Introduction

Modern cybersecurity is constantly evolving and practitioners share their experience, so most of today's specialists can respond skillfully to almost any DDoS attack against a company. Unfortunately, unpredictable situations still occur when a previously unknown threat appears, and hope rests with the specialists who must find a solution so that the company keeps operating and the disruption does not reach the end user, who cares little about the causes but a great deal about the stability of the company.

This month has brought cybersecurity professionals a new subject to research. A new record was set for the power of a DDoS attack: 21.8 million requests per second. The previous record, 17.2 million requests per second, is also attributed to the same new threat, which was given a Latvian name meaning “Plague” because “MikroTik” devices, made by a Latvian vendor, took part in the attacks.

“Meris”, the new botnet, is also possibly behind the attacks on the New Zealand government this summer and the attacks on Russian banks a few days ago. There is also an as yet unconfirmed hypothesis that “Meris” is related to “Mirai”, which turns five years old this year.

How does it work?

According to experts from “Qrator Labs” and from “Yandex”, the company that suffered the most powerful attack seen in recent years, the attackers may have more than two hundred thousand devices at their disposal, and this figure is expected to grow over time, possibly through brute-force compromise of further devices. It is also known that the attacks involve high-performance “IoT devices” connected via Ethernet, i.e. network devices.

They also have special characteristics:

  • SOCKS4 proxy on the affected device (unconfirmed, although “MikroTik” devices use SOCKS4)
  • Use of the HTTP pipelining (HTTP/1.1) technique for the DDoS attacks (confirmed)
  • The DDoS attacks themselves are RPS-based (confirmed)
  • Open port 5678 (confirmed)

The technique the new botnet uses for its attacks is “HTTP pipelining”, a feature of HTTP/1.1 that allows multiple HTTP requests to be sent over a single TCP (Transmission Control Protocol) connection without waiting for the corresponding responses. More than two hundred and fifty thousand devices were used to direct malicious traffic at a single target; most of them came from a Latvian company and ran various RouterOS versions.
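To make the pipelining signature concrete, here is an added example, not code from the original post or from Qrator Labs or Yandex, that splits a captured client-to-server byte stream into its HTTP/1.1 requests and flags a segment carrying several requests before any response could have been read. The sample streams and the detection threshold are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: one client-to-server TCP stream carrying three HTTP/1.1
# requests back to back with no response read in between (pipelining).
PIPELINED_STREAM = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 9\r\n\r\nuser=test"
    b"GET /search?q=x HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
# Constructed sample: an ordinary single request on a connection.
SINGLE_STREAM = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
CONTENT_LENGTH = re.compile(rb"\r\nContent-Length:[ \t]*(\d+)\r\n", re.IGNORECASE)


def split_requests(stream: bytes) -> List[Tuple[str, str]]:
    """Split a client-to-server byte stream into (method, target) pairs.

    Each request is a head (up to the blank line) plus an optional body whose
    size comes from Content-Length; chunked request bodies are not handled.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete head: wait for more data
        head = stream[pos:end + 4]
        match = REQUEST_LINE.match(head)
        if not match:
            break  # not an HTTP request line, stop parsing this stream
        length = CONTENT_LENGTH.search(head)
        body_len = int(length.group(1)) if length else 0
        requests.append((match.group(1).decode(), match.group(2).decode()))
        pos = end + 4 + body_len
    return requests


def is_pipelined(stream: bytes, threshold: int = 2) -> bool:
    """Flag a client segment that carries `threshold` or more complete requests
    before any response could have been read: that is the HTTP/1.1 pipelining
    pattern used to drive the RPS-based attack described above."""
    return len(split_requests(stream)) >= threshold
```

Run over reassembled client-side TCP payloads, a high share of flagged segments from many distinct sources is a useful per-connection signal to correlate with the RPS counters a flood-detection pipeline already keeps.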

[Infographic: distribution of RouterOS versions involved in the DDoS attacks. Source: blog.qrator.net]

How to fix it?

The current situation concerns specialists, who are continuously researching a common solution and ways to help people who do not know that their devices carry such a vulnerability. The Binare company has prepared a short list of recommendations that can help you, and advises you to contact our specialists for additional information if you doubt the security of your IoT device. We will be happy to help you!

List of recommendations:

  • First of all, you can check whether your device took part in the attacks described above by visiting the official website, which looks up your Internet Protocol (IP) address and reports whether it was involved.
  • The second step is to update your device to the latest version that is currently available.
  • The third option is to check your firewall for unidentified entries and their permissions; if you are not sure you created an entry yourself, it is better to remove it.
  • “MikroTik” also asks anyone who finds a “SOCKS” configuration on their device to contact the company's representatives.

Sources of information

When writing this article, our company used the following sources:
