Mēris Botnet Likely Strikes Again in Attack Google Stopped
Google Is Not Releasing the Identity of the Victim
Google detected and stopped one of the largest distributed denial-of-service incidents yet in a likely sighting of the Mēris botnet.
Google is not releasing the identity of the victim, whose web servers faced a barrage of 46 million HTTPS requests per second. The peak volume of malicious traffic was 76% larger than the previously reported record for HTTPS attacks, a Mēris botnet incident detected only two months ago by Cloudflare (see: Cloudflare Mitigates Record HTTPS DDoS Attack).
The attack lasted for more than an hour. Google likens the incident to "receiving all the daily requests to Wikipedia in just 10 seconds." Wikipedia is one of the most-visited websites.
The abnormally high volume of malicious traffic originated from 5,256 source IPs across 132 countries, and Brazil, India, Russia and Indonesia made up 31% of the total traffic, Google says. Nearly one-quarter of the source IPs were Tor exit nodes, although their request volume amounted to just 3% of the attack traffic.
Google says the geographic distribution and types of unsecured services leveraged to generate the attack match known patterns of Mēris activity.
The Mēris botnet was first observed by cybersecurity firm Qrator Labs in 2021 (see: Mēris: How to Stop the Most Powerful Botnet on Record).
One defining characteristic of the botnet is that it's formed with infected networking hardware manufactured by Latvian company MikroTik. The vulnerability used by the botnet herders was patched in 2018, but unpatched routers are a notorious source of botnet devices.
It also uses a technique known as HTTP pipelining to increase the volume of malicious traffic. Pipelining is an HTTP/1.1 feature that allows a client to send multiple requests over a single TCP connection without waiting for a reply to each one, so a single connection can carry far more requests than per-IP or per-connection counting would suggest.
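To illustrate what pipelining looks like from the defender's side, here is an added example (not code from Google or the article) that splits a captured client-to-server byte stream into its individual HTTP/1.1 requests and reports how many arrived back-to-back on one connection; the hostname and requests in the sample stream are constructed.

```python
"""Count pipelined HTTP/1.1 requests in a single captured connection stream.

A per-connection request count is a useful rate-limiting signal alongside
per-IP counts, because one pipelined connection can carry many requests.
Chunked transfer encoding is out of scope for this example (assumption).
"""
from typing import List, Tuple


def split_pipelined_requests(stream: bytes) -> List[Tuple[str, str]]:
    """Return (method, path) for each complete request found in `stream`."""
    requests: List[Tuple[str, str]] = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break                               # no further complete header block
        head = stream[pos:end].decode("latin-1")
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        length = 0
        for header in lines[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
            elif name.strip().lower() == "transfer-encoding":
                return requests                 # chunked body: stop parsing
        body_start = end + 4
        if len(stream) < body_start + length:
            break                               # body not fully captured yet
        requests.append((method, path))
        pos = body_start + length               # next request starts after the body
    return requests


def pipelining_depth(stream: bytes) -> int:
    """Number of requests the client queued on one connection before any reply."""
    return len(split_pipelined_requests(stream))


# Constructed sample: three GETs and one POST sent back-to-back on one connection.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print(pipelining_depth(SAMPLE_STREAM))  # 4
```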