networks, monitor IoT traffic), and ensure your services are resilient to DDoS (multi-provider DNS, CDN-based mitigation, incident response planning).
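The "DNS as a Single Point of Failure" section above and the multi-provider DNS recommendation here both come down to one question: if one DNS operator goes dark, does anyone left answer for your zone? The check below is an added example (not code from the article or from Hedgehog Security) that takes a zone's NS records, groups them by operator, and reports whether the delegation survives the loss of one provider. The NS hostnames are constructed; the grouping rule (the last two labels of the nameserver hostname identify the operator) is an assumption that is good enough for most commercial providers but does not handle public suffixes such as co.uk.

```python
"""Assess a zone's NS delegation for single-provider risk.

Added example, not part of the original article. Feed it the nameserver list
you get from `dig NS <zone> +short` (or from your zone file); nothing here
touches the network.
"""
from collections import defaultdict

# Constructed delegations. Before: every nameserver belongs to one operator.
# After: a second operator has been added (multi-provider DNS).
SINGLE_PROVIDER_NS = [
    "ns1.dns-provider-a.example.",
    "ns2.dns-provider-a.example.",
    "ns3.dns-provider-a.example.",
]
DUAL_PROVIDER_NS = SINGLE_PROVIDER_NS + [
    "ns1.dns-provider-b.example.",
    "ns2.dns-provider-b.example.",
]


def provider_of(ns_host):
    """Identify the operator of a nameserver by the last two labels of its
    hostname. Assumption for this example; a public-suffix list would be
    needed to handle names like ns1.provider.co.uk correctly."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_delegation(ns_records, min_providers=2):
    """Group NS records by operator and flag a delegation that depends on a
    single provider. Returns a plain dict so it can be logged or fed into a
    ticketing system."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[provider_of(ns)].append(ns.rstrip(".").lower())
    providers = dict(sorted(groups.items()))
    return {
        "providers": providers,
        "provider_count": len(providers),
        "single_point_of_failure": len(providers) < min_providers,
    }


def survives_outage(ns_records, down_providers):
    """True if at least one nameserver is served by an operator that is not in
    `down_providers`, i.e. resolvers still have someone to ask."""
    down = {p.lower() for p in down_providers}
    return any(provider_of(ns) not in down for ns in ns_records)


if __name__ == "__main__":
    for label, ns in (("before", SINGLE_PROVIDER_NS), ("after", DUAL_PROVIDER_NS)):
        report = assess_delegation(ns)
        print(label, report)
        print("  survives loss of dns-provider-a.example:",
              survives_outage(ns, ["dns-provider-a.example"]))
```

The first delegation is reported as a single point of failure and does not survive its one operator going down; the second does. A second provider only helps if both sets of nameservers actually serve the same zone data, so pair this check with a periodic comparison of the SOA serial and key records returned by each operator.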

Cyber Essentials mandates default credential change and device security. Our infrastructure testing assesses IoT device security and DDoS resilience. SOC in a Box monitors for IoT compromise indicators and DDoS attack precursors. And UK Cyber Defence provides incident response during active DDoS events and IoT compromise investigations.


100,000 webcams took down Twitter and Netflix. How many IoT devices are on your network with default passwords?

<a href="/cyber-essentials">Cyber Essentials</a> mandates default password changes. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses IoT security and DDoS resilience. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for IoT compromise.
