The Mēris botnet, which was accelerating over the summer of 2021, is now attacking Yandex, the Russian internet giant. The wave of attacks has lasted for a month and has reached an unprecedented 21.8 million requests per second.
The term “Mēris” means plague in Latvian.
Tens of thousands of compromised devices make up this botnet and are the source of its power. Many of the devices are believed to be powerful networking equipment that has been compromised to run DDoS attacks.
This week, Yandex came under the Russian media spotlight after being hit by a powerful DDoS attack. The media went on to describe it as the largest attack in the history of the Russian internet (Ru-Net). Yandex and Qrator Labs, its DDoS protection service partner, discovered this attack.
Yandex's data showed that the attack was carried out from over 30,000 devices. Around 56,000 attacking hosts were responsible for the attack. The researchers, however, believe the number is close to 250,000 compromised devices.
“Yandex’ security team members managed to establish a clear view of the botnet’s internal structure. L2TP tunnels are used for internetwork communications. The number of infected devices, according to the botnet internals we’ve seen, reaches 250 000,” said Qrator Labs.
According to Qrator Labs' blog post, the gap between the size of the attacking force and the total number of infected hosts that form Mēris arises because the administrators do not wish to show off the botnet's full power. The researchers also mentioned that Mēris' compromised hosts are “not your typical IoT blinker connected to WiFi” but highly capable devices that require an Ethernet connection.
As we reported last month, Cloudflare revealed that Mēris was also behind the previous largest attack, which peaked at 17.2 million requests per second.
The researchers also mentioned that many of the compromised devices are MikroTik devices. MikroTik is a Latvian maker of networking equipment for businesses of all sizes.