
Russian Internet Giant Yandex Wards off the Largest Botnet DDoS Attack in History

The Russian internet giant Yandex experienced an extreme Distributed Denial of Service (DDoS) attack over several days in August and September. The attack, recorded at about 22 million requests per second (RPS), is believed to be the largest DDoS attack in the history of the internet, according to the Russian publication Vedomosti.

Cyber security company Cloudflare confirmed the attack, adding that the worst volumetric DDoS attack it had ever recorded was 17.2 million RPS. However, the Yandex DDoS attack broke this record, reaching 21.8 million RPS on Sep 5, up from 5.2 million on Aug 7.

The attack was attributed to a new botnet leveraging network equipment from a vendor located in the Baltic region.

No data was compromised in the Yandex DDoS attack

Yandex had a difficult moment warding off the attack, according to Vedomosti quoting internal sources. Although the company declined to provide more information because of an ongoing internal audit, user data and services were not affected. The Russian publication, however, described the attack as a threat to national infrastructure.

It’s difficult to determine if the unique design of the Russian Internet was responsible for resiliency. The segment was designed to withstand global internet shutdown and provide a centralized control point for the Kremlin.

Meris botnet responsible for the Yandex DDoS attack

Yandex and its DDoS protection provider Qrator Labs said that a new botnet called Meris was responsible for the DDoS attack.

Meris, translating to “plague” in Latvian, is a DDoS botnet consisting of at least 30,000 compromised devices.

However, data collected from Yandex servers shows that the recent Yandex DDoS attack involved more than 56,000 hosts. Experts believe that the number of devices infected with the Meris botnet could reach 250,000.

Qrator Labs, however, said in a blog post that the full power of the Meris botnet was still unknown.

This is hardly the first time that the botnet was deployed. It was used in DDoS extortion campaigns against financial institutions in the U.S., U.K., Russia, and New Zealand. The botnet operators sent emails demanding ransom, threatening massive DDoS attacks on organizations that can’t afford any downtime.

“DDOS remains an unsophisticated but popular way of preventing access to select Web destinations,” said Saryu Nayyar, CEO at Gurucul.

“Companies that are vulnerable to DDOS attacks can counter them through measures like maintaining alternative DNS locations and detecting attacks early so they can be mitigated. Using risk analysis tools can enable organizations to identify such attacks immediately and counter them before they completely close down the web presence.”

Meris botnet exploits MikroTik devices

The researchers noted that the Meris botnet was not made up of “your typical IoT blinker” but of highly capable devices that require an Ethernet connection.

They added that the botnet uses the HTTP pipelining DDoS attack technique and requires a SOCKS4 proxy and port 5678. Meris botnet executes application-layer or volumetric DDoS attacks to overwhelm server resources, eventually crashing them. Most of the exploited devices had ports 2000 and 5678 open.

MikroTik devices, manufactured by a Latvian company, use port 5678 for the MikroTik Neighbor Discovery Protocol. The researchers also discovered that although MikroTik devices provide this service over the User Datagram Protocol (UDP), the compromised devices had an open Transmission Control Protocol (TCP) port.

“Although Mikrotik uses UDP for its standard service on port 5678, an open TCP port is detected on compromised devices,” Qrator wrote. “This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners.”

An internet search for open port 5678 returned at least 328,000 devices. However, the port was not exclusive to MikroTik devices as Linksys used the same port for TCP transmission.
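The port observations above can be turned into a triage check for devices you administer. This is an added example, not code from Qrator Labs or Yandex; the CSV inventory format, the sample rows and the verdict labels are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

MNDP_PORT = 5678    # MikroTik Neighbor Discovery Protocol, normally UDP only
SECOND_PORT = 2000  # also open on most of the exploited devices, per the article

# Constructed inventory of listening sockets on your own devices
# (hypothetical format; addresses are from a documentation range).
SAMPLE_INVENTORY = """\
host,vendor,proto,port
192.0.2.10,MikroTik,udp,5678
192.0.2.10,MikroTik,tcp,22
192.0.2.11,MikroTik,udp,5678
192.0.2.11,MikroTik,tcp,5678
192.0.2.11,MikroTik,tcp,2000
192.0.2.12,MikroTik,tcp,5678
192.0.2.20,Linksys,tcp,5678
"""

def load_listeners(text):
    """Group (proto, port) pairs by host and remember each host's vendor."""
    listeners, vendors = defaultdict(set), {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip()
        vendors[host] = row["vendor"].strip()
        listeners[host].add((row["proto"].strip().lower(), int(row["port"])))
    return listeners, vendors

def classify(sockets, vendor):
    """Return a triage verdict for one host's listening sockets."""
    if ("tcp", MNDP_PORT) not in sockets:
        return "ok"                # UDP/5678 alone is the standard service
    if vendor.lower() != "mikrotik":
        return "review"            # TCP/5678 is not exclusive to MikroTik
    if ("tcp", SECOND_PORT) in sockets:
        return "investigate-high"  # both ports the article associates with Meris
    return "investigate"           # TCP listener where only UDP is expected

def audit(text):
    listeners, vendors = load_listeners(text)
    return {host: classify(s, vendors[host]) for host, s in sorted(listeners.items())}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {verdict}")
```

A verdict other than "ok" is a prompt to inspect the device, not proof of compromise.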

MikroTik says it was unaware of any vulnerability leading to the DDoS attack. However, it admitted that most of its devices run outdated firmware with the widely exploited CVE-2018-14847 vulnerability, which was patched in Apr 2018.

Yandex says the attack also originated from MikroTik devices running newer firmware, including 6.48.3 and 6.48.4. Cloudflare says that the Meris botnet, despite its reliance on volumetric attacks, was customized from old versions of the Mirai DDoS malware responsible for bandwidth attacks.

“It will be interesting to see how big this distributed denial of service attack turns out to be, relative to the attacks seen in the West,” said Bill Lawrence, CISO at SecurityGate. “While ransomware attacks have stolen headlines recently, those (and DDoS) are included in proposed legislation to drive up cyber security reporting by critical infrastructure owners and operators to CISA (the Cybersecurity and Infrastructure Security Agency) within DHS. Hopefully, that will have a positive damping effect on DDoS attacks in the US.”