Mēris Botnet is the Perpetrator Behind the DDoS Attack that Hit Yandex

A new botnet dubbed Mēris has launched a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex. The botnet is thought to have pounded the company’s web infrastructure with millions of HTTP requests before peaking at 21.8 million requests per second (RPS), surpassing a recent botnet-powered attack that pounded an unnamed Cloudflare customer in the financial industry with 17.2 million RPS last month. 

 Mēris – which means “Plague” in Latvian – is a “botnet of a new kind,” according to Russian DDoS mitigation provider Qrator Labs, which revealed details of the attack on Thursday. The DDoS assaults used a method known as HTTP pipelining, which allows a client (such as a web browser) to create a connection to a server and send numerous requests without having to wait for each answer. 

The malicious traffic came from over 250,000 compromised hosts, mostly Mikrotik network devices, with evidence pointing to a variety of RouterOS versions weaponized by exploiting yet unknown vulnerabilities. 

“It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign’s start or sold on the black market,” the researchers noted. “Mēris can overwhelm almost any infrastructure, including some highly robust networks due to the enormous RPS power that it brings along.”

Mēris utilises the SOCKS4 proxy on the infected device, the HTTP pipelining DDoS method, and port 5678 to launch an assault, according to the researchers. The hacked devices, according to the researchers, are linked to MikroTik, a Latvian manufacturer of networking equipment for organisations of various kinds. Ports 2000 and 5678 were open on the majority of the attacker devices. The latter refers to MikroTik equipment, which employs it for the function of neighbour detection (MikroTik Neighbor Discovery Protocol). While MikroTik’s regular service is delivered via the User Datagram Protocol (UDP), hacked devices additionally have an open Transmission Control Protocol (TCP). 

According to Qrator Labs experts, this type of disguise might be one of the reasons devices were hacked without their owners’ knowledge. More than 328,000 hosts replied to a search for open TCP port 5678 on the public internet. However, this number does not include all MikroTik devices, as LinkSys equipment utilises TCP on the same port.