
A new denial-of-service botnet hit the Russian Internet giant Yandex, the attack peaking at the phenomenal rate of 21.8 million requests per second. 

  • A massive DDoS attack hit Yandex this week. 
  • The attack began in August and reached a record peak on September 5. 
  • The Mēris botnet is composed of more than 200,000 devices.


It is the largest DDoS attack ever recorded against Runet, the Russian-language segment of the Internet and its websites, and Yandex was the target. 

Alexander Lyamin, CEO of Qrator Labs, a Yandex partner that delivers DDoS protection, disclosed that the attack was launched by a new DDoS botnet, tracked as Mēris (the Latvian word for plague).

According to a joint investigation by Yandex and Qrator Labs, the Mēris botnet is composed of more than 200,000 devices.

The researchers note that the compromised hosts in Mēris are “not your typical IoT blinker connected to WiFi” but capable devices that require an Ethernet connection.

Similarities between the attack against Yandex and one blocked by Cloudflare led experts to believe that both were powered by the Mēris botnet. The DDoS attack against Yandex on September 5 peaked at 21.8 million RPS.

“Although Mikrotik uses UDP for its standard service on port 5678, an open TCP port is detected on compromised devices. This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners. Based on this intel, we decided to probe the TCP port 5678 with the help of Qrator.Radar,” reads the post.

The researchers discovered 328,000 active hosts on the Internet replying to the TCP probe on port 5678; however, Linksys equipment also runs a TCP service on the same port, so not every responding host is a MikroTik device.
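The TCP/5678 indicator above is easy to turn into a check of your own router inventory. The following script is an added example, not code from the article or from Yandex/Qrator: it assumes a constructed list of (host, vendor) pairs for devices you administer, probes TCP 5678 concurrently, and flags only MikroTik hosts with a TCP listener (RouterOS neighbor discovery normally uses UDP), while treating Linksys hosts as expected.

```python
# Added example (not from the article or from Yandex/Qrator): triage your own
# router inventory for the TCP/5678 indicator. RouterOS neighbor discovery speaks
# UDP on 5678, so a TCP listener on a MikroTik device is the anomaly to
# investigate; Linksys gear uses TCP 5678 by design and is not flagged.
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Tuple

ProbeFn = Callable[[str, int], bool]

def tcp_port_open(host: str, port: int = 5678, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(vendor: str, tcp_open: bool) -> str:
    """Map (vendor, probe result) to a triage verdict string."""
    if not tcp_open:
        return "clean"
    v = vendor.lower()
    if v == "mikrotik":
        return "FLAG: TCP/5678 open on MikroTik (UDP expected) - investigate"
    if v == "linksys":
        return "expected: Linksys uses TCP/5678 by design"
    return "review: unknown vendor with TCP/5678 open"

def triage(inventory: Iterable[Tuple[str, str]], probe: ProbeFn = tcp_port_open,
           workers: int = 16) -> Dict[str, str]:
    """Probe each (host, vendor) pair concurrently; return host -> verdict.
    `probe` is injectable so the logic can be exercised without network access."""
    items = list(inventory)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hv: probe(hv[0], 5678), items))
    return {host: classify(vendor, is_open)
            for (host, vendor), is_open in zip(items, results)}

if __name__ == "__main__":
    # Constructed inventory of your own devices (RFC 1918 placeholder addresses).
    fleet = [("10.0.0.1", "MikroTik"), ("10.0.0.2", "MikroTik"),
             ("10.0.0.3", "Linksys")]
    for host, verdict in triage(fleet).items():
        print(f"{host:15} {verdict}")
```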

The botnet’s history of attacks on Yandex began in early August with a strike of 5.2 million RPS and kept increasing in strength:

  • August 7 - 5.2 million RPS
  • August 9 - 6.5 million RPS 
  • August 29 - 9.6 million RPS
  • August 31 - 10.9 million RPS
  • September 5 - 21.8 million RPS

The Mēris botnet appears to use a SOCKS4 proxy on the affected device (unconfirmed, although MikroTik devices do support SOCKS4) and HTTP/1.1 pipelining to generate the flood of requests.
