Largest ever botnet DDOS attack continues to grow in 2021

A huge international botnet is expanding across IoT (Internet of Things) infrastructure. The botnet appears to be concentrated among devices made by Latvian router manufacturer MikroTik, although not all of the vulnerabilities that have led to devices becoming infected are yet known. Qrator named the botnet “Mēris”, which is the Latvian word for plague.

Largest ever botnet DDOS attack

GNTL cryptocurrency and mining pool operator BKDilse explains how he spotted a massive attack on Thursday morning starting at 9:05 GMT, with multiple attacks from multiple IPs (DDoS) blocking the common subnets on the GNTL Monero mining pool. The attack flooded the connection and killed the firewall and router. According to BKDilse, “The router managed to survive for about twenty minutes before closing the connection and killing the firewall-router system.”

The botnet is still growing rapidly, and the targets of the attack seem to be expanding. It has been reported to be the largest attack on Russian networks and Yandex ever, starting with a 5.2 million RPS (requests per second) attack in early August, with the size of the attack growing to 21.8 million RPS in early September. However, the initial reports also show attacks from this botnet on networks outside of Russia.

Cloudflare reported a massive attack targeting one of their customers in the financial services industry in July, then on a major telecommunications company and a games company. Germany, too, reported that nearly a million customers were experiencing outages from attacks against their routers in August.

The botnet likely relies heavily on the ever-expanding IoT (Internet of Things) infrastructure, which has grown from the first internet-connected refrigerator in 200 to 6.4 billion devices in 2016 and about 21.5 billion devices in 2021, creating more opportunities for botnets to infect and exploit vulnerable or unsecured devices.

Qrator reports that the specific features of the Mēris botnet are:

  • Socks4 proxy at the affected device (unconfirmed, although MikroTik devices use socks4)
  • Use of HTTP pipelining (http/1.1) technique for DDoS attacks (confirmed)
  • Making the DDoS attacks themselves RPS-based (confirmed)
  • Open port 5678 (confirmed)

The DDoS attack uses HTTP pipelining, which allows a client to send multiple HTTP requests over a single connection without waiting for the corresponding responses. This is normally used to reduce latency and network load by sending all the requests at once rather than waiting for each individual response, but here it has been weaponised to overwhelm the connection, so that all other traffic is blocked by the attack.
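Because the pipelining depth per connection is one of the Mēris traits Qrator lists, a defender can measure it directly from captured client-to-server bytes. The following is an added example written for this article, not code from Qrator, MikroTik or the pool operator: it splits one HTTP/1.1 client stream into individual requests (honouring Content-Length, stopping on chunked bodies it cannot frame) and flags a connection whose pipelining depth exceeds a threshold. The sample streams and the threshold value of 8 are constructed assumptions for illustration.

```python
"""Measure HTTP/1.1 pipelining depth on one client->server stream.

Added example for this article. All names and sample data are constructed;
nothing here is taken from the botnet or from any vendor's code.
"""
from typing import Dict, List

HEADER_END = b"\r\n\r\n"


def split_requests(stream: bytes) -> List[Dict[str, object]]:
    """Split a raw client->server byte stream into complete HTTP/1.1 requests.

    Each element carries 'method', 'target', 'headers' and 'body'.
    Parsing stops at the first incomplete or unframeable request, so a
    trailing partial request is simply not counted.
    """
    requests: List[Dict[str, object]] = []
    pos = 0
    while True:
        end = stream.find(HEADER_END, pos)
        if end == -1:
            break  # no complete header block left
        head = stream[pos:end].decode("latin-1")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            break  # not a request line; do not guess at the framing
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "chunked" in headers.get("transfer-encoding", "").lower():
            break  # chunked bodies are not framed by this small parser
        try:
            body_len = int(headers.get("content-length", "0") or 0)
        except ValueError:
            break  # malformed Content-Length; stop rather than misframe
        body_start = end + len(HEADER_END)
        body = stream[body_start:body_start + body_len]
        if len(body) < body_len:
            break  # body truncated; request is incomplete
        requests.append({
            "method": parts[0],
            "target": parts[1],
            "headers": headers,
            "body": body,
        })
        pos = body_start + body_len
    return requests


def pipelining_depth(stream: bytes) -> int:
    """Number of complete requests the client sent on this connection.

    On a pure client->server capture this equals the pipelining depth,
    since every request was written without waiting for a response.
    """
    return len(split_requests(stream))


def flag_connection(stream: bytes, max_depth: int = 8) -> bool:
    """True when the connection pipelines more requests than max_depth.

    The default of 8 is an assumed tuning value; browsers and ordinary
    clients rarely pipeline at all, so a high depth stands out.
    """
    return pipelining_depth(stream) > max_depth


# Constructed sample: a benign session, a GET followed by a small POST.
NORMAL_STREAM = (
    b"GET / HTTP/1.1\r\nHost: pool.example.test\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: pool.example.test\r\n"
    b"Content-Length: 3\r\n\r\na=1"
)

# Constructed sample: fifty GETs written back to back with no response read.
FLOOD_STREAM = b"".join(
    b"GET /%d HTTP/1.1\r\nHost: pool.example.test\r\n\r\n" % i
    for i in range(50)
)

if __name__ == "__main__":
    for label, stream in (("normal", NORMAL_STREAM), ("flood", FLOOD_STREAM)):
        print(label, pipelining_depth(stream), flag_connection(stream))
```

Run as a script it prints the depth and verdict for both samples; in practice the same function would be fed the client half of a reassembled TCP stream from a packet capture, and the threshold tuned to what the protected service's legitimate clients actually do.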

MikroTik reports that patching router vulnerabilities may still leave routers open to attack if passwords have already been compromised: operators must ensure that passwords have been changed, that firewalls do not allow remote access, and that any unidentified scripts have been removed. More information is available on MikroTik’s blog.

Ian MacRae is a work psychologist and author of six books including Dark Social: Understanding the darker side of work, personality and social media (Bloomsbury) which will be published November 11, 2021.



More about Irish Tech News

Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.




This news is republished from another source. You can check the original article here
