A new botnet of about 250,000 infected devices is behind some of the biggest DDoS attacks of the summer, breaking the record for the largest volumetric DDoS attack twice, once in June and again this month.
The botnet is called Mēris, the Latvian word for "plague", and is mainly used to extort internet service providers and financial companies in various countries, such as Russia, the United Kingdom, the United States and New Zealand, with DDoS attacks.
The team behind the botnet usually sends threatening emails to large companies asking for ransom. The emails target companies with an extensive web infrastructure and threaten to take important servers down if the company does not pay a sum in digital currency by a certain deadline.
If the victims do not pay, the hackers unleash their botnet, starting with smaller attacks and then increasing them significantly in size later, in order to exert more pressure.
Qrator Labs, a Russian DDoS mitigation service, described Meris as "a new botnet", after a series of attacks against Russian companies.
"In the last two weeks, we have seen devastating attacks on New Zealand, the United States and Russia, which we attribute to this botnet," said the company's researchers.
"Meris can flood almost any infrastructure, including some very powerful networks. All of this is due to the enormous RPS power it has."
The reason Qrator Labs calls Meris unique is that before this summer, DDoS attacks measured in RPS (requests per second) were very rare and had not occurred on this scale in the last five years.
Most botnets are usually configured to send as much unwanted traffic as possible to a target in classic "bandwidth attacks", which are measured in Gbps.
RPS attacks, called volumetric or application-layer DDoS attacks, are different because the attackers focus on sending requests to the target server in order to exhaust its CPU and memory.
Instead of saturating bandwidth with unwanted traffic, volumetric attacks focus on tying up server resources and eventually crashing the server.
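The distinction drawn above is visible in ordinary web-server logs: a bandwidth attack shows up as a large number of bytes per second, a request-rate attack as a large number of requests per second carrying very little data. The following Python script is an added example, not code from the article or from Qrator Labs or Cloudflare. It parses access-log lines in the common "combined" format, aggregates requests, bytes and distinct sources into one-second buckets, and labels each second as a request-rate flood, a bandwidth flood or normal traffic. The log lines, IP addresses and thresholds are constructed for the example; real thresholds would be tuned to the baseline of the service being protected.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the common "combined"/"common" access-log format; the last
# field is the response size in bytes ("-" when nothing was sent).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def build_sample_log():
    """Constructed sample log (not real traffic): one quiet second, one
    second with many tiny requests from many sources (request-rate flood),
    and one second with a few huge responses (bandwidth flood)."""
    lines = [
        '10.0.0.1 - - [05/Sep/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '10.0.0.2 - - [05/Sep/2021:12:00:00 +0000] "GET /login HTTP/1.1" 200 2048',
    ]
    for i in range(12):  # 12 distinct sources, 180-byte responses
        lines.append(
            f'198.51.100.{i} - - [05/Sep/2021:12:00:01 +0000] '
            f'"GET /search?q={i} HTTP/1.1" 200 180'
        )
    for i in range(3):  # 3 sources each pulling 50 MB in the same second
        lines.append(
            f'203.0.113.{i} - - [05/Sep/2021:12:00:02 +0000] '
            f'"GET /big.iso HTTP/1.1" 200 50000000'
        )
    return "\n".join(lines)


def parse_line(line):
    """Return (second_key, source_ip, bytes) or None if the line is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return ts.isoformat(), m.group("src"), size


def aggregate_per_second(log_text):
    """Count requests, bytes and distinct sources for each one-second bucket."""
    buckets = defaultdict(lambda: {"requests": 0, "bytes": 0, "sources": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, src, size = parsed
        buckets[key]["requests"] += 1
        buckets[key]["bytes"] += size
        buckets[key]["sources"].add(src)
    return buckets


def classify(buckets, rps_threshold=10, gbps_threshold=0.5):
    """Label each second. A high request count is the RPS signature the
    article describes; a high bit rate with few requests is the classic
    bandwidth signature. Thresholds are assumed values for this toy."""
    labels = {}
    for key, b in sorted(buckets.items()):
        gbps = b["bytes"] * 8 / 1e9  # bytes per second -> gigabits per second
        if b["requests"] >= rps_threshold:
            labels[key] = "request-rate flood"
        elif gbps >= gbps_threshold:
            labels[key] = "bandwidth flood"
        else:
            labels[key] = "normal"
    return labels


if __name__ == "__main__":
    buckets = aggregate_per_second(build_sample_log())
    for second, label in classify(buckets).items():
        b = buckets[second]
        print(f"{second}: {b['requests']} req/s, {b['bytes'] * 8 / 1e9:.3f} Gbps, "
              f"{len(b['sources'])} sources -> {label}")
```

The two thresholds deliberately measure different things: the request counter catches a flood of small requests that would barely register on a bandwidth graph, while the Gbps check catches the opposite case. The distinct-source count is kept because a flood spread across many addresses, as with a large botnet, cannot be handled by rate-limiting individual clients.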
"In the last five years, there have been virtually no application-layer attacks on a global scale," says Qrator.
Things changed this summer with the appearance of Meris, which is based on a modified version of the old Mirai DDoS malware, according to internet infrastructure company Cloudflare, which also had to deal with some of its attacks.
But instead of focusing on bandwidth attacks, like most Mirai variants, Meris focuses on volumetric attacks, obviously because its operators find them more efficient.
Meris broke the record for the largest volumetric DDoS attack twice. It did so for the first time earlier this summer, in June, when a 17.2 million RPS DDoS attack hit a US financial company, according to Cloudflare, which had the unenviable task of mitigating the attack.
Today, Qrator Labs reported that Meris outdid itself again during an attack this Sunday, September 5, which reached 21.8 million RPS.
Qrator said it had partnered with Yandex to mitigate the attack, which apparently hit Yandex servers. The actual target of the attack, however, was a Russian bank that hosted its e-banking portal on Yandex's cloud service.
Qrator also said that after analyzing the source of most of the attack traffic, it appears to be coming from devices made by MikroTik, a small Latvian company that sells networking equipment such as routers, IoT gateways, WiFi access points, switches and mobile network equipment.