For the last month, a new distributed denial-of-service (DDoS) botnet has been attacking the Russian internet company Yandex. The attack peaked at an unparalleled rate of 21.8 million requests per second.
Mēris is the name given to the botnet, which draws its power from tens of thousands of compromised machines, believed to be high-capacity networking equipment rather than consumer devices.
The Russian media reported this week on a major DDoS attack against Yandex, which was billed as the greatest in the history of the Russian internet, or RuNet.
As previously explained by my colleague, Elena, a DDoS is an online attack in which legitimate users are prevented from reaching the targeted online service. This is usually done by flooding that site with a multitude of illegitimate requests.
Separate data from multiple attacks carried out by the new Mēris (Latvian for “plague”) botnet revealed an attacking force of over 30,000 machines.
According to Yandex’s statistics, roughly 56,000 attacker hosts were involved in the attacks, but there are signs that the number of infected devices might be closer to 250,000.
Yandex’s security team members managed to establish a clear view of the botnet’s internal structure. L2TP tunnels are used for inter-network communication. The number of infected devices, according to the botnet internals we’ve seen, reaches 250,000.
According to a blog post released today by Qrator Labs, the gap between the attacking force and the overall number of infected hosts that make up Mēris is explained by the operators’ reluctance to reveal the botnet’s full power.
According to the researchers, the vulnerable hosts in Mēris are “not your typical IoT blinker connected to WiFi,” but rather extremely complex gadgets that require an Ethernet connection.
The Mēris botnet set a new record when it hit Yandex: on September 5 its traffic peaked at 21.8 million RPS.
The Importance of MikroTik Devices
According to the researchers, Mēris mounts its attacks through the SOCKS4 proxy running on the compromised device, uses the HTTP pipelining DDoS technique (sending many requests back-to-back over a single connection without waiting for responses), and makes use of port 5678.
The compromised devices appear to be MikroTik products; MikroTik is the Latvian maker of networking equipment for businesses of all sizes, and ports 2000 and 5678 were open on the majority of the attacking devices, the latter being commonly associated with MikroTik equipment.
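As an added illustration of how a defender could spot the HTTP pipelining flood pattern described above in their own web server logs (this is example code written for this page, not code from the article, Yandex or Qrator Labs): the script assumes an nginx-style access log extended with the connection id and the per-connection request counter (nginx's `$connection` and `$connection_requests` variables, written here as `conn=` and `creq=`), and the log lines, client addresses and thresholds are all constructed for the example. It flags a client both when its request rate in any one second is abnormally high and when a single connection carries an unusually deep pipeline, which ordinary browsers do not produce.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example): standard combined-log
# prefix followed by the connection id and the request count on that connection.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) conn=(?P<conn>\d+) creq=(?P<creq>\d+)$'
)

# Constructed sample lines: 203.0.113.10 pipelines six requests on one
# connection within the same second; 198.51.100.7 behaves like a normal client.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=1
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=2
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=3
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=4
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=5
203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 conn=1 creq=6
198.51.100.7 - - [05/Sep/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 conn=2 creq=1
198.51.100.7 - - [05/Sep/2021:12:00:01 +0000] "GET /style.css HTTP/1.1" 200 300 conn=3 creq=1
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The timestamp already has one-second resolution; drop the timezone
    # suffix so the remaining string can serve as a per-second bucket key.
    rec["second"] = rec["ts"].split(" ")[0]
    rec["conn"] = int(rec["conn"])
    rec["creq"] = int(rec["creq"])
    return rec


def find_flood_sources(lines, rps_threshold=5, pipeline_depth=5):
    """Return {client_ip: [reasons]} for clients that look like pipelining flood sources.

    rps_threshold: requests from one client within a single second that trigger a flag.
    pipeline_depth: requests on one connection that trigger a flag (browsers do not
    pipeline by default, so a deep pipeline is a strong signal on its own).
    Both thresholds are constructed values; tune them against real baseline traffic.
    """
    per_second = defaultdict(int)   # (ip, second) -> request count
    conn_depth = defaultdict(int)   # (ip, conn)   -> highest creq seen

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unparseable lines rather than crash
        per_second[(rec["ip"], rec["second"])] += 1
        key = (rec["ip"], rec["conn"])
        conn_depth[key] = max(conn_depth[key], rec["creq"])

    flagged = defaultdict(set)
    for (ip, _second), count in per_second.items():
        if count >= rps_threshold:
            flagged[ip].add("high_rps")
    for (ip, _conn), depth in conn_depth.items():
        if depth >= pipeline_depth:
            flagged[ip].add("deep_pipelining")

    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in find_flood_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```

On the constructed sample only 203.0.113.10 is reported, for both reasons; the per-second counter catches volume from many short connections, while the pipeline-depth check catches the HTTP/1.1 pipelining behaviour even from a source that stays under the rate threshold.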
This kind of disguise might be one of the reasons the devices were compromised without anyone noticing.