An advance distributed denial-of-service (DDoS) botnet that preserved extending over the summer has been beating Russian internet giant Yandex for the previous month, the attack increasing at the unusual rate of 21.8 million requests per second.

The botnet acknowledged the name Meris, and it bring its power from tens of thousands of negotiated devices that investigators believe to be initially strong network materials.

Enormous and Authoritative Botnet

Broadcast about a Massive DDoS attack hitting Yandex broke this week in the Russian Media, which explained it as being the largest in the history of the Russian internet, the purported RuNet.

Information has arrived today in a joint investigator from Yandex and its partner in facilitating DDoS security services. Information gathered personally from some attacks set up by the advance Meris (Latvian for ‘curse’) botnet, displayed a striking force of more than 30,000 devices.

From the information that Yandex observed, offense on its servers awaited on about 56, 0000 attacking hosts. However, the investigators have seen indications that the number of negotiated devices may be closer to 250,000.

“Yandexs’ security team members handled to authorize an exact view of the botnet’s internal structure. L2TP tunnels are used for internetwork communications. The number of impacted devices, according to the botnet internals we’ve seen, reaches 250 000” – Qrator Labs

The difference between the attacking force and the overall number of impacted hosts creating Meris is described by the truth that the administrators do not want to demonstrate the full of the power of their botnet. The investigators note that the negotiated hosts in Meris are “not your typical IoT indicator connected to WiFi” but highly capable devices that need an Ethernet connection.

Meris is the same botnet answerable for generating the largest volume of attack traffic that Cloudflare recorded and avoided to date, as it increased at 17.2 million requests per second (RPS).

Although Meris botnet crack that record when striking Yandex, as it’s fluctuate on September 5 arrived at a force of 21.8 million RPS.

The botnet’s history of attacks on Yandex starts in early August with a collide of 5.2 million RPS and kept growing in strength:

• 2021-08-07 – 5.2 million RPS
• 2021-08-09 – 6.5 million RPS
• 2021-08-29 – 9.6 million RPS
• 2021-08-31 – 10.9 million RPS
• 2021-09-05 – 21.8 million RPS    

Technical Information Points to MikroTik Devices

To set up an attack, the investigator state that Mēris relies on the SOCKS4 proxy at the compromised device, uses the HTTP pipelining DDoS technique, and port 5678. As for the negotiated devices utilized, the researchers say that they are related to MikroTik, the Latvian maker of networking equipment for businesses of all sizes.

Most of the attacking devices had open ports 2000 and 5678. The latter points to MikroTik equipment, which uses it for the neighbor discovery feature (MikroTik Neighbor Discovery Protocol). They also found that while MikroTik provides its standard service through the User Datagram Protocol (UDP), compromised devices also have an open Transmission Control Protocol (TCP).

This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners,” Qrator Labs researchers believe. When searching the public internet for open TCP port 5678, more than 328,000 hosts responded. The number is not all MikroTik devices, though, as LinkSys devices also use TCP on the same port.

Port 2000 is for “Bandwidth test server,” the researchers say. When open, it replies to the incoming connection with a signature that belongs to MikroTik’s RouterOS protocol. MikroTik has been informed of these findings. The vendor told Russian publication Vedomosti that it is not aware of a new vulnerability to compromise its products.

The network equipment maker also said that many of its devices continue to run old firmware, vulnerable to a massively exploited security issue tracked as CVE-2018-14847 and patched in April 2018.

However, the range of RouterOS versions that Yandex and Qrator Labs mentioned in attacks from Meris botnet modifies exceedingly and includes devices running newer firmware versions, such as the current stable one (6.48.4) and its predecessor, 6.48.3.