Source of attacks ‘almost entirely composed of Mikrotik devices’

Meris botnet emerges to mount 'largest ever' DDoS attack

A new botnet malware is spreading across the internet – and according to new research, it might have already infected 200,000 devices.

Called Meris, the botnet is reminiscent of Mirai, the IoT botnet that wreaked havoc in 2016, though it has unique characteristics too, reveals research from DDoS mitigation company Qrator Labs.

In recent days Meris has struck security publication KrebsOnSecurity and Yandex with what the Russian tech giant described as the biggest Distributed Denial-of-Service (DDoS) attack in history.


Meris is currently targeting devices made by MikroTik, a Latvian manufacturer of network routers.

“We do not know precisely what particular vulnerabilities led to the situation where MikroTik devices are being compromised on such a large scale,” Qrator Labs wrote in a blog post that details the botnet.

Though the researchers said it could be due to “some vulnerability that was either kept secret before the massive campaign’s start or sold on the black market”.

Alexander Lyamin, CEO at Qrator Labs, told The Daily Swig: “We see here a pretty substantial attacking force – dozens of thousands of host devices – growing.

“Separately, Qrator Labs saw the 30,000 host devices in actual numbers through several attacks, and Yandex collected the data of about 56,000 attacking hosts.”

RELATED What is DDoS? A complete guide

“However, we suppose the number to be higher – probably more than 200,000 devices, due to the rotation and absence of will to show the ‘full force’ attacking at once,” added Lyamin.

In a statement published on Friday, MikroTik said that the devices were likely compromised via a vulnerability that was patched in 2018.

“Unfortunately, closing the vulnerability does not immediately protect these routers,” MikroTik said. “If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”

Overwhelming capacity

According to Qrator Labs, Meris has conducted devastating attacks against targets in New Zealand, the US, and Russia. Due to its capacity for very large requests per second (RPS), Meris can overwhelm almost any infrastructure including highly robust networks, the researchers warn.

Qrator Labs said the Meri attacks against Yandex peaked at 21.8 million RPS.

Catch up on the latest DDoS attack news and analysis

Cloudflare, which recently reported another huge DDoS attack, corroborated Qrator’s findings.

“We can confirm that the source of the 17.2M RPS attack we saw previously was almost entirely composed of MikroTik devices running open SOCKS proxies, and utilized HTTP pipelining,” Patrick Donahue, director of product at Cloudflare, told The Daily Swig.

Donahue said that unlike the Mirai botnet, the new botnet consists of a smaller number of compromised, high-resource network infrastructure devices that are used to proxy attack traffic originating from cloud VPS instances.

“We continue to see daily attacks from this botnet,” he said.

Donahue warned that proxying attack traffic makes it easier for the attackers to generate high volumes of L7 (application layer) attack traffic using powerful cloud servers, and makes it harder to figure out where the attack traffic is being generated from.

HTTP pipelining

According to Qrator, the botnet is exploiting ‘HTTP pipelining’, a feature that allows clients to send requests to web servers in batches without waiting for individual responses.

“HTTP pipelining is what allows this botnet to achieve such an astonishingly high numbers in RPS, and at the same time it makes detection and mitigation of attacks much easier since we know only one web browser using this feature,” Lyamin said.

However, even when a pipelining attack is detected and blocked, a full batch of HTTP requests will remain in the target server’s pipeline. The rise of Meris is a reminder of the complexity and continual evolution of DDoS attacks.

“DDoS is a real, actual, ever-evolving risk for any internet business,” Lyamin said.

“Have a mitigation plan in place. Update it frequently. If you were ready for the previous generation of bandwidth-based attacks, it doesn’t mean that you’re ready for the application layer, proven by all the victims of Meris.”

RECOMMENDED Nation-state threat: How DDoS-over-TCP technique could amplify attacks