KrebsonSecurity and Yandex Both Hit by Monster Botnet “Mēris”
- By Dawna M. Roberts
- Published: Oct 01, 2021
- Last Updated: Mar 18, 2022
Both KrebsonSecurity and Yandex (Russian search engine) were hit hard by a monster IoT botnet called Mēris. Experts are calling it a record-breaking distributed denial-of-service (DDoS) attack.
What Happened?
The Hacker News explained what happened to Yandex,
“The botnet is believed to have pummeled the company’s web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that came to light last month, bombarding an unnamed Cloudflare customer in the financial industry with 17.2 million RPS.”
Experts are calling the attack on Yandex the Titanic of all attacks, carried out “by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second.”
Russian threat assessors are calling this new menace Mēris, meaning plague. Qrator Labs is concerned and commented that,
“It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign’s start or sold on the black market,” the researchers noted, adding Mēris “can overwhelm almost any infrastructure, including some highly robust networks […] due to the enormous RPS power that it brings along.”
On Thursday, KrebsonSecurity suffered a thankfully minor attack from the same botnet. KrebsonSecurity is no stranger to malicious attacks, suffering a four-day outage in 2016 after being hit by a Mirai DDoS attack. KrebsonSecurity explains, “The traffic deluge from Thursday’s attack on this site was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests per second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second.”
How Was Mēris Created?
The lead threat assessors looking into Mēris are from Qrator, a Russian DDoS mitigation service. They are now working with Yandex to mitigate the damage caused by the incident. They claim that most of the IoT devices that make up this monster are internet routers made by MikroTik. Unfortunately, most of the routers reside in the U.S. and China.
The operating systems (OS) for compromised devices range from very old to current, up-to-date systems.
KrebsonSecurity explains,
“It’s fitting that Meris would rear its head on the five-year anniversary of the emergence of Mirai, an Internet of Things (IoT) botnet strain that was engineered to out-compete all other IoT botnet strains at the time. Mirai was extremely successful at crowding out this competition and quickly grew to infect tens of thousands of IoT devices made by dozens of manufacturers.”
How to Protect Yourself from DDoS Attacks
KrebsonSecurity commented that the hackers successfully joined compromised devices to these massive botnets because consumers often purchase white-label IoT products that were not designed with security in mind.
However, the good news is that many hosting providers and website platforms have improved their security with a better ability to handle these types of attacks. KrebsonSecurity is a good example. Back in 2016, they were crippled for four days, and their site went down after the Mirai attack. The attack on Thursday was quickly mitigated, and they are up and running without any service disruption. Additionally, platforms such as Google and Cloudflare have significantly beefed up their security and ability to withstand attacks of this magnitude.
The best way companies and even individuals can protect themselves is by purchasing high-quality IoT devices with a reputation for privacy and security. Adding a VPN to your router is another way to protect your IoT devices from intrusion and compromise. Even if the price is right, pass on products you don’t know from vendors you haven’t heard about.