Yandex spoke about the largest DDoS attack in the history of the Internet

Yesterday, the media reported that Yandex was subjected to a powerful DDoS attack, behind which was an unnamed new botnet. The attack was called the largest in the history of Runet, but no details were known.

Today, representatives of Yandex and Qrator Labs published a large article on Habré, in which they shared the details of the incident: it turned out that the attack power was more than 20 million requests per second, and the Mēris botnet was behind it.

The companies’ specialists note that the attack was not only the largest in the Russian Internet, but also set a new record among all DDoS attacks in general. The fact is that until recently, the largest attack in history was considered to be DDoS with a capacity of 17.2 million requests per second, which was reflected by Cloudflare this summer.

The attacks have been going on for several weeks, their scale is unprecedented, and their source is a new botnet, about which little is known yet.says Yandex.

Currently, the statistics on the growth in the scale of attacks on Yandex are as follows:

  1. August 7 – 5.2 million RPS (Requests Per Second);
  2. August 9 – 6.5 million RPS;
  3. August 29 – 9.6 million RPS;
  4. August 31 – 10.9 million RPS;
  5. September 5 – 21.8 million RPS.

The Mēris botnet was spotted in July 2021, and initially Qrator Labs specialists observed 30,000 infected hosts, while Yandex collected data on 56,000 attacking devices. However, it is assumed that the number of bots actually exceeds 200,000.

The full power of the botnet is not visible due to the rotation of devices and the lack of the attackers’ desire to show all the available power. Moreover, the devices on the botnet are high-performing, they are not typical IoT devices connected to a Wi-Fi network. Probably, a botnet consists of devices connected via an Ethernet connection, mostly network devices.the companies report said.

While many believe that the new botnet is related to the well-known IoT malware Mirai, experts say that they have not yet had the opportunity to study a sample of malicious code, and they are not ready to claim that the botnet belongs to the Mirai family. So far, the researchers are generally sure of the opposite, since “the devices united under a single command center seem to belong only to the Mikrotik manufacturer.” At the same time, experts do not yet know which vulnerabilities lead to the fact that devices of the Latvian company Mikrotik are exposed to such large-scale attacks.

This is the reason why we wanted to give a different name to the new botnet running under the uncaught command center. We have chosen Mēris – in Latvian “plague”. This name seems appropriate and is relatively close to Mirai in pronunciation.the experts explain.

Among the most striking features of the new botnet, researchers list the following:

  1. use of pipelining (pipelining in HTTP / 1.1) for organizing DDoS attacks (confirmed);
  2. attacks focused on the exploitation of RPS (confirmed);
  3. open port 5678 (confirmed);
  4. SOCKS4 proxy on the infected device (not confirmed, although Mikrotik devices are known to use SOCKS4).

The botnet is known to continue to grow. Experts from Yandex and Qrator Labs believe that the problem is not just some old vulnerability in Mikrotik devices. The fact is that the current distribution of RouterOS versions in the botnet indicates that many devices using the OS of the last three years are infected, up to the latest stable version. The largest share falls on the penultimate version.

RouterOS versions

The researchers also say that Mēris can grow due to brute force, although this option is not the main one. The situation rather indicates that a certain vulnerability in Mikrotik equipment was either kept secret until the start of this full-scale campaign, or was sold on the black market.

Interestingly, the aforementioned 17.2 million requests per second attack recorded by Cloudflare is also attributed to the Mēris botnet. Yandex observed a similar pattern in terms of duration and distribution of source countries.

requests by the Meris botnet

The same applies to the recent DDoS attacks in New Zealand, due to which the Internet in the country stopped working in some places, banks, post offices and so on arose problems.

At the moment, it [the botnet] can overload almost any network infrastructure, including some highly reliable networks that are specially designed to withstand such a load. The main feature of a botnet is a monstrous RPS rate. experts warn.
Yandex representatives emphasize that the company successfully coped with the record DDoS. “The attack did not affect the operation of the services, and user data did not suffer,” the company says.

Let me also remind you that we talked about AWS handled the most powerful DDoS attack in history, reaching 2.3 Tb/s.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button