What we Learned from the Biggest DDoS Attack to Date: 22 Million Requests Per Second

What we Learned from the Biggest DDoS Attack to Date: 22 Million Requests Per Second

Russian internet giant Yandex recently announced that it was hit by a record-breaking distributed denial-of-service (DDoS) attack.

“Our experts did manage to repel a record attack of nearly 22 million requests per second,” Yandex said in a statement. “This is the biggest known attack in the history of the internet.”

Mēris Botnet

In the blog post “Mēris botnet, climbing to the record,” DDoS mitigation service Qrator Lab reported that from August 7 to September 5 of this year, it recorded 5 DDoS attacks at Yandex from a botnet dubbed as "Mēris," which means "Plague" in the Latvian language. The five DDoS attacks at Yandex, Qrator Lab said, started from 5.2 million requests per second (RPS) and culminated at 21.8 million RPS.

In a DDoS attack, multiple internet-connected computers are operating as one to attack a particular target. In launching a DDoS attack, attackers often use a botnet – a group of hijacked internet-connected computers and controlled by attackers to conduct malicious activities such as DDoS attacks.

In a DDoS attack, the hijacked internet-connected computers are also attacked victims. The use of hijacked internet-connected computers results in exponentially increasing the attack power via voluminous requests sent to the target, and resulting in the initial hiding of the true source of the attack.

According to Qrator Lab, the number of infected internet-connected computers reached 250,000, and these infected internet-connected computers or devices come from only one manufacturer: Mikrotik, a Latvian network equipment manufacturer.

Qrator Lab added that the Mēris botnet used the HTTP pipelining technique in launching the DDoS attacks. “Requests pipelining (in HTTP 1.1) is the primary source of trouble for anyone who meets that particular botnet,” Qrator Lab said. “Because of the request pipelining technique, attackers could squeeze much more RPS than botnets usually do. It happened because traditional mitigation measures would, of course, block the source IP. However, some requests (about 10-20) left in the buffers are processed even after the IP is blocked.”

Based on the botnet’s attacking sources (IP addresses), Qrator Lab said that 10.9% came from Brazil, 10.9% from Indonesia, 5.9% from India, 5.2% from Bangladesh, 3.6 from Russia, and 3.3% from the United States.

In the last couple of weeks, Qrator Lab said that it has observed devastating DDoS attacks towards New Zealand, United States and Russia, which is attributed to the Mēris botnet species. “Now it can overwhelm almost any infrastructure, including some highly robust networks,” Qrator Lab said. “All this is due to the enormous RPS power that it brings along.”

Mirai Botnet

Prior to the DDoS attack at Yandex, the record-breaking DDoS attack was launched by a powerful botnet, targeting a Cloudflare customer in the financial industry. The attack reached 17.2 million requests per second.

According to Cloudflare, the said DDoS attack came from more than 20,000 bots in 125 countries around the world. Based on the botnet’s attacking sources (IP addresses), almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined.

Cloudflare said the attack was launched via a Mirai botnet. The botnet Mirai, which means “future” in Japanese, was first discovered in 2016. The Mirai botnet infects Linux-operated devices such as security cameras and routers. This botnet infects Linux-operated devices such as security cameras and routers by brute forcing known credentials such as factory default usernames and passwords. Succeeding variants of the Mirai botnet took advantage of zero-day exploits.

According to Qrator Lab researchers, they haven’t seen the malicious code, and as such, they aren’t ready to tell yet if it’s somehow related to the Mirai botnet family or not.

Preventative measures against DDoS attacks

In order to prevent your organization’s internet-connected computers or devices from being hijacked as part of a botnet, it’s important to follow these cybersecurity best practices:

• Keep these computers or devices up to date
• Use strong passwords and regularly change these passwords
• Use firewall to prevent remote access to unknown parties

According to MikroTik, Mēris botnet compromised the same routers that were compromised in 2018 via a known security vulnerability that was quickly patched. The 2018 vulnerability that was referred to is CVE-2018-14847, a MikroTik RouterOS security vulnerability that allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

“Unfortunately, closing the vulnerability does not immediately protect these routers,” MikroTik said. “If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”

DDoS attacks, even volumetric attacks, can now be prevented autonomously, without human intervention.