At the time of writing a new milestone has just been passed – a rather dubious one that cements the vulnerability of the world’s largest and most important technological marvel to date.

A chunk of the internet – large enough to encompass Amazon, Netflix, PayPal, Twitter, Reddit, Spotify, The New York Times, WIRED and most of the East Coast of the US – suffered outages as it came under sustained DDoS (distributed denial of service) attack.

That we see yet another DDoS taking place isn’t so much news anymore – they’re simply part of the internet weather now – but the scope and scale of this attack reveals just how damaging they can be. In this case the target was internet services company Dyn and its DNS service, causing domain name resolution failures that led to some of the world’s most popular sites becoming unstable or inaccessible.

While responsibility remains up in the air – claims have surfaced ranging from groups like New World Hackers through to finger pointing at nation-states like Russia – what’s more interesting is how it was carried out.

Gone are the days of merely commandeering innocuous computers sitting idle on the internet; there is a far more potent supply of machines to enlist: the almost innumerable ‘Internet of Things’ encompassing everything from webcams and printers to routers and digital video recorders.

Thanks to malware known as Mirai, which constantly scours the net looking for vulnerable devices, it’s estimated some tens of millions of devices took part in the world’s largest DDoS attack to date. Wait, let that sink in: tens of millions.

Mirai isn’t complex. It has a hard-coded list of default administrator logins and passwords for common products, and after finding devices it can log in to, it simply installs itself and continues the spread. Then it sits and waits, until instructed to direct traffic to an IP or IP range and start the snowball that is DDoS.
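The spreading behaviour described above leaves a recognisable trace on the victim side: one source address failing logins against a run of default accounts in quick succession, sometimes followed by a success. The following is an added example, not code from the article or from Mirai itself, of how a defender might pick that pattern out of device authentication logs. The syslog-style line format, the sample log lines and the `DEFAULT_ACCOUNTS` list are all constructed for illustration and are not taken from any real device or from the malware.

```python
"""
Detect default-credential login sweeps (the Mirai spreading pattern) in
device authentication logs.

Added example for this article; the log format below is an assumed
syslog-like layout, and every sample line is constructed for illustration.
Adapt LINE_RE to the actual format your routers, DVRs or cameras emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source sweeps five default accounts
# in four seconds and then gets in; another is an ordinary user typo.
SAMPLE_LOG = """\
2016-10-21T11:10:01 router telnetd[412]: login failed for user 'root' from 203.0.113.7
2016-10-21T11:10:02 router telnetd[412]: login failed for user 'admin' from 203.0.113.7
2016-10-21T11:10:02 router telnetd[412]: login failed for user 'support' from 203.0.113.7
2016-10-21T11:10:03 router telnetd[412]: login failed for user 'user' from 203.0.113.7
2016-10-21T11:10:04 router telnetd[412]: login failed for user 'guest' from 203.0.113.7
2016-10-21T11:10:05 router telnetd[412]: login succeeded for user 'admin' from 203.0.113.7
2016-10-21T11:12:40 router telnetd[412]: login failed for user 'alice' from 192.0.2.10
2016-10-21T11:30:00 router telnetd[412]: login succeeded for user 'alice' from 192.0.2.10
"""

# Assumed line layout: ISO timestamp, host, process, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']+)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Illustrative set of factory-default account names a credential-spraying
# bot rotates through. Extend it with the defaults your own devices ship with.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service", "supervisor"}


def parse_log(text):
    """Yield (timestamp, result, user, src) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def find_credential_sweeps(events, window=timedelta(seconds=60), min_accounts=3):
    """
    Flag a source IP that, within `window`, fails logins against at least
    `min_accounts` distinct default accounts. For each flagged source also
    report whether it later logged in successfully: that is the signal that a
    device has probably been enrolled rather than merely probed.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs
                 if result == "failed" and user in DEFAULT_ACCOUNTS]
        # Slide a time window over this source's default-account failures.
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({user for _, user in fails[start:end + 1]}) >= min_accounts:
                first_fail = fails[start][0]
                findings[src] = {
                    "accounts_tried": sorted({user for _, user in fails}),
                    "later_success": any(result == "succeeded" and ts >= first_fail
                                         for ts, result, _ in evs),
                }
                break
    return findings


def scan(text):
    """Convenience wrapper: parse raw log text and return the sweep findings."""
    return find_credential_sweeps(parse_log(text))


if __name__ == "__main__":
    for src, info in scan(SAMPLE_LOG).items():
        print(f"{src}: swept {info['accounts_tried']}, later success: {info['later_success']}")
```

The thresholds (three distinct default accounts inside sixty seconds) are a starting point, not a standard; a legitimate administrator rarely cycles through several factory account names in a few seconds, while a bot working down a fixed list does exactly that. The `later_success` flag is the line worth alerting on loudest, because it marks a device that most likely still has its factory password.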

And because approximately no one ever bothers to change the default administrator password on their routers and printers and webcams and other wonderful internet-connected gadgets, you can be sure that tens of millions is just the start. More so because the definition of Internet of Things is actually larger than just computing gadgets and gear – in the very near future it will also include sensors, actuators, control circuits and much more, the common theme being they’re networkable and sport basic operating firmware.

In fact, it’s the basic part that’s the most important – cheap, mass-produced devices don’t have the resources for complex software, let alone security software, so they often don’t have any defences against being enslaved into a botnet like Mirai.

With all the attention DDoS attacks have gotten this year (including our very own eCensus shenanigans), you could say awareness is changing things – Chinese manufacturer Hangzhou Xiongmai has already issued a recall on all its components used in webcams, as products using these parts were identified in the Dyn attack. That is the right thing to do.

But in many ways, the cat is already out of the bag – there are hundreds of millions of IoT products out there with little or no security beyond a default administrator password that’s left unchanged.

Which means we’re only going to see more of this, perhaps with ever increasing severity – the volume of the largest DDoS on record has already been broken three times this year.

And it’s probably worth noting that the source code to Mirai is publicly available, meaning there are already likely many botnets based on variants of Mirai running around, collecting more devices into their armies of things.

Even though this awareness is driving education on the importance of cybersecurity and security-centric design, and future products may be much harder to enlist, the products that already make up Mirai are going to be around for a very long time – and so too will these sleeping armies be waiting for the next command to strike.

Oh yes, while I think of it: if you haven’t already, go change the default login and password for the devices in your home. All of them.

Ashton Mills has been writing about technology for 20 years and still gets excited for the latest techy gear. He’s also the Outreach Manager for the Australian Computer Society (www.acs.org.au); you can email him at ashton.mills@acs.org.au.