Friday, June 13, 2025
HomeDDOSMikroTik Shared a Mitigation to Secure Routers From Massive Mēris DDoS Botnet...

MikroTik Shared a Mitigation to Secure Routers From Massive Mēris DDoS Botnet Attack

Published on

SIEM as a Service

Follow Us on Google News

Over the summer the routers that are compromised by the massive Mēris DDoS botnet could be now cleaned, since MikroTik, the Latvian network equipment manufacturer has shared the proper guide and information to do so.

As in recent times, we witnessed that how Yandex was encountering a huge DDoS attack that was conducted by the Mēris botnet. And this attack was designated as the most extensive as well as the most complicated DDoS attack in history till now.

But, Yandex and Qrator Labs reported a large reserve on Habré, on which they have submitted all the key details regarding the attack, and they have also pronounced that what exactly happened during the attack. While the power of this extensive DDoS attack was more than 20 million requests per second.

- Advertisement - Google News

Mitigation Measures

Here’s the list of mitigation measures shared by MikroTik for all its customers, so that they can secure their compromised routers:-

  • Always, keep your MikroTik device updated, with regular upgrades.
  • Do not open access to your device from the internet side to everyone, in case you require remote access, only open reliable VPN services.
  • Always prefer a strong password.
  • Always keep changing your password from time to time. 
  • Don’t trust your local networks, as malware can try to connect to your router in case you have a weak password or no password.
  • Examine your RouterOS configuration for unknown settings.

IoT botnet on steroids

After the investigation, it’s been clear that the Mēris botnet has been behind this attack, and not only this but the botnet was behind two record-breaking volumetric DDoS attacks this particular year.

However, the first attack was mitigated by Cloudflare in August, and it has been asserted that it has reached 17.2 million request-per-second (RPS). 

In the case of the second attack, it was peaked at an unparalleled rate of 21.8 million RPS while striking Russian internet giant Yandex servers earlier this month.

Apart from this, the Mēris is a botnet that is obtained from Mirai malware code, and now they are managing approximately 250,000 devices, and it includes most of the MikroTik network gateways and routers.

History of attacks on Yandex

Here’s the full botnet’s history of attacks on Yandex:-

  • 2021-08-07 – 5.2 million RPS
  • 2021-08-09 – 6.5 million RPS 
  • 2021-08-29 – 9.6 million RPS
  • 2021-08-31 – 10.9 million RPS
  • 2021-09-05 – 21.8 million RPS

Recommended configuration

The security analysts at MikroTik recommended some immediate and important configurations to the users, and here they are mentioned below:-

  • System -> Scheduler rules that administer a Fetch script. Remove these. 
  • IP -> Socks proxy. If you don’t apply this feature or don’t know what it does, you should disable it. 
  • L2TP client entitled “VPN” or any L2TP client that you don’t remember. 
  • Input firewall rule that enables access for port 5678. 

Moreover, MikroTik has attempted to reach all users of RouterOS regarding this, but there are many of them who have never been in touch with MikroTik and are not actively patrolling their devices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Major Outage Hits Google Cloud and Linked Cloudflare Services, Thousands Affected

On June 12, 2025, concurrent infrastructure failures at Cloudflare and Google caused widespread service...

TokenBreak Exploit Tricks AI Models Using Minimal Input Changes

HiddenLayer’s security research team has uncovered TokenBreak, a novel attack technique that bypasses AI...

WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released

A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

New Eleven11bot Hacks 86,000 IP Cameras for Large-Scale DDoS Attack

The newly identified Eleven11bot malware has compromised over 86,000 IP cameras across the Asia-Pacific...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

Europol Dismantles DDoS-for-Hire Network and Arrests Four Administrators

Significant blow to cybercriminal infrastructure, Europol has coordinated an international operation resulting in the...