Friday, December 20, 2024
HomeDDOSMikroTik Shared a Mitigation to Secure Routers From Massive Mēris DDoS Botnet...

MikroTik Shared a Mitigation to Secure Routers From Massive Mēris DDoS Botnet Attack

Published on

SIEM as a Service

Over the summer the routers that are compromised by the massive Mēris DDoS botnet could be now cleaned, since MikroTik, the Latvian network equipment manufacturer has shared the proper guide and information to do so.

As in recent times, we witnessed that how Yandex was encountering a huge DDoS attack that was conducted by the Mēris botnet. And this attack was designated as the most extensive as well as the most complicated DDoS attack in history till now.

But, Yandex and Qrator Labs reported a large reserve on Habré, on which they have submitted all the key details regarding the attack, and they have also pronounced that what exactly happened during the attack. While the power of this extensive DDoS attack was more than 20 million requests per second.

- Advertisement - SIEM as a Service

Mitigation Measures

Here’s the list of mitigation measures shared by MikroTik for all its customers, so that they can secure their compromised routers:-

  • Always, keep your MikroTik device updated, with regular upgrades.
  • Do not open access to your device from the internet side to everyone, in case you require remote access, only open reliable VPN services.
  • Always prefer a strong password.
  • Always keep changing your password from time to time. 
  • Don’t trust your local networks, as malware can try to connect to your router in case you have a weak password or no password.
  • Examine your RouterOS configuration for unknown settings.

IoT botnet on steroids

After the investigation, it’s been clear that the Mēris botnet has been behind this attack, and not only this but the botnet was behind two record-breaking volumetric DDoS attacks this particular year.

However, the first attack was mitigated by Cloudflare in August, and it has been asserted that it has reached 17.2 million request-per-second (RPS). 

In the case of the second attack, it was peaked at an unparalleled rate of 21.8 million RPS while striking Russian internet giant Yandex servers earlier this month.

Apart from this, the Mēris is a botnet that is obtained from Mirai malware code, and now they are managing approximately 250,000 devices, and it includes most of the MikroTik network gateways and routers.

History of attacks on Yandex

Here’s the full botnet’s history of attacks on Yandex:-

  • 2021-08-07 – 5.2 million RPS
  • 2021-08-09 – 6.5 million RPS 
  • 2021-08-29 – 9.6 million RPS
  • 2021-08-31 – 10.9 million RPS
  • 2021-09-05 – 21.8 million RPS

Recommended configuration

The security analysts at MikroTik recommended some immediate and important configurations to the users, and here they are mentioned below:-

  • System -> Scheduler rules that administer a Fetch script. Remove these. 
  • IP -> Socks proxy. If you don’t apply this feature or don’t know what it does, you should disable it. 
  • L2TP client entitled “VPN” or any L2TP client that you don’t remember. 
  • Input firewall rule that enables access for port 5678. 

Moreover, MikroTik has attempted to reach all users of RouterOS regarding this, but there are many of them who have never been in touch with MikroTik and are not actively patrolling their devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across...

Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Attackers are exploiting publicly exposed Docker Remote API servers to deploy Gafgyt malware by...