$300,000: Mirai DDoS Attack on Security Blog Hits Hard for Device Owners


The DDoS attack that knocked cybersecurity blog KrebsOnSecurity offline for multiple days could have cost owners of devices involved in the attack upwards of $300,000.

The Mirai botnet enslaved IoT devices including CCTV cameras, smart home systems, routers and more to trigger a massive DDoS attack in 2016. Operators of the botnet took advantage of poor security practices, including the use of default factory passwords, to traverse the internet and enslave unsecured devices to launch a substantial attack on KrebsOnSecurity.

The renowned cybersecurity expert, Brian Krebs, saw his blog hit with a staggering 620 Gbps DDoS attack that caused a major problem for Akamai, a prominent firm that hosted the blog without charge. Eventually, Google’s Project Shield offered to secure the blog.

The attack was powered by 24,000 insecure IoT devices and lasted 77 hours. Still, the firepower was but a fraction of the overall arsenal wielded by Mirai operators.

What has gone unreported, however, is the cost of damages incurred by owners of the devices enslaved by Mirai. According to a study by researchers from the Berkeley School of Information at the University of California (UC), the KrebsOnSecurity DDoS specifically cost device owners an estimated $324,000.

Dubbed Project rIoT, the study estimated that, in aggregate, the attack cost over $4,000 per hour in bandwidth, while device owners were hit for about $0.42 per hour in power, based on the distribution of devices in low-, medium- and high-cost electricity zones.

“We infected several consumer IoT devices with the Mirai malware and measured how devices use electricity and bandwidth resources in non-infected and infected states,” UC researchers explained. “We observed only small increases in electricity consumption of infected devices but significant increases in bandwidth usage in infected devices when compared with non-infected devices operating nominally.”

“The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine,” Krebs added later. “That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that.”

Image credit: Pexels.