Future Crimes

Largest ever botnet DDOS attack continues to grow in 2021 and attack new targets

A huge international botnet is expanding across IoT (Internet of Things) infrastructure. The botnet appears to be concentrated among devices made by Latvian router manufacturer MikroTik, although not all of the vulnerabilities that have led to devices becoming infected are yet known. Qrator named the botnet “Mēris”, which is the Latvian word for plague.

Largest ever botnet DDOS attack

GNTL cryptocurrency and mining pool operator BKDilse explains how he spotted a massive attack on Thursday morning starting at 9:05 GMT, with multiple attacks from multiple IPs (DDoS) blocking the common subnets on the GNTL Monero mining pool. The attack flooded the connection and killed the firewall and router. According to BKDilse, “The router managed to survive for about twenty minutes before closing the connection and killing the firewall-router system.”

The botnet is still growing rapidly, and the targets of the attack seem to be expanding. It has been reported to be the largest attack on Russian networks and Yandex ever, starting with a 5.2 million RPS (requests per second) attack in early August, with the size of the attack growing to 21.8 million RPS in early September. However, the initial reports also show attacks from this botnet on networks outside of Russia.

Cloudflare reported a massive attack targeting one of its customers in the financial services industry in July, followed by attacks on a major telecommunications company and a games company. Germany, too, reported that nearly a million customers were experiencing outages from attacks against their routers in August.

The botnet likely relies heavily on the ever-expanding IoT (Internet of Things) infrastructure, which has grown from the first internet-connected refrigerator in 200 to 6.4 billion devices in 2016 to about 21.5 billion devices in 2021, creating more opportunities for botnets to infect and exploit vulnerable or unsecured devices.

Qrator reports the following specific features of the Mēris botnet:

  • Socks4 proxy at the affected device (unconfirmed, although MikroTik devices use socks4)
  • Use of HTTP pipelining (http/1.1) technique for DDoS attacks (confirmed)
  • Making the DDoS attacks themselves RPS-based (confirmed)
  • Open port 5678 (confirmed)

The DDoS attack uses HTTP pipelining, which allows a client to send multiple HTTP requests within one connection without waiting for the corresponding responses. This is typically used to reduce network load by sending all the requests at once without needing to wait for each individual response, but in this case it has been weaponised to overwhelm the connection, so that all other traffic is blocked by the attack.
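On the defending side, pipelining is visible as several complete requests arriving on a connection before the server has written any response. The following is an added example, not code from Qrator, MikroTik or this article: it counts that pipeline depth per connection and flags deep pipelines. The function names, the threshold of 4 and the sample traffic are assumptions made for illustration.

```python
import re

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def count_pipelined_requests(buf: bytes) -> int:
    """Count complete HTTP/1.x requests sitting back-to-back in one buffer.

    buf is what a client sent before the server wrote any response,
    so a result above 1 means the client pipelined.
    """
    count, pos = 0, 0
    while True:
        head_end = buf.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete header block: stop counting
        lines = buf[pos:head_end].split(b"\r\n")
        if not REQUEST_LINE.match(lines[0]):
            break  # not an HTTP request line: do not guess
        body_len = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            value = value.strip()
            if name.strip().lower() == b"content-length" and value.isdigit():
                body_len = int(value)
        nxt = head_end + 4 + body_len
        if nxt > len(buf):
            break  # body not fully received yet
        pos = nxt
        count += 1
    return count

def flag_deep_pipelines(conns: dict, max_depth: int = 4) -> dict:
    """Return {connection: depth} where depth exceeds max_depth (assumed limit)."""
    depths = {c: count_pipelined_requests(b) for c, b in conns.items()}
    return {c: d for c, d in depths.items() if d > max_depth}

# Constructed sample data, not captured traffic (documentation address ranges).
GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = {
    ("198.51.100.7", 40112): GET,                      # single request
    ("198.51.100.9", 40980): GET + POST + GET,         # mild pipelining
    ("203.0.113.20", 51234): GET * 40,                 # 40 before any response
    ("203.0.113.21", 51300): GET * 2 + b"GET /x HTTP/1.1\r\nHo",  # partial tail
}

if __name__ == "__main__":
    for conn, depth in flag_deep_pipelines(SAMPLE).items():
        print(conn, depth)
```

The same depth figure can drive a per-connection limit at a reverse proxy or feed a detection rule, since ordinary browsers rarely pipeline at all.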

MikroTik reports that patching router vulnerabilities may still leave routers open to attack if passwords have been compromised. Operators must ensure that their password has been changed, that firewalls do not allow remote access, and that unidentified scripts are removed. More information is available on MikroTik’s blog.

Ian MacRae is a work psychologist and author of six books including Dark Social: Understanding the darker side of work, personality and social media (Bloomsbury) which will be published November 11, 2021.


Ian MacRae
