Inside The New Meris Botnet

    There’s a new cyber threat in town, and it may be the worst of its kind since 2016’s Mirai, a piece of malware that transformed thousands of Linux devices into remote-control bots for massive network attacks.

    Like Mirai, Meris refers to large-scale botnet malware that has been used to carry out some devastating cyber attacks. Although Meris only recently emerged, it’s already infected around a quarter of a million devices, the majority of them networking devices made by the Latvian company MikroTik. It has been used for some of the largest DDoS (Distributed Denial of Service) attacks in history, targeting victims in the United States, Russia, and New Zealand.

    The largest of these attacks, tipping the scale at an astronomical 21.8 million RPS (requests per second), was aimed at Yandex, a search engine considered Russia’s answer to Google. The attack flooded Yandex with an enormous number of simultaneous HTTP requests using a DDoS technique referred to as HTTP pipelining, designed to overwhelm online services and make them impossible to access.

    In HTTP pipelining, a client such as a browser is made to send massive numbers of HTTP requests for webpages over a connection back to back, without pausing to wait for each response.
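
    A defender-side illustration of the pipelining behaviour described above, as an added example that is not part of the original article: it counts how many complete HTTP/1.x requests sit back to back in one connection's receive buffer and flags the connection when that depth exceeds a limit. The threshold, function names and sample buffers are assumptions constructed for illustration.

```python
# Added example (not from the article): measure HTTP/1.x pipelining depth.
# Limitation: bodies are sized by Content-Length only; chunked encoding is not handled.
MAX_PIPELINE_DEPTH = 8  # assumed policy threshold, tune per service


def split_pipelined_requests(buf: bytes):
    """Return ([(method, target), ...], leftover_bytes) for one receive buffer."""
    requests, pos = [], 0
    while True:
        head_end = buf.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # no complete header block left
        lines = buf[pos:head_end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            raise ValueError("malformed request line: %r" % lines[0])
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                if not value.strip().isdigit():
                    raise ValueError("bad Content-Length")
                length = int(value.strip())
        body_start = head_end + 4
        if len(buf) < body_start + length:
            break  # body still in flight; keep these bytes as leftover
        requests.append((parts[0], parts[1]))
        pos = body_start + length
    return requests, buf[pos:]


def check_connection(buf: bytes, limit: int = MAX_PIPELINE_DEPTH) -> dict:
    """Flag a connection whose buffer holds more back-to-back requests than limit."""
    requests, leftover = split_pipelined_requests(buf)
    return {"depth": len(requests), "flagged": len(requests) > limit,
            "leftover": len(leftover)}


# Constructed sample buffers (example.test is a placeholder host).
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\n\r\na=1&b=2"
NORMAL = GET + POST + b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n" + b"GET /par"
FLOOD = GET * 50

if __name__ == "__main__":
    print(check_connection(NORMAL))
    print(check_connection(FLOOD))
```

    The POST body is skipped by its Content-Length, so body bytes are never miscounted as extra requests, and a partially received request stays in the leftover until the rest arrives.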

    The Meris attack

    Meris tapped into security vulnerabilities that exist in unpatched MikroTik hardware. Although the vulnerability was actually plugged back in 2018, not everyone updates their firmware rapidly enough (or, perhaps, at all) in order to safeguard against this vulnerability being exploited. That allows attacks like this to proliferate.

    A DDoS attack, the broad category of attack to which HTTP pipelining belongs, encompasses multiple different strategies. But first of all, what is DDoS? Simply put, what unifies the different forms of attack is the goal of knocking online services or websites offline by bombarding them with large amounts of fraudulent traffic. This is equivalent to directing large numbers of cars down a residential street. While such a street could accommodate traffic up to a certain point, at a critical juncture it would grind to a gridlocked halt. This would make it inaccessible to those who wanted to use the infrastructure for legitimate reasons.

    Botnets such as the one in the Meris attack make DDoS incidents possible on a once-unimaginable scale because they allow attackers to seize control of internet-connected devices and to use these as, in essence, “sleeper agents” to be activated whenever required. The rightful owners of these malware-infected routers and Internet of Things (IoT) devices may never even realize what’s happening, perhaps only occasionally experiencing unaccountably impaired performance from one of their devices.

    Protect yourself

    Protecting against Meris is something that many organizations will be keen to do right now amid the wave of horror stories regarding attacks. Fortunately, there is a way to keep MikroTik networks safe, even when they use devices like the routers being targeted by the malware. 

    Users should start by ensuring that their device, commonly a router, is updated to the latest firmware available, and make it a priority to update regularly going forward. They should also follow the best-practice step of disabling remote access to this device unless it is a necessity and, even then, use a VPN channel to protect it. In addition, they should ensure that they use strong passwords containing a mixture of symbols, letters, digits, and upper and lower case. These, too, should be changed regularly.

    This is all smart advice to avoid being swept up in the Meris botnet. However, there is also the challenge of being targeted by a DDoS attack, which none of these steps would protect against. Any organization should take proactive steps to safeguard this area as well. Fortunately, the tools are there to help defend against being the victim of a DDoS attack. 

    One powerful defense is the Web Application Firewall (WAF), which functions by blocking bad traffic while continuing to allow filtered traffic to pass through to its chosen destination. This means stopping bad actors in their tracks but letting legitimate customers operate as normal without a problem. Organizations should also take steps to protect themselves against big volumetric attacks using scrubbing centers that are able to cope with high-volume flood attacks without faltering.

    The future of DDoS

    DDoS attacks are not going away. Attacks are becoming more frequent (partly due to the lower barrier to entry, as seen with botnets-for-hire), larger, and longer-lasting. This poses a major threat to organizations. In some cases, DDoS attackers may use the threat of attacks to extort money from targets. In an age in which the world relies, more than ever, on connected infrastructure for everything from work to entertainment to education, the threat of DDoS attacks is only going to get worse, which is, of course, exactly why attackers know they’re so effective.

    Protecting against them should be an urgent priority for every organization. And that goes for Meris and beyond.


