A new botnet has been observed breaking records of previous DDoS attacks as it generated 21.8 million requests per second. Dubbed Meris, the botnet targeted the Internet company from Russia, Yandex. So far, it has infected thousands of networking devices.

What has happened?

According to the Russian media, the attack was one of the biggest DDoS attacks in the history of RuNet, the Russian Internet.
  • The information collected from the multiple attacks revealed that Mēris has a network of more than 30,000 devices.
  • The information collected by Yandex indicates that the attacks on its servers used 56,000 attacking hosts. However, evidence suggests that the number of compromised devices is around 250,000.
  • The botnet attacks on Yandex started in early August with 5.2 million RPS and kept increasing in strength with 6.5 million (Aug 9), 9.6 million (Aug 29), 10.9 million (Aug 31), and eventually, reached up to 21.8 million RPS on September 5.

Technical details

The Yandex security team has fully disclosed the botnet's internal structure. 
  • It uses L2TP tunnels for internetwork communications. To carry out the attack, the botnet uses SOCKS4 proxy on the infected device and then uses HTTP pipelining DDoS technique.
  • Most of the compromised devices had open ports 5678 and 2000. Port 5678 points to MikroTik equipment which is used for the neighbor discovery feature.
  • Port 2000 stands for bandwidth test server that replies to the incoming connection with a signature pertaining to MikroTik’s RouterOS protocol.
  • The network equipment maker stated that most of its devices are still using old firmware, exposed to a widely abused security flaw tracked as CVE-2018-14847 (patched in April 2018). However, in the recent attacks, some of the compromised devices were running new RouterOS versions as well.

How to safeguard against this?

MikroTik has shared tips on keeping your gateways secure. While impacted users will be contacted by MikroTik, many users have not been contacted yet, says the firm. For now, it is recommended to keep the devices updated and ensure that no unused ports are left open to the public Internet.

Cyware Publisher