The Russian internet service provider Yandex admitted that it had sustained a Distributed Denial-of-Service (DDoS) attack that temporarily affected its operations. The attack has been described as the largest DDoS attack in the history of the Russian Internet (RuNet). Security experts claim that the attack was carried out using a new botnet tracked as Meris.
RuNet is the Russian internet infrastructure created to provide internet services within the territory of Russia. Also known as the Russian-language Internet, RuNet provides unified country-wide internet and communications services and shields the country from foreign adversaries.
“Yandex did indeed undergo a DDoS attack, which was repelled by our network infrastructure and system for filtering unwanted requests. The attack did not affect the operation of the services, user data was not affected,” Yandex said in a media statement.
Meris Botnet
In a DDoS attack, cybercriminals make a targeted network or service unavailable to its users by flooding it with unwanted incoming traffic from different sources. Joint research from Yandex and Qrator Labs revealed that the power of the DDoS attack was more than 20 million requests per second (RPS), affecting over 30,000 host devices. Yandex observed that the attack on its servers relied on 56,000 attacking hosts, which might have compromised over 250,000 devices.
“We suppose the number to be higher – probably more than 200,000 devices, due to the rotation and absence of will to show the ‘full force’ attacking at once. Moreover, all those being competent devices, not your typical IoT blinker connected to Wi-Fi – here we speak of a botnet consisting of, with the highest probability, devices connected through the Ethernet connection – network devices, primarily,” the research stated.
The DDoS mitigation services provider Cloudflare also mentioned that the attack reached over 17 million requests per second.
Features of Meris Botnet:
- Socks4 proxy at the affected device
- Use of HTTP pipelining technique to launch DDoS attacks
- The DDoS attacks themselves are RPS-based
- Open port 5678 enabled
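The HTTP pipelining feature listed above can be looked for on the defending side. The following is an added example, not code from Yandex or Qrator Labs: it counts how many complete HTTP requests arrive back-to-back in one client read buffer and flags sources whose pipeline depth exceeds a limit. The function names, the depth limit of 4 and the sample buffers are assumptions constructed for illustration.

```python
import re

# Request line of an HTTP/1.x request, e.g. b"GET /path HTTP/1.1"
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]$")

def count_pipelined(buf: bytes) -> int:
    """Return the number of complete HTTP requests queued back-to-back in buf."""
    count, pos = 0, 0
    while True:
        end = buf.find(b"\r\n\r\n", pos)
        if end == -1:
            return count                    # no further complete header block
        head = buf[pos:end].split(b"\r\n")
        if not REQUEST_LINE.match(head[0]):
            return count                    # not a request line: stop counting
        body_len = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                if not value.strip().isdigit():
                    return count            # malformed length: stop counting
                body_len = int(value.strip())
        pos = end + 4 + body_len            # skip header terminator and body
        if pos > len(buf):
            return count                    # body not fully received yet
        count += 1

def flag_connections(reads, max_depth=4):
    """reads: iterable of (client_ip, buffer) pairs.
    Return {client_ip: deepest pipeline seen} for sources above max_depth
    (max_depth is an assumed threshold; tune it against normal traffic)."""
    worst = {}
    for ip, buf in reads:
        depth = count_pipelined(buf)
        if depth > max_depth:
            worst[ip] = max(worst.get(ip, 0), depth)
    return worst

# Constructed sample reads (documentation-range IPs, hypothetical host name).
SAMPLE_READS = [
    ("192.0.2.10", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.7", b"GET /search?q=a HTTP/1.1\r\nHost: example.test\r\n\r\n" * 12),
    ("192.0.2.44", b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 3\r\n\r\nabc"
                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    print(flag_connections(SAMPLE_READS))
```

Pipeline depth is only one signal; it is most useful combined with a per-source request rate, since the attacks described here are measured in RPS.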
Several Meris botnet-based DDoS attacks have been reported, primarily in New Zealand, the U.S., and Russia.
Timeline of Botnet Attacks on Yandex
This is not the first time Yandex has suffered an attack from the Meris botnet. Earlier attacks from the same botnet against Yandex were reported on:
- 2021-08-07 – 5.2 million RPS
- 2021-08-09 – 6.5 million RPS
- 2021-08-29 – 9.6 million RPS
- 2021-08-31 – 10.9 million RPS
- 2021-09-05 – 21.8 million RPS
DDoS Attacks on the Rise
From small businesses to the largest enterprises, organizations in all kinds of industries encounter DDoS attacks once in a while, and these attacks are growing at a rapid pace. The Meris botnet could grow in force to cause even more severe disruptions via various kinds of attacks exploiting the vulnerabilities in the system.
Alexander Lyamin, CEO of Qrator Labs, said, “The victims of these attacks are different, but the perpetrator, apparently, is the same, and he operates a botnet that has recently appeared in the industry. Some industry players have already announced that the Mirai botnet, which made a splash five years ago and was built on the basis of video cameras, has returned. Having devoted the last few weeks to studying the new botnet, we can say that a completely new botnet has appeared and it is built on the network equipment of a very popular vendor from the Baltic States. It spreads through a vulnerability in firmware and already numbers up to hundreds of thousands of infected devices.”