Russian internet giant Yandex has been the target of a
record-breaking distributed denial-of-service (DDoS) attack by a
new botnet called Mēris.
The botnet is believed to have pummeled the company's web
infrastructure with millions of HTTP requests before hitting a
peak of 21.8 million requests per second (RPS). That eclipses the
botnet-powered attack that came to light last month, which
bombarded[1] an unnamed Cloudflare customer in the financial
industry with 17.2 million RPS.
Russian DDoS mitigation service Qrator Labs, which disclosed
details of the attack on Thursday, called Mēris[2]
— meaning “Plague” in the Latvian language — a “botnet of a new
kind.”
“It is also clear that this particular botnet is still growing.
There is a suggestion that the botnet could grow in force through
password brute-forcing, although we tend to neglect that as a
slight possibility. That looks like some vulnerability that was
either kept secret before the massive campaign’s start or sold on
the black market,” the researchers noted, adding Mēris “can
overwhelm almost any infrastructure, including some highly robust
networks […] due to the enormous RPS power that it brings
along.”
The DDoS attacks leveraged HTTP pipelining, a feature of HTTP/1.1
that lets a client (e.g., a web browser) open a single connection
to the server and send multiple requests back to back without
waiting for each response. Because one connection can carry
dozens or hundreds of requests, the request rate seen by the
target is far higher than the number of connections or source
hosts would suggest, which is where the botnet's RPS figure comes
from. According to Qrator Labs, the malicious traffic originated
from over 250,000 infected hosts, primarily network devices from
MikroTik, with evidence pointing to a spectrum of RouterOS[3]
versions that, in the researchers' view, were compromised by
exploiting as-yet-unknown vulnerabilities.
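To make the pipelining mechanic concrete, here is an added Python example; it is not code from the article, Qrator Labs or MikroTik. It builds the kind of pipelined batch a single bot could write to one connection, then parses the raw byte stream back into individual requests the way a reverse proxy or IDS must in order to count requests rather than connections, and flags a connection whose request count exceeds a budget. The hostname, user-agent string and the per-connection threshold are constructed for illustration and are not values from the real botnet.

```python
from __future__ import annotations

import re

# Added example: what one pipelining client can send on ONE TCP connection,
# and how the receiving side has to split that stream to count requests.
# All hosts, paths and header values below are constructed sample data.


def build_pipelined_batch(host: str, paths: list[str]) -> bytes:
    """Return one buffer holding a GET for every path, back to back.

    A pipelining client writes this whole buffer in a single send() and
    only then starts reading responses. A non-pipelining client would send
    one request, wait for its response, then send the next.
    """
    reqs = []
    for path in paths:
        reqs.append(
            f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: example-client/1.0\r\n"  # constructed, not the botnet's UA
            f"Connection: keep-alive\r\n"
            f"\r\n"
        )
    return "".join(reqs).encode("ascii")


_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def split_pipelined_stream(stream: bytes) -> list[dict]:
    """Parse a raw client->server byte stream into individual requests.

    This is the server/IDS view of pipelined traffic: counting connections
    undercounts the load, so each request must be delimited. Handles
    Content-Length bodies; chunked request bodies are out of scope here
    and raise ValueError. An incomplete trailing request is left unparsed
    (a real implementation would buffer it until more bytes arrive).
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # header block not complete yet
        head = stream[pos:end].split(b"\r\n")
        m = _REQUEST_LINE.match(head[0])
        if not m:
            raise ValueError(f"bad request line: {head[0]!r}")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        if "chunked" in headers.get("transfer-encoding", "").lower():
            raise ValueError("chunked request bodies not supported here")
        body_len = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + body_len]
        if len(body) < body_len:
            break  # body not fully received yet
        requests.append({
            "method": m.group(1).decode(),
            "path": m.group(2).decode(),
            "headers": headers,
            "body": body,
        })
        pos = body_start + body_len
    return requests


def flag_pipelining_abuse(stream: bytes,
                          max_requests_per_connection: int = 8) -> tuple[int, bool]:
    """Count requests on one connection and flag it when the count exceeds
    a per-connection budget. The default budget is an assumed example
    value; a real deployment tunes it to its own legitimate traffic."""
    n = len(split_pipelined_stream(stream))
    return n, n > max_requests_per_connection


if __name__ == "__main__":
    batch = build_pipelined_batch("victim.example", ["/"] * 500)
    count, abusive = flag_pipelining_abuse(batch)
    print(f"{count} requests on one connection, abusive={abusive}")
```

The counting step is the point: a per-source-IP or per-connection rate limit that counts TCP connections would see one connection here, while a limit applied after request delimiting sees all 500 requests. The same split is what lets a mitigation layer enforce a pipelining depth budget per connection.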
But in a forum post, the Latvian network equipment manufacturer
said these attacks employ the same set of routers that were
compromised via a 2018 vulnerability (CVE-2018-14847[4], CVSS
score: 9.1), a Winbox directory traversal flaw that let an
unauthenticated remote attacker read arbitrary files, including
the router's user database, from RouterOS through 6.42. The flaw
has since been patched, and MikroTik said there are no new
(zero-day) vulnerabilities impacting the devices.
“Unfortunately, closing the vulnerability does not immediately
protect these routers. If somebody got your password in 2018, just
an upgrade will not help. You must also change password, re-check
your firewall if it does not allow remote access to unknown
parties, and look for scripts that you did not create,” it noted[5].
The researchers have also linked Mēris to a number of other DDoS
attacks, including the one mitigated by Cloudflare, citing
overlaps in "durations and distributions across countries."
Upgrading MikroTik devices to the latest RouterOS firmware is
strongly recommended, but on its own it is not enough: credentials
harvested through the 2018 flaw remain valid after the upgrade.
Organizations are therefore also advised to change the device's
administration passwords, restrict remote management access in the
firewall to known parties, and audit the router for scripts they
did not create.
References
[1] bombarding (thehackernews.com)
[2] Mēris (blog.qrator.net)
[3] RouterOS (mikrotik.com)
[4] CVE-2018-14847 (nvd.nist.gov)
[5] noted (forum.mikrotik.com)
