MikroTik Shared a Mitigation to Secure Routers From Massive Mēris DDoS Botnet Attack

Over the summer the routers that are compromised by the massive Mēris DDoS botnet could be now cleaned, since MikroTik, the Latvian network equipment manufacturer has shared the proper guide and information to do so.

As in recent times, we witnessed that how Yandex was encountering a huge DDoS attack that was conducted by the Mēris botnet. And this attack was designated as the most extensive as well as the most complicated DDoS attack in history till now.

But, Yandex and Qrator Labs reported a large reserve on Habré, on which they have submitted all the key details regarding the attack, and they have also pronounced that what exactly happened during the attack. While the power of this extensive DDoS attack was more than 20 million requests per second.

Mitigation Measures

Here’s the list of mitigation measures shared by MikroTik for all its customers, so that they can secure their compromised routers:-

  • Always, keep your MikroTik device updated, with regular upgrades.
  • Do not open access to your device from the internet side to everyone, in case you require remote access, only open reliable VPN services.
  • Always prefer a strong password.
  • Always keep changing your password from time to time. 
  • Don’t trust your local networks, as malware can try to connect to your router in case you have a weak password or no password.
  • Examine your RouterOS configuration for unknown settings.

IoT botnet on steroids

After the investigation, it’s been clear that the Mēris botnet has been behind this attack, and not only this but the botnet was behind two record-breaking volumetric DDoS attacks this particular year.

However, the first attack was mitigated by Cloudflare in August, and it has been asserted that it has reached 17.2 million request-per-second (RPS). 

In the case of the second attack, it was peaked at an unparalleled rate of 21.8 million RPS while striking Russian internet giant Yandex servers earlier this month.

Apart from this, the Mēris is a botnet that is obtained from Mirai malware code, and now they are managing approximately 250,000 devices, and it includes most of the MikroTik network gateways and routers.

History of attacks on Yandex

Here’s the full botnet’s history of attacks on Yandex:-

  • 2021-08-07 – 5.2 million RPS
  • 2021-08-09 – 6.5 million RPS 
  • 2021-08-29 – 9.6 million RPS
  • 2021-08-31 – 10.9 million RPS
  • 2021-09-05 – 21.8 million RPS

Recommended configuration

The security analysts at MikroTik recommended some immediate and important configurations to the users, and here they are mentioned below:-

  • System -> Scheduler rules that administer a Fetch script. Remove these. 
  • IP -> Socks proxy. If you don’t apply this feature or don’t know what it does, you should disable it. 
  • L2TP client entitled “VPN” or any L2TP client that you don’t remember. 
  • Input firewall rule that enables access for port 5678. 

Moreover, MikroTik has attempted to reach all users of RouterOS regarding this, but there are many of them who have never been in touch with MikroTik and are not actively patrolling their devices.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Posted by Charlie