Friday, September 10, 2021

MikroTik-based botnet on the rise - being used for DDoS

Devices in the botnet are apparently running the latest stable version too. Some excerpts from Qrator's blog post:

"In the last couple of weeks, we have seen devastating attacks towards New Zealand, United States and Russia, which we all attribute to this botnet species. Now it can overwhelm almost any infrastructure, including some highly robust networks. All this is due to the enormous RPS power that it brings along."

Specific features of Mēris botnet:

  • Socks4 proxy at the affected device (unconfirmed, although Mikrotik devices use socks4)
  • Use of HTTP pipelining (http/1.1) technique for DDoS attacks (confirmed)
  • Making the DDoS attacks themselves RPS-based (confirmed)
  • Open port 5678 (confirmed)
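
A defender-side check for the HTTP pipelining feature listed above, as an added example that is not from this post or from Qrator's write-up: it reassembles each connection's client bytes and reports how many complete HTTP/1.x requests arrived with no server bytes in between. The event tuples, function names and sample traffic are constructed for illustration, and treating any server data as a full reply is a simplifying assumption.

```python
import re
from collections import defaultdict

REQ_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")  # e.g. b"GET / HTTP/1.1"

def count_requests(buf):
    """Return (complete HTTP/1.x requests in buf, unparsed remainder)."""
    count = 0
    while True:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            return count, buf              # head incomplete: wait for more data
        lines = head.split(b"\r\n")
        if not REQ_LINE.match(lines[0]):
            return count, b""              # not HTTP/1.x: drop the buffer
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        if len(rest) < length:
            return count, buf              # body incomplete: wait for more data
        count, buf = count + 1, rest[length:]

def max_burst(events):
    """events: ordered (conn_id, direction, payload), direction "c" or "s".
    Returns {conn_id: most requests sent with no server bytes in between}."""
    pending, outstanding, burst = defaultdict(bytes), defaultdict(int), defaultdict(int)
    for conn, direction, payload in events:
        if direction == "s":
            outstanding[conn] = 0          # simplification: any reply resets the run
            continue
        n, pending[conn] = count_requests(pending[conn] + payload)
        outstanding[conn] += n
        burst[conn] = max(burst[conn], outstanding[conn])
    return dict(burst)

def flag_pipelining(events, threshold=2):
    """Connection ids whose request burst reaches the threshold."""
    return sorted(c for c, n in max_burst(events).items() if n >= threshold)

# Constructed sample: A is ordinary keep-alive, B pipelines three requests
# (split across TCP segments, one with a body) before any reply arrives.
SAMPLE = [
    ("A", "c", b"GET / HTTP/1.1\r\nHost: h.test\r\n\r\n"),
    ("A", "s", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("A", "c", b"GET /a HTTP/1.1\r\nHost: h.test\r\n\r\n"),
    ("B", "c", b"GET /1 HTTP/1.1\r\nHost: h.test\r\n\r\nGET /2 HTTP/1.1\r\nHost: h"),
    ("B", "c", b".test\r\n\r\nPOST /3 HTTP/1.1\r\nHost: h.test\r\nContent-Length: 2\r\n\r\nhi"),
]
```

Calling `flag_pipelining(SAMPLE)` returns the connections worth a closer look; a burst of 1 is what a client that waits for each response produces.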

More info:

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

Cloudflare blog on an attack:

https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/


