Deutsche Telekom outages – Impact of Mirai variant


Mirai serves as the basis of an ongoing DDoS-for-hire 'booter'/'stresser' service which allows attackers to launch DDoS attacks

Mirai serves as the basis of an ongoing DDoS-for-hire ‘booter’/’stresser’ service which allows attackers to launch DDoS attack

Anyone who has ever read anything on cyber security would know that this isn’t the first time that Mirai DDoS botnet has caused damage to an organization. Plenty of news outlets all over the internet have consistently tracked down stories in which Mirai DDoS botnet attacks have affected numerous companies and online business along with key internet infrastructures.

Therefore, it should be no surprise that Mirai and all its related DDoS attacks are back in the thick of things as far as headlines are concerned.

Just a few days ago, Mirai caused a significant amount of trouble for a telecom company in Germany by the name of Deutsche Telekom. According to reports published in the media, this Mirai DDoS botnet attack affected around 1 in every 20 users who had subscribed to Deutsche Telekom.

Imagine the actual number of affected because of the Mirai DDoS attack if we assume that Deutsche Telekom had, say, 100,000 users. That would mean around 50,000 users were affected by Mirai DDoS botnet.

But guess what, that isn’t even half the story. Let’s dig into it a little more.

In order to really understand what a Mirai DDoS attack is and what it does and how it affects its victims, we need to first understand a few terms that are relevant to the topic at hand. Think of it as the minimum amount of terminology that you need to know in order to follow news that is related to Mirai and related DDoS attacks.

A DDoS attack stands for Distributed Denial of Service Attack. In a DDoS attack, hackers along with other cybercriminals usually manage to control thousands of devices, which are connected to the internet, and then use those devices to send superfluous and rather useless internet traffic to the victim’s server.

And what happens when thousands of machines send artificial requests to a victim’s servers? Well, it bogs the server down to a halt.

What’s A Botnet Then?

Another term you need to know in order to understand Mirari based DDoS attacks is a botnet. A botnet is, as the term might already indicate, is a network that is made up of robots.

By robots, we don’t mean those robots in Hollywood movies that go by the name of Terminators and what not. A robot network, here, simply means a vast collection of devices that are connected to the internet and are infected with a malware or a virus.

So what kind of devices are we talking about here?

We’re talking about any and every device that is connected to the internet. You may think of these devices such as a laptop, important servers, smartphones, internet sources, HD webcams and any other device that can connect to the internet and can run programs on it.

When a device can connect to the internet and has the ability to run programs on it, then that usually translates to the fact that it can send data across a given network.

That network in the case of a Mirai DDoS attack is the internet.

During a DDoS attack, each robot in the given network tries to connect to the specified server which is being controlled and managed by either a hacker or another cyber criminal. The robot carries out this action because it wants to fetch further instructions on what to do in order to disrupt the network.

The robot network tries to contact the HQ being controlled by cyber criminals every few minutes, but more so often every few seconds.

As far as the instructions go, they can vary from sending spam messages and other types of spam media content to a given list of addresses or maybe take pictures of an environment through the use of a webcam installed on the victim’s machine. The robot can also upload information to the server that is being controlled by the cybercriminal.

Moreover, the robot network can also be instructed to blast the infected entity’s website that with traffic that is usually called as denial-of-service internet traffic.

Internet Of Things And Zombies

No, we’re not talking about any movies here (yet). What we’re talking about is another type of bot or bots that are termed as zombies in the industry. These type of bots are recent phenomena in the industry.

Mirai - an IOT DDoS botnet analysis

Mirai – an IOT DDoS botnet analysis


They are called zombies for a lot of reasons but we won’t discuss them here. What we will discuss here is what they do.

Zombies, a type of bots, are able to run on your regular computer machines. These computer machines, until very recently, only included the likes of a desktop computer or a laptop that was present in your office or home.

The latest Mirai botnets are much more resourceful. Mirai botnet is also able to run and hence infect, on Internet of Things (IoT) devices. These are relatively new devices in the sense that before they weren’t programmed to connect to the internet and hence get infected by hackers and other cyber criminals.

Some of the most common Internet of Things devices include,

  • Modern printers
  • Webcams
  • Internet routers of all sorts

Not a list you imagined right?

Traditionally devices such as printers, webcams and routers aren’t thought of devices that could allow cyber criminals access to sensitive information. But that thinking must change because this is the 21st century and hackers along with other cyber criminals have learned neat new tricks to infect devices and cause havoc on a much larger scale than before.

Until now cybercriminals didn’t specifically target devices such as IoT devices but now they are actively using these seemingly dormant devices to attack and then hurt people in a variety of ways.

Besides, cyber criminals can reap huge benefits from infecting Internet of Things devices for the purposes of launching massive DDoS attacks on key internet infrastructure especially when not many security companies and organization are paying appropriate attention to this aspect of security.

DDoS attacks purported from IoT devices work really well, for cyber criminals that is, and there are lots of reasons for that. Some of those reasons are,

  • Most Internet of Things devices are not secured properly. Devices that are being hooked up to the internet and are being labeled as IoT devices are relatively new to the market and hence security agencies are mostly at a loss on how to secure these new devices. These devices usually ship straight to the customer from the manufacturer of the device. Most of these shipped IoT devices are full of security holes and hence cyber criminals can easily infect these IoT devices with minimal of effort.
  • Devices that are now labeled as IoT (Internet of Things) devices have become potent enough to basically disrupt a given home network connection by flooding it with outbound links. These, in turn, flood the home network connection with network traffic that only consumes resources and does little to no work, in other words, the network traffic is redundant for all practical purposes.
    It doesn’t really matter if these IoT devices don’t even possess half the power of an average laptop. Hackers and other cybercriminals know full well on how to leverage the slightest bit of computing power in their favor and infect any given network connection.
  • Since most IoT devices are configured to connect to the internet automatically, it makes it, even more, easier for hackers and other cybercriminals to infect a given network connection.
    Most IoT devices connect to the local Wi-Fi connection right out of the box. In order to achieve that, each of these devices has to ship with a default configuration setting. Hackers along with other cybercriminals know this fact too and consequently, IoT devices become inherently insecure. If someone doesn’t change these default configuration settings for each and every IoT device that is connected to a given network then the hacker can make use of this security hole and infect the network connection without much effort.

How is Mirai Different From The Rest?

Mirai DDoS attacks are a different beast altogether. In other words, they have changed the rules of the game as far as cyber criminals and security agencies are concerned.

By now you should already know that Mirai can use IoT devices and turn them into a type of zombie bot in order to launch zombie bot attacks. What you may not know is that it can not only utilize existing desktop machines and laptops but can also call upon a new feature that can further increase the damage caused by the Mirai DDoS attack.

This new feature is known as “go out looking for new zombies” feature. Not the most conventional of names but again, we’re not talking about an average cyber threat either.

What’s more, you might have also heard about another cyber attack that was carried out against a well-known cybersecurity journalist by the name of Brian Krebs. The cyber attack gained significant media attention for the obvious reason that it was carried out against a known personality in the industry.

The interesting aspect of the story was that the source code that ran the Mirai malware was made public by related authorities so that anyone with enough knowledge and experience, and time too, could try it out himself/herself and run a botnet of his/her own.

People who run these type of Mirai malware botnets are known as bot herders and botmasters.

To put it in simpler terms, the Mirai malware attack has now become advanced enough that it now has two parts.

Mirai serves as the basis of an ongoing DDoS-for-hire 'booter'/'stresser' service which allows attackers to launch DDoS attacks.

Mirai serves as the basis of an ongoing DDoS-for-hire ‘booter’/’stresser’ service which allows attackers to launch DDoS attacks.


One part is the ‘attack now’ part where the Mirai malware bots are pre-configured to focus and send traffic, sucked from an infected IoT or traditional device, to a victim’s server which is rendered defenseless for the reasons mentioned above.

After that, the second part comes into play. This is the pat where the Mirai malware makes use of new advanced features which make it even more potent against key internet infrastructure. The second pat is the “go looking” part. It instructs the malware to basically spread out from the point of attack and direct traffic in the outward direction.

That is, traffic is sent from the infected device out into the open in order to hunt down other IoT devices, which as mentioned before as inherently insecure and defenseless because of lack of attention on part of cybersecurity firms and organizations, that may be present nearby.

You can already guess how does that single action increase the effectiveness of any given Mirai malware attack.

But just for clarity’s sake, the second “go looking” feature basically allows a hacker or a cybercriminals who has control of a Mirai botnet to not only use that specific botnet in order to carry out massive attacks, but also recruit additional (and insecure) IoT devices which might exist in the vicinity of the victimized server.

More specifically, a cybercriminals, because of the new feature, can make use of other dormant IoT devices lying around in the vicinity of the victim’s server to join in and help out in the original Mirai attack and potentially, become partners in a given future cyber attack.

The Problem With Deutsche Telekom

If you want to understand the situation with Deutsche Telekom, then know this: a hacker’s job of exploring devices that might be vulnerable is made easier if the IoT device is unable to comply or resist any attack attempts and instead crashes or misbehaves.

If the IoT device crashes then it effectively means that is has DDoSed the owner of that specific IoT device.

If that happens to a home router, then the owner of that router would be cut off from the internet until the problem is fixed. The router will be unable to allow traffic into the network or send it out. The least that we should expect is the home router not being able to reconnect to the internet and requiring a restart to become functional again.

And of course, it can crash again even after a restart because the hacker will probe the device again and then infect it, again, and hence the cycle of crash, offline, reboot and reconnect would continue indefinitely.

Some expert in the industry believe that this is exactly what happened to so many customers who had subscribed to Deutsche Telekom in Germany. All of the Mirai attack and its disruption happened during a single weekend.

According to official sources, 900,000 home routers out of 20 million that were being used by the company’s customers were found to be susceptible to going offline (in other words locking up) when a hacker probed the device with the help of a new Mirai botnet variant.

As indicated earlier in the article as well, the fact that most people thought that devices such as home routers could not be infected was precisely the reason why hackers used these devices to infect them.

As of now, we know that more than four percent of the total Deutsche Telekom customer base was forced to go offline and then blocked from connecting to the internet.





Leave a Reply