A website stresser or booter is a DDoS-for-hire service that allows hackers with little experience and few resources to nevertheless mount devastating attacks against a target. Sophisticated website stressers are set up as software as a service (SaaS) offerings complete with free trials, video tutorials, email support, and subscription-based packages with pricing as low as $20 a month.
The Meris botnet is an incredibly powerful botnet operation that broke records in 2021 and 2022 for the size of the DDoS attacks it conducted. Meris was also notable for the number of infected devices it controlled (an estimated 250,000 routers) and for the volume of requests it could send — up to 46 million requests per second (RPS) in a 2022 attack on Google.
What is a botnet?
The term botnet is short for “robot network,” a group of computers or devices that have been infected with malicious software (malware) that allows them to be controlled by threat actors. Botnets may contain tens of thousands of devices that can be used to launch coordinated cyberattacks. Common uses for botnets include sending spam, stealing credit card information, engaging in click fraud campaigns, and generating enormous amounts of malicious traffic for DDoS attacks.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is designed to flood a machine or network with malicious traffic, making it unable to handle legitimate requests and rendering its services inaccessible to legitimate users. DDoS attacks frequently target a company’s website, web applications, APIs, network, data center, or DNS infrastructure. Hackers may conduct DDoS attacks in order to extort a business, to distract security teams away from other forms of cyberattacks, to seek revenge, to make a political statement, or purely for entertainment.
How does the Meris botnet work?
The Meris DDoS botnet exploits a vulnerability in the operating system (RouterOS) of routers made by the Latvian company MikroTik, which also produces Wi-Fi access points, IoT gateways, switches, and other equipment. “Meris” is the Latvian word for plague.
To carry out DDoS attacks, Meris focuses on volumetric attacks at the application layer (Layer 7). The botnet sends an enormous number of requests per second (RPS) to a target server in order to exhaust its CPU and memory capacity. With more than 250,000 routers under its control, the botnet can easily launch multi-terabit-sized volumetric DDoS attacks that can break all records for the size of an attack.
Experts believe that attackers can proxy requests from other devices to the infected routers to conceal the origin of the attack. The Meris botnet also uses HTTP pipelining, which allows a single connection to transmit multiple requests without needing to wait for a server to send a response, helping to boost the RPS of the botnet.
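The two traffic characteristics described above, an abnormally high per-source request rate and HTTP pipelining (many requests queued on one connection before any response has come back), are both visible to a defender in request-level logs. The following Python script is an added example, not code from the original article or from Akamai; it runs over a small constructed event log and flags sources that trip either signal. The log format, the client addresses, the connection ids and the thresholds are all assumptions made for the example.

```python
"""Triage of Layer 7 (HTTP) flood traffic over a constructed event log.

Two signals are scored per source: a request rate no browser would
produce, and pipelining depth (requests queued on one connection before
the server has answered any of them).  Thresholds are illustrative.
"""
from collections import defaultdict, deque

# Constructed sample, one event per line: "<seconds> <client_ip> <conn_id> <REQ|RESP>".
# 198.51.100.7 pipelines six requests per connection; 203.0.113.5 is an ordinary client.
SAMPLE_EVENTS = """\
0.00 203.0.113.5 c2 REQ
0.00 198.51.100.7 c1 REQ
0.01 198.51.100.7 c1 REQ
0.02 198.51.100.7 c1 REQ
0.03 198.51.100.7 c1 REQ
0.04 198.51.100.7 c1 REQ
0.05 198.51.100.7 c1 REQ
0.10 198.51.100.7 c1 RESP
0.20 203.0.113.5 c2 RESP
0.30 198.51.100.7 c5 REQ
0.31 198.51.100.7 c5 REQ
0.32 198.51.100.7 c5 REQ
0.33 198.51.100.7 c5 REQ
0.34 198.51.100.7 c5 REQ
0.35 198.51.100.7 c5 REQ
0.40 198.51.100.7 c5 RESP
0.50 203.0.113.5 c2 REQ
0.70 203.0.113.5 c2 RESP
1.30 203.0.113.5 c2 REQ
1.50 203.0.113.5 c2 RESP
"""

RATE_THRESHOLD = 10      # peak requests per source in a 1 s window (illustrative value)
PIPELINE_THRESHOLD = 4   # outstanding requests on one connection (illustrative value)


def parse_events(text):
    """Parse log lines into (time, ip, conn, kind) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, conn, kind = line.split()
        events.append((float(ts), ip, conn, kind))
    return sorted(events, key=lambda e: e[0])


def max_outstanding_per_conn(events):
    """Return {conn: (ip, max_depth)}: the deepest request queue seen on each connection."""
    depth = defaultdict(int)
    peak = {}
    for _, ip, conn, kind in events:
        if kind == "REQ":
            depth[conn] += 1
        elif kind == "RESP":
            depth[conn] = max(0, depth[conn] - 1)
        prev = peak.get(conn, (ip, 0))[1]
        peak[conn] = (ip, max(prev, depth[conn]))
    return peak


def peak_rps_per_source(events, window=1.0):
    """Return {ip: peak number of requests seen in any sliding window of `window` seconds}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for t, ip, _, kind in events:
        if kind != "REQ":
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] >= window:      # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def triage(text, rate_threshold=RATE_THRESHOLD, pipeline_threshold=PIPELINE_THRESHOLD):
    """Return {ip: [reasons]} for every source that trips the rate or the pipelining signal."""
    events = parse_events(text)
    findings = defaultdict(list)
    for ip, rps in peak_rps_per_source(events).items():
        if rps >= rate_threshold:
            findings[ip].append(f"peak {rps} req/s >= {rate_threshold}")
    for conn, (ip, depth) in max_outstanding_per_conn(events).items():
        if depth >= pipeline_threshold:
            findings[ip].append(f"{depth} requests pipelined on {conn}")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_EVENTS).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample only 198.51.100.7 is reported: 12 requests inside one second and a queue depth of 6 on each of its connections, while the ordinary client never exceeds 2 requests per second or one outstanding request. In practice the rate threshold has to be set per endpoint from a baseline, and the pipelining signal needs request and response events correlated per connection, which a load balancer or reverse proxy access log can usually provide.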
To build a more powerful botnet, Meris is believed to have abused a since-patched vulnerability in MikroTik devices (CVE-2018-14847) and reconfigured the operating system used by MikroTik routers to allow remote access. The attack succeeded even on some patched MikroTik routers, because applying the patch alone was not enough: to keep a router from becoming part of the botnet, security teams also needed to change its password and update its firewall rules.
How powerful is the Meris botnet?
In 2021, researchers estimated that the Meris botnet comprised more than 250,000 devices, and that an additional 40,000+ devices were still exposed to the vulnerability. The size of the Meris botnet enables it to penetrate massive networks, such as internet service providers (ISPs).
With 250,000+ devices, the maximum capacity of Meris could be a record-breaking 110 million requests per second. In comparison, the previous largest measured DDoS attack in history only had roughly 20% of the capabilities of Meris.
The Meris botnet has surpassed one of the most notorious botnets, Mirai, which infected hundreds of thousands of IoT devices. However, Mirai was limited by the small amount of computational power and limited networking capabilities of the IoT devices. In contrast, Meris uses an army of routers with much more processing power and better data transfer capabilities than IoT devices. The technology behind the Meris botnet suggests that its hackers have access to considerable processing power and high-speed Ethernet, making Meris a far more potent threat to organizations that are not protected by cloud-based DDoS mitigation.
What companies have been targeted?
The Meris botnet has been used to target a broad range of companies. A large number of attacks have been directed at businesses in the banking, financial services, and insurance (BFSI) industry. Notable attacks include:
- An attack on Krebs on Security that reached over 2 million RPS
- Suspected attacks on the search engine Yandex
- A suspected attack on cloud company Cloudflare, which recorded 17.2 million RPS
- A suspected attack in June 2022 against Google that ramped up from 100,000 RPS to 46 million RPS within one hour, which made it the largest Layer 7 DDoS attack reported in history
How can companies defend against the Meris botnet?
To protect against the Meris botnet and other DDoS attacks, security teams can deploy multiple layers of cybersecurity protection, including a DNS firewall, API protection, a web application firewall and comprehensive DDoS protection solutions with dedicated defense capacity to block attacks at the very edge of an organization’s network before the attacks cause any damage. Security solutions should include protection for websites, applications, APIs, DNS infrastructure (including authoritative DNS nameservers, GSLB, etc.), and network infrastructure.
A powerful DDoS protection solution should offer a thorough approach that uses dedicated defense capacity, automated mitigation workflows, a combination of machine and human intelligence, and the flexibility of being deployed on-premises, in the cloud, or in a hybrid model for comprehensive and effective DDoS protection.
Frequently Asked Questions (FAQ)
A botnet, or robot network, is a network of computers infected by malware that allows cybercriminals to control them. The person controlling the botnet is called a “bot herder” and each infected machine is called a bot. Botnets may comprise computers, servers, Internet of Things (IoT) devices, and other types of machines.
To launch botnet attacks, a bot herder sends commands to bots from a command and control server, directing the bots to perform actions like scanning other machines for vulnerabilities, delivering malware, spreading ransomware, mining for cryptocurrency, making purchases for ticket scalping outfits, sending out phishing and spam emails, or offering website stresser services.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.