The Mirai Botnet: An IoT Nightmare That Reshaped Internet Security

In 2016, three college students used a hardcoded list of just 62 factory-default username/password pairs to hijack over 600,000 IoT devices, launching the largest DDoS attacks the internet had seen up to that point, peaking above 1Tbps. Mirai marked the moment botnet threats crossed from the PC era into the age of IoT. Is your infrastructure ready?

1. A Single Piece of Code Took Down Half the Internet

On September 20, 2016, Krebs on Security, the blog of independent cybersecurity journalist Brian Krebs, suddenly went dark. It wasn't a server crash. It was a DDoS attack peaking at roughly 620Gbps, one of the largest ever recorded at the time. Krebs' CDN provider, Akamai, which had been protecting the site free of charge, held the line for about two days before withdrawing that protection. One of the world's most prominent cybercrime reporters was effectively knocked off the public internet for days.

In the same week, OVH, one of Europe's largest hosting providers, was hit with a series of attacks whose combined volume exceeded 1Tbps. OVH founder Octave Klaba reported on Twitter that the traffic came from roughly 145,000 compromised cameras and DVRs acting in concert.

On October 21, 2016, DNS provider Dyn suffered the same fate. Because Dyn handled authoritative DNS for a huge swath of major websites, the attack caused widespread outages, most visibly on the US East Coast: Twitter, Netflix, Reddit, GitHub, Spotify and many others became unreachable at the same time.

Behind all three attacks was the same name: Mirai, Japanese for "future", a botnet written by three college students barely out of their teens. By the time of the Dyn attack the code was already in other hands, as Section 3 explains.

2. 62 Passwords, 600,000 Zombies

Mirai's inner workings were disturbingly simple.

At its core were two modules: a replication module and an attack module. The replication module operated with brute-force simplicity. It scanned pseudo-random addresses across the IPv4 space for devices listening on TCP ports 23 and 2323 (Telnet), then attempted to log in using a hardcoded list of just 62 default username/password pairs. These were factory-default credentials: admin/admin, root/root, user/user and similar combinations that IoT device manufacturers shipped with their products. A successful login was reported to a loader server, which pushed the Mirai binary onto the device; the new bot then killed competing processes bound to the Telnet, SSH and HTTP ports to lock out rival malware, and began scanning for more victims itself.
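The scanning phase leaves a usable fingerprint: the leaked Mirai scanner fills the sequence number of every probe SYN with the destination IPv4 address, so a SYN to port 23 or 2323 whose sequence number equals the destination address is almost certainly a Mirai-family scanner rather than a generic Telnet sweep. The following detector is an added example, not code from the page or from the Mirai source: it parses constructed SYN records (the "src dst dport seq" log format, the addresses and the fan-out threshold are assumptions) and classifies each source as a Mirai scanner, a plain Telnet sweep or benign.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # Mirai probed both the standard and the alternate Telnet port

# Constructed sample records, not a real capture. One inbound TCP SYN per line,
# fields: "src_ip dst_ip dst_port tcp_seq". 203.0.113.7 carries the Mirai
# fingerprint (seq == destination address as a 32-bit integer), 203.0.113.99 is a
# generic Telnet sweep with unrelated sequence numbers, 198.51.100.50 is web traffic.
SAMPLE_SYNS = """\
203.0.113.7 198.51.100.23 23 3325256727
203.0.113.7 192.0.2.140 23 3221226124
203.0.113.7 198.51.100.201 2323 3325256905
203.0.113.7 192.0.2.9 23 3221225993
203.0.113.99 192.0.2.11 23 1706254201
203.0.113.99 192.0.2.12 23 1706254202
203.0.113.99 192.0.2.13 23 1706254203
203.0.113.99 192.0.2.14 23 1706254204
198.51.100.50 192.0.2.80 443 1234567890
198.51.100.50 192.0.2.80 80 1234567891
"""


def parse_syn_log(text):
    """Parse the assumed whitespace-separated SYN log into dicts; skips blank/comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, seq = line.split()
        records.append({"src": src, "dst": dst, "dport": int(dport), "seq": int(seq)})
    return records


def has_mirai_fingerprint(rec):
    """True when a Telnet-port SYN uses the destination IPv4 address as its sequence number."""
    if rec["dport"] not in TELNET_PORTS:
        return False
    try:
        return rec["seq"] == int(ipaddress.IPv4Address(rec["dst"]))
    except ipaddress.AddressValueError:  # Mirai only scanned IPv4; anything else cannot match
        return False


def analyze(records, fanout_threshold=3):
    """Per source: count fingerprint hits and distinct Telnet targets, then give a verdict.

    fanout_threshold is an assumed tuning value; on a real edge it should be set from
    the normal number of distinct Telnet destinations a legitimate host contacts."""
    fingerprint_hits = defaultdict(int)
    telnet_targets = defaultdict(set)
    for r in records:
        if r["dport"] in TELNET_PORTS:
            telnet_targets[r["src"]].add(r["dst"])
        if has_mirai_fingerprint(r):
            fingerprint_hits[r["src"]] += 1

    verdicts = {}
    for src in {r["src"] for r in records}:
        if fingerprint_hits[src] >= 2:          # two hits rules out a coincidental match
            verdict = "mirai_scanner"
        elif len(telnet_targets[src]) >= fanout_threshold:
            verdict = "telnet_sweep"
        else:
            verdict = "benign"
        verdicts[src] = {
            "fingerprint_hits": fingerprint_hits[src],
            "telnet_targets": len(telnet_targets[src]),
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for src, info in sorted(analyze(parse_syn_log(SAMPLE_SYNS)).items()):
        print(f"{src:16} {info['verdict']:14} fingerprint={info['fingerprint_hits']} "
              f"telnet_targets={info['telnet_targets']}")
```

The fan-out rule alone would flag both scanners; the sequence-number check is what separates Mirai-derived scanners from other Telnet sweepers, which matters when deciding which blocklist or honeypot dictionary to feed. Variants that rewrote the scanner may not keep this quirk, so treat a missing fingerprint as inconclusive rather than as a clean bill of health.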

It sounds absurdly primitive. Yet the result was staggering: with just 62 well-known default credential pairs, Mirai enslaved over 600,000 IoT devices at its peak. These included home routers, wireless cameras, digital video recorders (DVRs), and even air quality monitors. According to the joint analysis published at USENIX Security 2017 by researchers from Akamai, Cloudflare, Georgia Tech and other institutions, Mirai doubled its network size every 76 minutes after first appearing on August 1, 2016, infecting nearly 65,000 devices within its first day.

Once a device was compromised, the attack module took over. A central command-and-control (C&C) server dispatched attack commands to all infected devices, naming the target, the duration and the flood type. The bots then generated massive volumes of junk traffic: UDP floods, TCP SYN and ACK floods, GRE floods and HTTP floods, among others, saturating the target's links or exhausting its servers with more traffic than they could handle.
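What a defender sees of the attack module is the traffic shape: a sudden jump in packets per second at one destination, spread across hundreds of distinct sources, dominated by one protocol or flag pattern. The block below is an added example, not code from the page or from any scrubbing product: it bins constructed NetFlow-style records (a five-flow baseline, then a 40-bot UDP flood and a 30-bot SYN flood against the same host) into one-second windows and raises an alert only when both the packet rate and the source count exceed assumed thresholds, labelling the flood type from the dominant protocol.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # start time of the record in seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    flags: str     # TCP flags seen in the record ("S", "SA", "A", ...); "" for UDP
    packets: int   # packets in this record; assumed to fall inside one bin


def constructed_flows():
    """Constructed sample traffic, not a real capture: baseline web flows at t=99,
    a UDP flood from 40 bot addresses at t=100, a SYN flood from 30 at t=101."""
    flows = [Flow(99.0, f"198.51.100.{i + 1}", "192.0.2.10", "tcp", 443, "SA", 12)
             for i in range(5)]
    flows += [Flow(100.0, f"203.0.113.{i + 1}", "192.0.2.10", "udp", 80, "", 500)
              for i in range(40)]
    flows += [Flow(101.0, f"203.0.113.{i + 100}", "192.0.2.10", "tcp", 80, "S", 300)
              for i in range(30)]
    return flows


def classify_bin(flows):
    """Name the flood by the protocol/flag pattern that carries >= 80% of the packets."""
    total = sum(f.packets for f in flows)
    udp = sum(f.packets for f in flows if f.proto == "udp")
    syn = sum(f.packets for f in flows if f.proto == "tcp" and f.flags == "S")
    ack = sum(f.packets for f in flows if f.proto == "tcp" and f.flags == "A")
    if udp >= 0.8 * total:
        return "udp_flood"
    if syn >= 0.8 * total:
        return "syn_flood"
    if ack >= 0.8 * total:
        return "ack_flood"
    return "mixed_flood"


def detect_floods(flows, pps_threshold=5000, min_sources=20, bin_size=1.0):
    """Group records by (destination, time bin) and alert when the packet rate and the
    number of distinct sources both exceed the thresholds.

    pps_threshold and min_sources are assumed values for the example; in production they
    come from the link capacity and the destination's normal source diversity. Requiring
    many sources is what separates a botnet flood from a single noisy client."""
    bins = defaultdict(list)
    for f in flows:
        bins[(f.dst, int(f.ts // bin_size))].append(f)

    alerts = []
    for (dst, b), recs in sorted(bins.items()):
        pps = sum(r.packets for r in recs) / bin_size
        sources = {r.src for r in recs}
        if pps >= pps_threshold and len(sources) >= min_sources:
            alerts.append({"dst": dst, "bin": b, "kind": classify_bin(recs),
                           "pps": pps, "sources": len(sources)})
    return alerts


if __name__ == "__main__":
    for a in detect_floods(constructed_flows()):
        print(f"t={a['bin']} {a['dst']} {a['kind']} {a['pps']:.0f} pps from {a['sources']} sources")
```

The baseline bin at t=99 stays silent because it fails both tests, which is the point of combining them: a rate threshold alone fires on a single misbehaving client, and a source-count threshold alone fires on a busy but legitimate site. The classification feeds the mitigation choice, since a SYN flood is answered with SYN cookies or proxying while a UDP flood is rate-limited or dropped per port.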

3. Behind the Code: From Dorm Rooms to Federal Court

In December 2017, US federal prosecutors unsealed guilty pleas from the three young men behind Mirai: Paras Jha (21), Josiah White (20), and Dalton Norman (21). All three pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act.

Paras Jha was also found to have launched multiple DDoS attacks against his own university — Rutgers University — between November 2014 and September 2016, repeatedly knocking its central authentication servers offline and preventing students and faculty from submitting assignments and taking exams. In October 2018, a New Jersey district court sentenced Jha to six months of home confinement and ordered him to pay $8.6 million in restitution.

Jha and Norman were also charged with using malware to compromise over 100,000 US home routers and other devices between December 2016 and February 2017, conscripting them into a botnet that served as a proxy network for click fraud schemes generating illicit advertising revenue.

But the moment that truly transformed Mirai from a "three-person tool" into a global threat came at the end of September 2016, when Jha published Mirai's complete source code on a cybercrime forum under a pseudonym. After the leak, Mirai variants proliferated worldwide; anyone with basic programming skills could spin up their own IoT botnet, and the Dyn attack three weeks later was carried out by operators other than the original authors. Numerous Mirai variants remain active in the wild to this day.

4. After Mirai: The Botnet Threat Never Went Away

Mirai was not the end. It was a turning point. It proved one thing beyond doubt: when billions of IoT devices sit on the internet with default passwords or known vulnerabilities, building a Tbps-scale attack army costs essentially nothing.

In Mirai's wake, more botnets followed, not all of them targeting IoT devices. FritzFrog, a peer-to-peer botnet that spreads over SSH, added exploitation of Log4Shell and PwnKit for lateral movement and privilege escalation. P2PInfect, which targets exposed Redis servers, adopted a peer-to-peer architecture to avoid single-point-of-failure takedowns. ShellBot used hexadecimal IP address encoding to evade detection. HinataBot was estimated by researchers to be capable of attacks approaching 3.3Tbps with enough infected nodes.

In 2026, the largest reported single DDoS attacks exceed 5Tbps, while attack costs keep falling: a Tbps-scale attack is reportedly available for rent on underground markets for a few hundred dollars. Mirai's source code release lowered the barrier to building large-scale cyber weapons to hobbyist level. Any online business with a meaningful user base can become a target without warning.

What makes it worse is that IoT device shipments continue growing by billions per year, while the security update mechanisms for the vast majority of these devices remain dismal: no automatic updates, users who never update manually, or manufacturers who end security support within a couple of years. The botnet "arsenal" is expanding faster than defenses can keep up.

5. DDoS Protection Should Not Be an After-the-Fact Add-On

Looking back at the Mirai story, one detail deserves particular attention: after Krebs on Security was hit with roughly 620Gbps of attack traffic, his CDN provider Akamai pulled its free protection. One of the world's best-known security journalists was forced offline for days until Google's Project Shield took the site on.

If a security journalist cannot protect his own online presence from an attack, what are ordinary businesses and developers supposed to do?

The answer should not be "wait until you're attacked, then scramble to buy protection." DDoS mitigation should work like running water or electricity — it should be there by default from the moment infrastructure powers on, without requiring customers to first assess whether they'll be targeted. Because in the post-Mirai world, any service exposed to the public internet can become a botnet target at any time.

This is the fatal flaw of the traditional "add-on" DDoS protection model: customers who have never been attacked rarely purchase protection in advance, and by the time an attack arrives, the delay in manually redirecting traffic to a scrubbing center (usually minutes) is enough to cripple the business and drive users away.

6. Skyline Connect: Botnet Protection from Second One

Against Mirai and its successors, Skyline Connect's philosophy is straightforward: security is a default capability, not a premium add-on.

Every VPS and dedicated server comes with hardware-level DDoS protection enabled from the very first second — powered by an ASIC scrubbing engine co-developed with the NUS School of Computing. This engine is purpose-built to counter the attack patterns of Mirai and its variants:

1.2Tbps / 200 million PPS scrubbing capacity per device — even facing Mirai-era peak attack volumes of 1Tbps+, a single device handles the entire scrubbing workload with no need to reroute traffic to a remote scrubbing center.

Botnet and raw UDP flooding identified and dropped within 40ms — from the moment attack traffic reaches the device to the moment it is discarded, the entire process completes in milliseconds. Compared with the minutes-long activation delays of traditional scrubbing centers, customers may not even notice they are being attacked.

Scrubbing happens entirely in ASIC hardware, bypassing the CPU — during an attack, customer instances experience zero impact on CPU, memory, or bandwidth. This is especially critical for Mirai-style high-PPS attacks, where traditional software-based scrubbing solutions see the CPU itself become the bottleneck.

This protection is deployed across both the Singapore SG1 and Tokyo TY8 nodes, working alongside direct peering with NTT, KDDI, SoftBank, PCCW Global, Lumen, Telstra, and other Tier 1 / Tier 2 backbone carriers. Botnet attack traffic is absorbed as close to its source as possible, keeping the return path to origin completely clean.

The lesson of Mirai is clear: in a world where even cameras and routers can become weapons, DDoS protection is no longer optional. It must be part of the infrastructure — like a foundation, already in place before you even realize you need it. For full product specs and protection capabilities, visit the Skyline Connect products page.