Recently, it has been reported that Yandex was experiencing a massive DDoS attack from the Mēris botnet. this attack was denominated as the most comprehensive in the history of a DDoS attack, however, the key details are not yet cleared.
However, Yandex and Qrator Labs issued a large provision on Habré, on which they have yielded the details of what exactly happened, as per the study this DDoS attack power was more than 20 million requests per second, and the Mēris botnet was behind this attack.
Features of Mēris botnet
There are some special features that have been published by Yandex and Qrator regarding this DDoS attack, and here we have mentioned them below:-
- Socks4 proxy at the affected device (unconfirmed, although Mikrotik devices use socks4)
- Use of HTTP pipelining (http/1.1) method for DDoS attacks (confirmed)
- Making the DDoS attacks themselves RPS-based (confirmed)
- Open port 5678 (confirmed)
Comprehensive and robust botnet
Russian media broke when news about a huge DDoS attack hitting Yandex appeared. It is been described as the largest attack in the history of the Russian internet, therefore it was given the name of “RuNet.”
According to the recent details, which emerged in joint research from Yandex it has been pronounced that they are providing DDoS protection services. There were several attacks, out of which information was collected by the new Meris botnet and it showed a force of more than 30,000 devices.
The data that has been collected by Yandex, observed that the assaults on its servers relied on 56,000 attacking hosts. However, 2,50,000 compromised devices may have been seen during the indication by the security experts.
Countries with active hosts
|Country||Hosts||% of global|
|United States of America||139930||42.6%|
Botnet’s history of attacks on Yandex
Here’s the history of attacks on Yandex:-
- 2021-08-07 – 5.2 million RPS
- 2021-08-09 – 6.5 million RPS
- 2021-08-29 – 9.6 million RPS
- 2021-08-31 – 10.9 million RPS
- 2021-09-05 – 21.8 million RPS
What to do in such a situation?
Blacklist still exists, therefore those attacks are not spoofed, hence, the victim sees the attack origin just the way it is. To not disturb the possible end-user and thwart the attack, blocking would be sufficient.
Nobody knows how the owners of the Meris botnet would act in the future. But, there is a fair probability that they could be taking advantage of the compromise devices by making the hundred percent of their capacity.
In such cases, the only way other than blocking every request is to prevent the answering of the pipelined requests. Although, pipelining could be turned into a disaster if there is no DDoS attack mitigation at the targeted server.
The threat actors need less workforce to fill the RPS threshold for the victim and it turns out that many were not ready for such a situation.