Russia’s Yandex targeted by Meris Botnet in a 22 million RPS DDoS attack

The DDoS attacks employed a technique called HTTP pipelining

Russia’s Yandex targeted by Meris Botnet in a 22 million RPS DDoS attack

A new botnet named Meris has launched a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex.

The botnet is thought to have pounded the company’s web infrastructure with millions of HTTP requests before peaking at 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that pounded an unnamed Cloudflare customer in the financial industry with 17.2 million RPS last month. Meris — which means ‘plague’ in Latvian — is a new botnet according to Russian DDoS mitigation service Qrator Labs, which revealed details of the attack on Thursday.

It’s also obvious that this botnet is still expanding. There is a possibility that the botnet could expand its reach by brute-forcing passwords, but we prefer to dismiss this as a remote possibility. That appears to be a vulnerability that was either kept hidden or sold on the black market before the massive campaign began, according to the researchers, who also noted that Meris can overwhelm almost any infrastructure, including some of the most robust networks, due to the massive RPS power it brings.

HTTP pipelining, which allows a client to make a connection to a server and submit several requests without having to wait for each response, was utilized in the DDoS attacks. Over 250,000 infected computers, predominantly Mikrotik network devices, sent malicious traffic, with evidence pointing to a range of RouterOS versions weaponized by exploiting yet unknown vulnerabilities. However, the Latvian network equipment manufacturer noted in a forum post that these attacks use the same routers that were affected by a 2018 vulnerability that has already been fixed, and that the devices are not vulnerable to any new vulnerabilities.

Unfortunately, addressing the vulnerability does not provide immediate protection for these routers. An upgrade will not help you if your password was stolen in 2018. According to the research, you should also change your password, double-check your firewall to make sure it isn’t blocking remote access from unknown parties, and look for scripts you didn’t develop. Meris has also been linked to a number of DDoS attacks, one of which was mitigated by Cloudflare, with overlapping durations and distributions across countries. While it’s critical to update MikroTik devices to the most recent firmware to protect against botnet attacks, enterprises should also change their management passwords to avoid brute-force attacks.