Posted on September 17, 2021 at 8:11 PM
A Russian internet giant, Yandex, has suffered a series of major Distributed Denial of Service (DDoS) attacks. The attacks ran for several weeks in August and September 2021 and peaked at almost 22 million requests per second (RPS).
Vedomosti, a local publication, first reported the attack, describing it as the largest DDoS attack in history by request rate. The previous record, reported by Cloudflare, a cybersecurity company, was a 17.2 million RPS attack it mitigated earlier in August. Yandex broke that record when it registered 21.8 million RPS on September 5, up from the 5.2 million RPS seen in the first wave on August 7.
The attack is believed to have been carried out with a newly built botnet of network equipment from a Baltic vendor.
No data was compromised
The internet giant struggled to mitigate the attack. It declined to offer further details while an internal review of the incident was still underway, but it confirmed that user data was not affected. Vedomosti's report also stated that the attack posed a threat to national infrastructure.
It is yet to be determined whether the strict measures governing the Russian internet played a role in the firm's resilience. Russia's internet architecture is designed to keep the national network running if it is cut off from the global internet, and it gives the Kremlin a central point of control.
Yandex has stated that a new botnet named Meris caused the attack. The claim was also supported by Qrator Labs, Yandex’s DDoS protection provider.
Meris is a name that translates to “plague” in Latvian. Meris is a DDoS botnet initially estimated at around 30,000 compromised devices. Yandex's data on the attack shows that around 56,000 compromised hosts took part, which has prompted experts to believe that the Meris botnet could comprise as many as 250,000 devices.
Qrator Labs published a blog post stating that the full extent of the Meris botnet was still unclear. This is not the first time Meris has been used: it has previously launched DDoS attacks against financial firms in the US, UK, Russia and New Zealand.
The botnet's operators have also sent extortion emails demanding a ransom and threatening further DDoS attacks against organizations that cannot tolerate any downtime.
Saryu Nayyar, the CEO at Gurucul, stated that “Companies that are vulnerable to DDoS attacks can counter them through measures like maintaining alternative DNS locations and detecting attacks early so they can be mitigated. Using risk analysis tools can enable organizations to identify such attacks immediately and counter them before they completely close down the web presence.”
Meris Botnet Built from Compromised MikroTik Devices
Researchers also noted that Meris is made up of high-capacity devices with Ethernet connections rather than low-end IoT hardware. The botnet uses HTTP pipelining, sending many requests over a single TCP connection without waiting for responses, which multiplies the request rate each connection can deliver; the attack traffic is routed through a SOCKS4 proxy running on each compromised device. The aim is to exhaust the target's request-handling capacity with sheer request volume rather than to saturate its bandwidth.
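To make the pipelining point concrete, the following added example (not code from Yandex, Qrator Labs or the Meris operators) splits a single TCP read into the HTTP/1.1 requests it carries and flags a connection whose first read holds a deep pipeline. It assumes plain HTTP/1.1 with Content-Length bodies (chunked encoding is not handled); the sample payload and the threshold of four requests are constructed for the illustration.

```python
"""Counting pipelined HTTP/1.1 requests in a single TCP payload.

Added illustration; not code from Yandex, Qrator Labs or the Meris botnet.
It assumes the attack traffic is plain HTTP/1.1 with pipelining, as the
article describes, and that request bodies, when present, carry a
Content-Length header (chunked bodies are not handled). The sample payload
is constructed.
"""
import re
from typing import List

HEADER_END = b"\r\n\r\n"
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def split_pipelined_requests(payload: bytes) -> List[bytes]:
    """Split one TCP payload into the HTTP/1.1 requests it carries.

    A pipelining client writes request after request without waiting for a
    response, so a single read from the socket can hold many of them. Each
    request is a header block ending in CRLFCRLF plus a body of
    Content-Length bytes (zero if the header is absent). A trailing,
    truncated request is left out of the result.
    """
    requests: List[bytes] = []
    pos = 0
    while pos < len(payload):
        end = payload.find(HEADER_END, pos)
        if end == -1:
            break  # incomplete header block at the tail
        header_block = payload[pos:end]
        lines = header_block.split(b"\r\n")
        if not REQUEST_LINE.match(lines[0]):
            raise ValueError(f"not an HTTP request line: {lines[0]!r}")
        body_len = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())
        next_pos = end + len(HEADER_END) + body_len
        if next_pos > len(payload):
            break  # body truncated at the tail
        requests.append(payload[pos:next_pos])
        pos = next_pos
    return requests


def pipelining_depth(payload: bytes) -> int:
    """Number of complete requests the client sent before waiting for a reply."""
    return len(split_pipelined_requests(payload))


def looks_like_pipelining_abuse(payload: bytes, max_depth: int = 4) -> bool:
    """Flag a connection whose first read carries more than max_depth requests.

    Mainstream browsers do not pipeline, so a deep pipeline on one connection
    is a useful signal. max_depth is an assumed threshold; tune it to the
    clients you actually see.
    """
    return pipelining_depth(payload) > max_depth


def build_sample_payload(count: int, host: bytes = b"example.test") -> bytes:
    """Constructed sample: `count` GET requests pipelined on one connection,
    followed by one POST with a body to exercise Content-Length handling."""
    reqs = [b"GET /?q=%d HTTP/1.1\r\nHost: %s\r\n\r\n" % (i, host)
            for i in range(count)]
    body = b'{"k":"v"}'
    reqs.append(b"POST /api HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n%s"
                % (host, len(body), body))
    return b"".join(reqs)


if __name__ == "__main__":
    sample = build_sample_payload(7)
    print("requests in one read:", pipelining_depth(sample))   # 8
    print("flagged:", looks_like_pipelining_abuse(sample))      # True
```

Run against payloads reassembled from a capture, this shows why per-connection rate limits and a cap on outstanding pipelined requests matter more than connection counts when the attacker's per-connection request rate is the problem.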
Experts state that the compromised devices are mainly those with open ports 2000 and 5678. MikroTik uses port 5678 for its Neighbor Discovery Protocol (MNDP) and port 2000 for its bandwidth-test server. MNDP normally listens on UDP only, but the affected devices also had TCP port 5678 open.
Commenting on this, Qrator stated that, “Although Mikrotik uses UDP for its standard service on port 5678, an open TCP port is detected on compromised devices – This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners.”
Around 328,000 internet-facing hosts have port 5678 open. The port is not unique to MikroTik, however: Linksys devices have also used TCP port 5678, so an open port alone does not identify a compromised router.
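The following added example (not code from Qrator Labs, Yandex or MikroTik) turns the indicator above into a small probe: it checks whether TCP 5678 and TCP 2000 accept connections on a host and reports the TCP-5678 anomaly as the suspicious finding. It assumes you are authorised to probe the host, that a healthy MikroTik device answers MNDP on UDP only, and that the bandwidth-test server on port 2000 should not be reachable from the internet; the verdict is a heuristic, not proof of compromise.

```python
"""Probing for the TCP-5678 anomaly seen on Meris-compromised MikroTik routers.

Added illustration; not code from Qrator Labs, Yandex or MikroTik. It assumes
you may probe the host (only scan equipment you own or are authorised to
test) and that, as the article states, MNDP on 5678 is UDP-only on a healthy
device while port 2000 belongs to the bandwidth-test server. The assessment
is a heuristic, not a proof of compromise.
"""
import socket
from typing import Dict, List, Set

PORT_NOTES = {
    5678: "MNDP: expected on UDP only; a TCP listener here is the Meris sign",
    2000: "bandwidth-test server: should not be reachable from the internet",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out or unreachable
            return False


def assess_exposure(open_tcp_ports: Set[int]) -> Dict[str, object]:
    """Turn a set of open TCP ports into a verdict plus the reasons for it."""
    reasons: List[str] = [PORT_NOTES[p] for p in sorted(open_tcp_ports)
                          if p in PORT_NOTES]
    return {
        "suspicious": 5678 in open_tcp_ports,       # the disguise Qrator described
        "exposed_management": 2000 in open_tcp_ports,
        "reasons": reasons,
    }


def scan_host(host: str, timeout: float = 1.0) -> Dict[str, object]:
    """Probe the two ports on one host and assess the result."""
    open_tcp = {p for p in PORT_NOTES if tcp_port_open(host, p, timeout)}
    return assess_exposure(open_tcp)


def self_check() -> Dict[str, bool]:
    """Offline check of tcp_port_open against a throwaway local listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port)
    return {"open_while_listening": while_listening,
            "open_after_close": after_close}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(scan_host(target))
```

A TCP hit on 5678 should trigger a look at the device itself (unexpected SOCKS proxy, scheduler or script entries) rather than be treated as a conviction, since the port is shared with other vendors' equipment.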
For its part, MikroTik stated that it was not aware of any new vulnerability behind the attack. It acknowledged that many of its devices still run outdated RouterOS firmware vulnerable to CVE-2018-14847, which was patched in 2018, and warned that upgrading alone does not remove an attacker's configuration from a device compromised earlier, so operators should also change credentials and check for unexpected SOCKS proxy, scheduler and script entries.
However, Yandex stated that the compromised devices also included MikroTik routers running the newer firmware versions 6.48.3 and 6.48.4. Cloudflare has added that Meris appears to derive from earlier versions of the Mirai DDoS malware, which was used for bandwidth-exhaustion attacks.
Speaking on ways to mitigate such attacks, Bill Lawrence, the CISO at SecurityGate, stated that, “While ransomware attacks have stolen headlines recently, those (and DDoS) are included in proposed legislation to drive up cyber security reporting by critical infrastructure owners and operators to CISA (the Cybersecurity and Infrastructure Security Agency) within DHS.”