Meris Botnet Creates a New Record for DDoS Attacks

Admin

17 Sep, 2021

https://cyware.com/

A new botnet has been observed breaking records of previous DDoS attacks as it generated 21.8 million requests per second. Dubbed Meris, the botnet targeted the Internet company from Russia, Yandex. So far, it has infected thousands of networking devices.

What has happened?

According to the Russian media, the attack was one of the biggest DDoS attacks in the history of RuNet, the Russian Internet.

The information collected from the multiple attacks revealed that Mēris has a network of more than 30,000 devices.
The information collected by Yandex indicates that the attacks on its servers used 56,000 attacking hosts. However, evidence suggests that the number of compromised devices is around 250,000.
The botnet attacks on Yandex started in early August with 5.2 million RPS and kept increasing in strength with 6.5 million (Aug 9), 9.6 million (Aug 29), 10.9 million (Aug 31), and eventually, reached up to 21.8 million RPS on September 5.

Technical details

The Yandex security team has fully disclosed the botnet's internal structure.

It uses L2TP tunnels for internetwork communications. To carry out the attack, the botnet uses SOCKS4 proxy on the infected device and then uses HTTP pipelining DDoS technique.
Most of the compromised devices had open ports 5678 and 2000. Port 5678 points to MikroTik equipment which is used for the neighbor discovery feature.
Port 2000 stands for bandwidth test server that replies to the incoming connection with a signature pertaining to MikroTik’s RouterOS protocol.
The network equipment maker stated that most of its devices are still using old firmware, exposed to a widely abused security flaw tracked as CVE-2018-14847 (patched in April 2018). However, in the recent attacks, some of the compromised devices were running new RouterOS versions as well.

How to safeguard against this?

MikroTik has shared tips on keeping your gateways secure. While impacted users will be contacted by MikroTik, many users have not been contacted yet, says the firm. For now, it is recommended to keep the devices updated and ensure that no unused ports are left open to the public Internet.

source : https://cyware.com/news/meris-botnet-creates-a-new-record-for-ddos-attacks-1499a89c

<!--

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1807328581-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY59BxdvQ0D_zS5TmSC3hN0JnznNXw:1714083876267';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8315132940176638004','//www.cyberlaw.eu.org/2021/09/meris-botnet-creates-new-record-for.html','8315132940176638004');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8315132940176638004', 'title': 'Cyberlaw', 'url': 'https://www.cyberlaw.eu.org/2021/09/meris-botnet-creates-new-record-for.html', 'canonicalUrl': 'https://www.cyberlaw.eu.org/2021/09/meris-botnet-creates-new-record-for.html', 'homepageUrl': 'https://www.cyberlaw.eu.org/', 'searchUrl': 'https://www.cyberlaw.eu.org/search', 'canonicalHomepageUrl': 'https://www.cyberlaw.eu.org/', 'blogspotFaviconUrl': 'https://www.cyberlaw.eu.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Cyberlaw - RSS\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8315132940176638004/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Cyberlaw - Atom\x22 href\x3d\x22https://www.cyberlaw.eu.org/feeds/3466401937982148861/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/111cb1309c0430aa', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '3466401937982148861', 'postImageThumbnailUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhETZQfeakYdEuj9Tn9uvTdvJ-KcIHyuNaMCHBfVuk-cgoSjVpYJd807NlW3iNFcTNaTi15qY57fofhj7yzot64PrSTNwF914I4Ubo_KTZQ2gBxXrazG4CzKjZ__1qWhOBAyBrs9lHhyjU/s72-w686-c-h296/image.png', 'postImageUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhETZQfeakYdEuj9Tn9uvTdvJ-KcIHyuNaMCHBfVuk-cgoSjVpYJd807NlW3iNFcTNaTi15qY57fofhj7yzot64PrSTNwF914I4Ubo_KTZQ2gBxXrazG4CzKjZ__1qWhOBAyBrs9lHhyjU/w686-h296/image.png', 'pageName': 'Meris Botnet Creates a New Record for DDoS Attacks', 'pageTitle': 'Cyberlaw: Meris Botnet Creates a New Record for DDoS Attacks', 'metaDescription': ''}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Meris Botnet Creates a New Record for DDoS Attacks', 'description': 'Cyberlaw.eu.org is an online publication that helps people navigate a safe path through their increasingly complex digital lives.', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhETZQfeakYdEuj9Tn9uvTdvJ-KcIHyuNaMCHBfVuk-cgoSjVpYJd807NlW3iNFcTNaTi15qY57fofhj7yzot64PrSTNwF914I4Ubo_KTZQ2gBxXrazG4CzKjZ__1qWhOBAyBrs9lHhyjU/w686-h296/image.png', 'url': 'https://www.cyberlaw.eu.org/2021/09/meris-botnet-creates-new-record-for.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 3466401937982148861}}, {'name': 'widgets', 'data': [{'title': 'Logo', 'type': 'HTML', 'sectionId': 'header-main', 'id': 'HTML50'}, {'title': 'Menu', 'type': 'PageList', 'sectionId': 'header-main', 'id': 'PageList50'}, {'title': 'SVG Icons', 'type': 'HTML', 'sectionId': 'icons', 'id': 'HTML58'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'blog-post', 'id': 'Blog50', 'posts': [{'id': '3466401937982148861', 'title': 'Meris Botnet Creates a New Record for DDoS Attacks', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhETZQfeakYdEuj9Tn9uvTdvJ-KcIHyuNaMCHBfVuk-cgoSjVpYJd807NlW3iNFcTNaTi15qY57fofhj7yzot64PrSTNwF914I4Ubo_KTZQ2gBxXrazG4CzKjZ__1qWhOBAyBrs9lHhyjU/w686-h296/image.png', 'showInlineAds': false}], 'footerBylines': [], 'allBylineItems': []}, {'title': '', 'type': 'Image', 'sectionId': 'sidebar-static', 'id': 'Image1'}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar-static', 'id': 'PopularPosts50', 'posts': [{'title': '46% of all on-prem databases are vulnerable to attack, breaches expected to grow', 'id': 7790416452275736488}, {'title': 'ProtonMail shared activist\x27s IP with law enforcement, claims had no other choice', 'id': 3008301597554200192}, {'title': 'Google patches 10th Chrome zero-day exploited in the wild this year', 'id': 7089575375688601033}, {'title': 'Cisco Patches Critical Vulnerabilities in IOS XE Software', 'id': 1823637314326203949}, {'title': 'SSID Stripping: New Method for Tricking Users Into Connecting to Rogue APs', 'id': 5218617025854254661}]}, {'title': 'Categories', 'type': 'Label', 'sectionId': 'sidebar-static', 'id': 'Label50'}, {'title': 'About Us', 'type': 'HTML', 'sectionId': 'footer-widget', 'id': 'HTML55'}, {'title': '', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList50'}, {'title': 'Follow Us', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList51'}, {'title': 'Copyright', 'type': 'HTML', 'sectionId': 'copyright', 'id': 'HTML56'}]}]);
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML50', 'header-main', document.getElementById('HTML50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PageListView', new _WidgetInfo('PageList50', 'header-main', document.getElementById('PageList50'), {'title': 'Menu', 'links': [{'isCurrentPage': false, 'href': '/search/label/News?max-results\x3d10', 'title': 'News'}, {'isCurrentPage': false, 'href': '/search/label/Cyber?max-results\x3d10', 'title': 'Cyber'}, {'isCurrentPage': false, 'href': '/search/label/Hacking?max-results\x3d10', 'title': 'Hacking'}, {'isCurrentPage': false, 'href': '/search/label/Vulnerable?max-results\x3d10', 'title': 'Vulnerable'}, {'isCurrentPage': false, 'href': '/search/label/Privacy?max-results\x3d10', 'title': 'Privacy'}], 'mobile': false, 'showPlaceholder': true, 'hasCurrentPage': false}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML58', 'icons', document.getElementById('HTML58'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog50', 'blog-post', document.getElementById('Blog50'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1666805145-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/13464135-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_ImageView', new _WidgetInfo('Image1', 'sidebar-static', document.getElementById('Image1'), {'resize': false}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts50', 'sidebar-static', document.getElementById('PopularPosts50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label50', 'sidebar-static', document.getElementById('Label50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML55', 'footer-widget', document.getElementById('HTML55'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList50', 'footer-widget', document.getElementById('LinkList50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList51', 'footer-widget', document.getElementById('LinkList51'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML56', 'copyright', document.getElementById('HTML56'), {}, 'displayModeFull'));
</script>
</body>

-->