When the three U.S. hackers, Paras Jha, Josiah White and Dalton Norman, pled guilty to creating the Mirai botnet last year, it became apparent from a Wired investigation that the three had originally built the botnet to gain a competitive advantage in Minecraft. Only after they realized the power and scale of the botnet they had created did they go bigger.
“They didn’t realize the power they were unleashing,” FBI supervisory special agent Bill Walton told Wired. “This was the Manhattan Project.”
The $27 game Minecraft is hugely popular, averaging 55 million players a month worldwide, many of whom are children and young people. Users construct 3D worlds by “mining” blocks. To play multi-player, users have to sign up to a Minecraft server, which often has tens of thousands of users who pay to rent “space” inside the game or buy in-game tools. The servers are an integral part of the Minecraft experience, as each host can set different rules and install different plug-ins, which vary the user experience.
The FBI investigators looking into Mirai found that many of the botnet’s assaults had targeted gaming servers, in particular Minecraft servers. They then discovered that big money was being made by people hosting Minecraft servers, sometimes up to $100,000 a month in peak times. This commercial success had fostered an environment in which DDoS attacks were launched on competitor servers, with server hosts aiming to gain new players frustrated at the slow connection speeds of the DDoS’ed servers.
The investigators discovered YouTube tutorials geared specifically at teaching how to DDoS Minecraft, and free tools for doing so on GitHub. Doug Klein, another FBI investigator on the case and a former UNIX systems administrator, told Wired the digital arms race in DDoS is inexorably tied to Minecraft.
“We see so many attacks on Minecraft. I’d be more surprised sometimes if I didn’t see a Minecraft connection in a DDoS case,” Klein told Wired. “You look at the servers—those guys are making huge money, so it’s in my benefit to knock your server offline and steal your customers. The vast majority of these Minecraft servers are being run by kids—you don’t necessarily have the astute business judgment in the quote-unquote ‘executives’ running these servers.”
Mirai’s creators had the goal of knocking out rival servers but, ironically, also intended to make money by offering protection against DDoS attacks. The trio had launched their own DDoS mitigation company, and they carried out the crushing attack on French web hosting firm OVH because it too hosted Minecraft DDoS mitigation services (the VAC, one of the industry’s top Minecraft DDoS protection tools) and they wanted to knock out their competitor. Crucially, they also wanted to undermine the protection it offered critical Minecraft servers.
“They just got greedy—they thought, ‘If we can knock off our competitors, we can corner the market on both servers and mitigation,’” Walton says.
The attack on OVH was the largest ever seen on the Internet: multiple simultaneous attacks, each exceeding 100 Gbps, together amounted to a 1 Tbps DDoS attack. One of the attacks alone reached 799 Gbps.
Finding the connection to Minecraft and seeing it play out during the OVH attack at such a large scale helped the FBI investigators narrow their focus. They began to find connections to Minecraft all over Mirai. Just after the OVH attack, the creators used Mirai to target Proxypipe.com, a San Francisco-based company that specializes in protecting Minecraft servers from DDoS attacks.
“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” Walton says. “Then it just became a challenge for them to make it as large as possible.”
To deflect suspicion if caught, Jha released the malware source code to the website Hack Forum, along with the default credentials for 46 compromised IoT devices. Since then, attacks by Mirai variants have run rampant and continue to do so. Over the five months from September 2016 to February 2017 alone, variations of Mirai accounted for over 15,000 DDoS attacks. In these copycat attacks, gaming services continued to be the primary target, including a Brazilian internet service provider that saw its Minecraft servers targeted.
In Akamai’s recent report on Q4 2017, the authors noted that the gaming industry remains the top target for all DDoS attacks, comprising 79% of all DDoS attacks across the quarter. And while Mirai is currently much smaller than it was at its peak, its code base continues to be updated to give it new capabilities. Scanning from the botnet peaked in late November, showing that the botnet is still capable of “explosive growth”, according to Akamai.