2021: Yandex reveals details of the "largest in history" DDoS attack by the Mēris botnet
On September 9, 2021, Yandex revealed the details of a DDoS attack that the company called "the largest in history." The attack is reported to have been carried out by a new botnet, Mēris ("plague" in Latvian).
According to the Yandex blog on Habr, Yandex and Qrator Labs began to notice signs of "a new attacking force in the global network" at the end of June 2021. The botnet was already of significant size when discovered, tens of thousands of devices, and as of September 9, 2021 its size was still growing rapidly.
According to Yandex, "the full strength of the botnet is not visible due to the rotation of devices and the lack of desire of attackers to show all the available power." This suggests that "the vulnerability was either kept secret before the start of the full-scale campaign, or was sold on the black market."
The attack peaked at almost 22 million RPS (requests per second), a record: no larger attack of this kind was publicly known at the time. The attack, in which the operators tried to overwhelm Yandex's servers with a huge volume of requests and take the service down, began in August 2021, and the record was set a month later. The company provides the following data:
Yandex listed the following features of the Mēris botnet:
- Use of HTTP/1.1 pipelining, i.e. many requests sent back to back on one connection without waiting for responses, to generate the attack traffic (confirmed);
- Attacks built around request rate (RPS) rather than raw traffic volume (confirmed);
- Open port 5678 on the infected devices (confirmed);
- A SOCKS4 proxy on the infected device (not confirmed, although the company noted that MikroTik devices use SOCKS4).
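To make the first feature concrete, here is a constructed demonstration of HTTP/1.1 pipelining, added to this page as an illustration; it is not Yandex's or Qrator Labs' code and not the botnet's. A minimal server on a localhost ephemeral port answers every request it finds in a client's stream, and the client writes the whole burst of GET requests in a single send before reading anything back. The function names, the server's fixed `ok` response and the request count are all assumptions made for the example. The point for a defender is the return value: one TCP connection carries hundreds of requests, so anything that rate-limits per connection rather than per request sees a fraction of the real load.

```python
import socket
import threading

# Constructed HTTP/1.1 pipelining demo (added example, not Yandex/Qrator or
# Meris code): one client connection writes a burst of GET requests before
# reading any response; a minimal server answers each request in order.

RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok"


def serve_one_connection(listener, stats):
    """Accept a single client and answer every request found in its stream."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # client closed the connection: stop
                break
            buf += chunk
            # A GET has no body, so each request ends at the first blank line.
            # Several requests can arrive in one recv(): that is pipelining.
            while b"\r\n\r\n" in buf:
                _request, buf = buf.split(b"\r\n\r\n", 1)
                stats["requests"] += 1
                conn.sendall(RESPONSE)


def count_responses(data):
    """Count complete HTTP/1.1 responses in a byte stream using Content-Length."""
    count = 0
    pos = 0
    while True:
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end == -1:
            return count
        headers = data[pos:head_end].decode("ascii", "replace").lower()
        length = 0
        for line in headers.split("\r\n")[1:]:      # skip the status line
            name, _, value = line.partition(":")
            if name.strip() == "content-length":
                length = int(value.strip())
        body_end = head_end + 4 + length
        if body_end > len(data):
            return count          # truncated response at the tail: not counted
        count += 1
        pos = body_end


def pipelined_burst(n_requests, host="127.0.0.1"):
    """Send n_requests over ONE TCP connection in a single write.

    Returns (requests the server parsed, complete responses the client read).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))                      # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    stats = {"requests": 0}
    server = threading.Thread(target=serve_one_connection, args=(listener, stats))
    server.start()

    request = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")
    received = b""
    with socket.create_connection((host, port)) as client:
        client.sendall(request * n_requests)      # the whole burst, no waiting
        expected = len(RESPONSE) * n_requests
        while len(received) < expected:
            chunk = client.recv(65536)
            if not chunk:
                break
            received += chunk
    server.join()
    listener.close()
    return stats["requests"], count_responses(received)


if __name__ == "__main__":
    parsed, answered = pipelined_burst(500)
    print(f"1 TCP connection carried {parsed} requests; {answered} responses read")
```

Running it prints that a single connection carried 500 requests and got 500 responses. The same observation is why the RPS figure, not bandwidth or connection count, is the meaningful measure of this botnet's attacks.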
The company estimated that Mēris consists of at least 56 thousand infected devices, but suggested that the real number is much larger, more than 200 thousand devices. According to Yandex, the botnet has been used for large DDoS attacks in New Zealand, the USA and Russia.[1]