Failed Mirai botnet attack causes internet outage for 900,000 Germans

29 Nov 2016

Deutsche Telekom customers have had their internet access restored. Image: Imagine Photographer/Shutterstock

Though the damage was significant, the 900,000 Deutsche Telekom customers who saw internet outages over the weekend were just the tip of a potential iceberg.

At one stage, 4.5pc of Deutsche Telekom’s German customers were forced offline last weekend, in what has been credited as a foiled attempt to arm the Mirai botnet.

900,000 customers suffered internet outages starting on Sunday and continuing into Monday, before the numbers of those affected plummeted.

The outages have been tied to a botched attempt to turn a sizeable number of customers’ routers into a part of the Mirai botnet, according to Deutsche Telekom’s head of IT security, Thomas Thchersich.


“In the framework of the attack, it was attempted to turn the routers into a part of a botnet,” Thchersich said, adding to a worrying six weeks of Mirai activity around the world.

Last month, the Mirai botnet caused a major headache in the US, as millions of internet users lost access to a swathe of websites after an attack on Dyn.

This was the same botnet that silenced US infosec journalist Brian Krebs, of Krebs on Security, in a 620Gbps DDOS attack in recent weeks.

Mirai also took French hosting provider OVH offline, after enlisting some 145,000 IoT devices and hacking CCTV cameras to mount an attack.

Kaspersky Lab has taken a look at the Deutsche Telekom hack and also came to the conclusion that a Mirai attack was most likely.

As Krebs pointed out after his attack, the IoT revolution means that the world is flooded with all manner of vulnerable devices, using components that are easy for manufacturers to source.

The existence of Mirai and similar botnets suggests that hackers now have an on-off switch for the internet as we know it.

What is particularly frightening is that the attacks are being augmented and customised by copycat hackers.

According to security firm Flashpoint, the Mirai botnets used in the Dyn attack were “separate and distinct botnets” from those used to execute the Krebs attack.

“Anna_senpai, the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mira’s source code online. Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks,” it said.

Gordon Hunt was a journalist with Silicon Republic