At the end of June, 2021, security researchers from Russian firm Qrator started observing “a botnet of a new kind.” A joint research with Yandex followed to discover more about this new DDoS threat “emerging in almost real-time”.
Meris Botnet: New Emerging DDoS Threat
A pretty substantial, constantly growing attacking force, as Qrator put it, was uncovered in the form of ten of thousands of host devices. The botnet has been dubbed Meris, meaning Plague in Latvian.
“Separately, Qrator Labs saw the 30 000 host devices in actual numbers through several attacks, and Yandex collected the data about 56 000 attacking hosts,” according to the official report. This number is most likely even higher, reaching 200,000. It is noteworthy that this botnet’s devices are highly capable and are not the statistically average devices connected via Ethernet.
Does the new Meris botnet have anything to do with Mirai?
“Some people and organizations already called the botnet “a return of Mirai”, which we do not think to be accurate,” Qrator noted. Since the researchers haven’t seen the malicious code behind this new botnet, they can’t say for sure whether it is somehow related to Mirai. However, since the devices it bands together come from only one manufacturer, Mikrotek, it is more likely that the Meris botnet has nothing to do with Mirai.
What are some specifications of the Meris botnet?
- Socks4 proxy at the affected device (unconfirmed, although Mikrotik devices use socks4)
- Use of HTTP pipelining (http/1.1) technique for DDoS attacks (confirmed)
- Making the DDoS attacks themselves RPS-based (confirmed)
- Open port 5678 (confirmed)
How are Mikrotik devices compromised?
The vulnerabilities used to exploit Mikrotik devices on such a large scale are yet to be outlined. However, according to customers on the Mikrotik forum, there have been hacking attempts on older RouterOS versions, particularly version 6.40.1 that dates back to 2017. If this is confirmed, “this is horrible news,” Qrator said. Nonetheless, this is most likely not true, as the range of RouterOS versions used by Meris botnet varies from years-old to recent ones. The largest number comes from firmware previous to the current Stable one.
Where have attacks by Meris botnet been observed?
Devastating attacks targeting New Zealand, the United States and Russia have been observed. The researchers warn that the botnet can “overwhelm” even the most robust network, due to its enormous RPS power.
“It’s been in the news lately about “largest DDoS attack on Russian internet and Yandex”, but we at Yandex saw a picture much bigger than that. Cloudflare recorded the first attacks of this type. Their blog post of August 19, 2021, mentioned the attack reaching 17M requests per second. We observed similar durations and distributions across countries and reported this information to Cloudflare,” the report stated.
Mikrotik has been contacted with information about the attacks. In terms of mitigation, blacklisting is still an option, as well as keeping devices up-to-date.