Russian internet giant Yandex has been the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Mēris.
The botnet is believed to have pummeled the company’s web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that came to light last month, bombarding an unnamed Cloudflare customer in the financial industry with 17.2 million RPS.
Russian DDoS mitigation service Qrator Labs, which disclosed details of the attack on Thursday, called Mēris — meaning “Plague” in the Latvian language — a “botnet of a new kind.”
“It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign’s start or sold on the black market,” the researchers noted, adding Mēris “can overwhelm almost any infrastructure, including some highly robust networks […] due to the enormous RPS power that it brings along.”
The DDoS attacks leveraged a technique called HTTP pipelining that allows a client (i.e., a web browser) to open a connection to the server and make multiple requests without waiting for each response. The malicious traffic originated from over 250,000 infected hosts, primarily network devices from Mikrotik, with evidence pointing to a spectrum of RouterOS versions that have been weaponized by exploiting as-yet-unknown vulnerabilities.
But in a forum post, the Latvian network equipment manufacturer said these attacks employ the same set of routers that were compromised via a 2018 vulnerability (CVE-2018-14847, CVSS score: 9.1) that has since been patched and that there are no new (zero-day) vulnerabilities impacting the devices.
“Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create,” it noted.
Mēris has also been linked to a number of DDoS attacks, including that mitigated by Cloudflare, noting the overlaps in “durations and distributions across countries.”
While it’s highly recommended to upgrade MikroTik devices to the latest firmware to combat any potential botnet attacks, organizations are also advised to change their administration passwords to safeguard against brute-force attempts.