A joint study by Qrator Labs, a Russian security company, and the search company Yandex points to the existence of a botnet called Mēris, which brought large-scale DDoS attacks back in 2021, five years after those of 2016.
According to the study, there had been virtually no application-layer attacks worldwide in the preceding five years. This is not because botnets had become harmless; rather, over those five years they shifted to network-layer attacks. Tens of thousands of host devices have been confirmed since June 2021, when the new botnet, Mēris, was first observed. The devices are used in rotation, and because the botnet has never attacked with its full strength at once the overall picture is unclear, but it appears to include more than 200,000 devices.
Some have described this botnet as the return of the Mirai botnet, which carried out a record-breaking DDoS attack in 2016, but Qrator Labs takes a rather negative view of that comparison. One reason is that the botnet is made up solely of devices from MikroTik, a Latvian network equipment manufacturer. For that reason the botnet was named Mēris, which means plague in Latvian.
What has been confirmed about the Mēris botnet is that it uses HTTP pipelining for its DDoS attacks. The attacks themselves are RPS-based, and port 5678 is open on the compromised devices. Reportedly, DDoS attacks to date have been bandwidth attacks measured in bps, flooding the target with junk traffic. An RPS attack instead sends an enormous number of requests to the target server so that it exhausts its resources processing them and eventually crashes. Before the DDoS attacks of summer 2021, RPS-based attacks of this size had not been seen.
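An added example (not from the article or from the researchers it cites) of the distinction drawn above: a small Python script that buckets access-log lines per source and per second, then labels each source as pressuring request processing (RPS) or link bandwidth (bps). The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client ip, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+)$')

# Constructed sample log (not real traffic): an ordinary client, a client pulling
# large files, and a source issuing many tiny requests within one second, which
# is the trace an HTTP-pipelining RPS flood leaves in a server log.
_LEGIT = [
    '203.0.113.10 - - [05/Sep/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 51200',
    '203.0.113.10 - - [05/Sep/2021:12:00:01 +0000] "GET /logo.png HTTP/1.1" 200 204800',
]
_BULK = ['203.0.113.20 - - [05/Sep/2021:12:00:00 +0000] "GET /big.iso HTTP/1.1" 200 2000000'] * 3
_PIPELINED = ['198.51.100.7 - - [05/Sep/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 312'] * 40
SAMPLE_LOG = "\n".join(_LEGIT + _BULK + _PIPELINED)


def peak_rates(log_text):
    """Return {source_ip: (peak_requests_per_second, peak_bits_per_second)},
    bucketing by the log timestamp at one-second resolution."""
    per_second = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ip, stamp, size = m.group(1), m.group(2), int(m.group(3))
        per_second[ip][stamp][0] += 1
        per_second[ip][stamp][1] += size * 8
    return {ip: (max(b[0] for b in secs.values()), max(b[1] for b in secs.values()))
            for ip, secs in per_second.items()}


def classify(peak_rps, peak_bps, rps_limit=20, bps_limit=8_000_000):
    """Label a source by the resource it pressures. The thresholds are assumed
    values for illustration; tune them to the capacity of the protected server."""
    if peak_rps > rps_limit:
        return "rps-flood"        # many requests, little data: the pattern described above
    if peak_bps > bps_limit:
        return "bandwidth-flood"  # few requests, lots of data
    return "normal"


def report(log_text):
    """Map every source in the log to its classification."""
    return {ip: classify(*rates) for ip, rates in peak_rates(log_text).items()}


if __name__ == "__main__":
    for ip, label in report(SAMPLE_LOG).items():
        print(ip, label)
```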
It is not known which vulnerability in MikroTik products is being exploited, but many of the compromise reports on the forum involve router operating system version 6.40.1, released in 2017. On the other hand, the data collected by Yandex shows that relatively new versions are also being compromised.
Looking at the distribution of operating system versions among the compromised routers shown by Qrator Labs, the latest stable version was 6.48.4, while the version before it was 6.48.3.
Qrator Labs believes that the large-scale DDoS attacks that hit several countries in early summer 2021, including the 17.2 million requests per second attack detected by Cloudflare, were carried out by the Mēris botnet. With its enormous RPS, the Mēris botnet is said to be able to overwhelm even powerful infrastructure.
The 17.2 million requests per second observed by Cloudflare was itself unprecedented, but according to Yandex, the attack it received on September 5, 2021 was larger, at 21.8 million requests per second. Analysis of the attack on Yandex found that the attack sources had both port 2000 and port 5678 open. Port 5678 is used over UDP by the MikroTik discovery protocol, but the compromised devices were reportedly using TCP.
Based on this, Qrator Labs surveyed hosts with TCP port 5678 open and found 328,723 active hosts on the Internet.
According to Qrator Labs, 139,930 of the devices in question (42.6%) were in the US, 61,994 (18.9%) in China, and 9,244 (2.8%) in Brazil. Qrator Labs disclosed these results to MikroTik, noting that network devices should always be kept on the latest firmware. Related information can be found here.