Mēris Botnet Breaking DDoS Records

At the start of this year, researchers looked back on 2020 and discovered it was a boom year for DDoS attacks. Now, Russian Internet giant Yandex is battling the biggest DDoS attack on record and a new Botnet may be the infrastructure powering this record-breaking attack.

Giving the attack method its full name of Distributed Denial of Service (DDoS), the attack involves attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This can be done through the use of botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device, typically Internet of Things devices and routers.

Hackers will connect thousands of infected devices to send requests to the target server to the point where the server can no longer handle the traffic. This has the impact of rendering websites and applications inoperable while the attack is ongoing.

meris - record breaking ddos attack

According to reports, Russian media believes that this is the largest assault on RuNet, Russia’s segment of the Internet. RuNet was designed to function independently of the worldwide web. Its purpose is to maintain the unified country-wide communication infrastructure running in case of a cyber-attack from a foreign adversary. Sources also report that the massive spike in traffic intended to prevent services first began over the weekend when Yandex servers began reporting a spike in traffic.

Yandex does provide DDoS support to customers in conjunction with Russian security firm Qrator Labs, however, at the time the incident was made public no information was provided as to the exact scale of the attack. Vedomosti, the Russian media source that broke the story, says that its sources declined to provide more information on the attack because of an ongoing internal audit, but noted that the incident represents “a threat to infrastructure on a national scale.”

The publication further noted that a Yandex spokesperson confirmed the DDoS attack and that the company’s network infrastructure managed to filter the unwanted requests, resulting in no impact on provided services or user data. More information was soon to follow.

Mēris Botnet

It was hinted, at the time the incident was brought to the public’s attention, that the offending botnet infrastructure behind the attack may be one not seen before, or at least not analyzed sufficiently up until now. More information about the attack was soon to follow when Qrator Labs, via their corporate blog, published published details about the new botnet called Mēris.

What is interesting about the attack is that, according to researchers, there hasn’t been a global application-layer attack in five years. This is due in part to effective defensive measures that have been put in place to prevent such attacks. That said DDoS attacks are not harmless as Mēris now shows. The security firm noted that by the end of June 2021, odd activity had been detected that alluded to the possibility of a new botnet.

Researchers noted that by the time of the Yandex incident, the Internet giant had discovered 56 000 attacking hosts, while Qrator Labs discovered that 30,000. This makes up a significant number of devices through which a DDoS attack can be enabled. However, researchers believe that the number of bots maybe around 200,000. Researchers went on to state,

“...we suppose the number to be higher – probably more than 200 000 devices, due to the rotation and absence of will to show the "full force" attacking at once. Moreover, all those being highly capable devices, not your typical IoT blinker connected to WiFi – here we speak of a botnet consisting of, with the highest probability, devices connected through the Ethernet connection – network devices, primarily…Some people and organizations already called the botnet "a return of Mirai", which we do not think to be accurate. Mirai possessed a higher number of compromised devices united under C2C, and it attacked mainly with volumetric traffic…We have not seen the malicious code, and we are not ready to tell yet if it is somehow related to the Mirai family or not. We tend to think that it is not, since the devices it unites under one umbrella seems to be related to only one manufacturer – Mikrotik.”

As of yet the vulnerabilities that may have been exploited to grow the botnet are unknown. Researchers did point out that users on the Mikrotik forum posted about customers experiencing hacking attempts on older versions of RouterOS, particularly 6.40.1 from 2017. If this is the vulnerability possibly exploited, the outlook goes from bad to worse as this means there are thousands of devices that are unpatched and vulnerable.

Luckily, this may not be the case as Yandex data shared with the security firm suggests the spectrum of RouterOS versions we see across this botnet varies from years old to recent. The largest share belongs to the version of firmware previous to the current Stable one. According to Qrator Labs, the following features of the botnet have been confirmed:

  • Socks4 proxy at the affected device (unconfirmed, although Mikrotik devices use socks4)
  • Use of HTTP pipelining (http/1.1) technique for DDoS attacks (confirmed)
  • Making the DDoS attacks themselves RPS-based (confirmed)
  • Open port 5678 (confirmed)

Researchers further warned,

“It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market.”

Record Breaker

According to Qrator Labs, it is not only RuNet that has been targeted. Attacks in New Zealand and the US can be attributed to the Mēris botnet. The attacks on New Zealand and the US were notable for the amount of requests-per-second (RPS) that the botnet was able to achieve to deny services. The attack on US infrastructure clocked in 17.2 million RPS but the attack on RuNet blows even that record out the water with 21.8 million RPS.

Both records were thwarted, first by Cloudflare and then by Yandex. How then did Yandex prevent such a massive spike in traffic from knocking services offline? Qrator Lab researchers noted,

“At Yandex, incoming user traffic passes through several infrastructure components, operating at different ISO/OSI layers. The first component protects Yandex from SYN flood attacks. The following layers analyze incoming traffic in real-time. Based on the technical and network statistics, the system evaluates each request for a level of suspicion. Thanks to robust and well-maintained infrastructure, we quickly scaled our components horizontally after the first attack. We were able to cope with the most significant RPS attack in Internet history without switching to an IP banning mode.”

Cloudflare noted that the attack on US infrastructure was mitigated through the use of what the company terms autonomous edge DDoS protection systems. It was further stated that the system works by,

“Once an attack is detected, our systems generate a mitigation rule with a real-time signature that matches the attack patterns. The rule is propagated to the most optimal location in the tech stack. As an example, a volumetric HTTP DDoS attack may be blocked at L4 inside the Linux iptables firewall instead of at L7 inside the L7 reverse proxy which runs in the user space. Mitigating lower in the stack, e.g. dropping the packets at L4 instead of responding with a 403 error page in L7, is more cost-efficient. It reduces our edge CPU consumption and intra-data center bandwidth utilization — thus helping us mitigate large attacks at scale without impacting performance.”

It is most certainly a win for ISP providers and the Internet as a whole that technology has been developed that can cope with record-breaking DDoS attempts.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal