Mēris Botnet Likely Strikes Again in Attack Google Stopped

Google Is Not Releasing the Identity of the Victim

Google detected and stopped one of the largest distributed denial-of-service incidents yet in a likely sighting of the Mēris botnet.


Google is not releasing the identity of the victim, whose web servers faced a barrage of 46 million HTTPS requests per second. The peak volume of malicious traffic was 76% larger than the previously reported record for HTTPS attacks, set in a Mēris botnet incident detected only two months ago by Cloudflare (see: Cloudflare Mitigates Record HTTPS DDoS Attack).

The attack lasted for more than an hour. Google likens the incident to "receiving all the daily requests to Wikipedia in just 10 seconds." Wikipedia is one of the most-visited websites.

The abnormally high volume of malicious traffic originated from 5,256 source IPs across 132 countries, and Brazil, India, Russia and Indonesia made up 31% of the total traffic, Google says. Nearly one-quarter of the source IPs were Tor exit nodes, although their request volume amounted to just 3% of the attack traffic.

Google says the geographic distribution and types of unsecured services leveraged to generate the attack match known patterns of Mēris activity.

Mēris Botnet

The Mēris botnet was first observed by cybersecurity firm Qrator Labs in 2021 (see: Mēris: How to Stop the Most Powerful Botnet on Record).

One defining characteristic of the botnet is that it's formed with infected networking hardware manufactured by Latvian company MikroTik. The vulnerability used by the botnet herders was patched in 2018, but unpatched routers are a notorious source of botnet devices.

It also uses a technique known as HTTP pipelining to increase the volume of malicious traffic. Pipelining is a feature of HTTP, the protocol for requesting web content, that allows a device to send multiple HTTP requests over a single TCP connection without waiting for a reply.
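A server-side view of pipelining, as an added example that is not from the article or from Google's report: it counts how many complete HTTP/1.1 requests one connection has queued before any response went out, and flags connections that exceed a limit. The limit `MAX_PIPELINE_DEPTH`, the function names and the sample buffers are assumptions constructed for illustration.

```python
# Added example: measure HTTP/1.1 pipelining depth on one connection.
# Input is the plaintext receive buffer (after TLS termination) holding
# everything the client sent before the server wrote any response.
import re

MAX_PIPELINE_DEPTH = 8  # assumed policy limit, not a figure from the article
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def pipeline_depth(buf: bytes) -> int:
    """Return the number of complete requests queued back to back in buf."""
    depth, pos = 0, 0
    while True:
        head_end = buf.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # trailing partial request head: not counted
        request_line, _, headers = buf[pos:head_end].partition(b"\r\n")
        if not _REQUEST_LINE.match(request_line):
            raise ValueError("malformed request line")
        body_len = 0
        for line in headers.split(b"\r\n"):
            name, _, value = line.partition(b":")
            name, value = name.strip().lower(), value.strip()
            if name == b"transfer-encoding":
                raise ValueError("chunked bodies are out of scope here")
            if name == b"content-length":
                if not value.isdigit():
                    raise ValueError("bad Content-Length")
                body_len = int(value)
        next_pos = head_end + 4 + body_len  # skip the body by its declared length
        if next_pos > len(buf):
            break  # body not fully received yet
        depth, pos = depth + 1, next_pos
    return depth

def should_drop(buf: bytes, limit: int = MAX_PIPELINE_DEPTH) -> bool:
    """Flag a connection that is unparseable or pipelines past the limit."""
    try:
        return pipeline_depth(buf) > limit
    except ValueError:
        return True

# Constructed sample buffers (not captured traffic).
ONE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
NORMAL = ONE * 2
FLOOD = ONE * 40
POST = (b"POST /f HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
        b"hello" + ONE + b"GET /par")

if __name__ == "__main__":
    for label, buf in (("normal", NORMAL), ("flood", FLOOD), ("post", POST)):
        print(label, pipeline_depth(buf), should_drop(buf))
```

A per-connection depth cap like this complements per-IP rate limiting, since a pipelining client can reach a high request rate from very few connections.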

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
