
Cyber Incident Victim: KrebsOnSecurity

Date: Sep 2021

Location: United States of America

Summary

KrebsOnSecurity experienced a significant distributed denial-of-service (DDoS) attack originating from the Meris botnet, a newly identified network of compromised IoT devices primarily consisting of MikroTik routers. The assault generated over two million requests per second, surpassing the scale of a previous Mirai-based attack on the same site by more than fourfold. Meris had previously executed record-breaking attacks against major entities including Cloudflare and Yandex, with peak traffic exceeding 21 million requests per second. The botnet leveraged vulnerable MikroTik routers globally, with a substantial concentration in the United States, though the specific security flaws exploited remained unclear. This incident highlighted the persistent threat of large-scale IoT botnets built from insecure devices, despite broader industry improvements in mitigating such attacks.


Description

On September 9, 2021, KrebsOnSecurity experienced a significant distributed denial-of-service (DDoS) attack originating from a newly identified IoT botnet called Meris. The attack occurred on Thursday evening and was described as massive but relatively brief. Meris had previously executed record-setting attacks against Russian search engine Yandex earlier that week and internet infrastructure provider Cloudflare in the summer of 2021. Cloudflare reported its Meris attack reached 17.2 million bogus requests per second, while Yandex faced an even larger assault estimated at 21.8 million requests per second from approximately 250,000 compromised devices globally. The attack on KrebsOnSecurity, though smaller than these previous incidents, exceeded the scale of the 2016 Mirai botnet attack against the same site by more than four times, generating over two million requests per second compared to Mirai's 450,000 requests per second.


DDoS protection firm Qrator Labs identified Meris as the botnet responsible and determined it primarily consisted of compromised MikroTik internet routers. The United States hosted the largest concentration of potentially vulnerable MikroTik devices at 42% of the global total, followed by China at 18.9%. The specific vulnerabilities exploited remained unclear, though Qrator observed infected devices ran RouterOS firmware versions ranging from outdated to nearly current releases, with older stable versions representing the majority. The incident coincided with the five-year anniversary of the Mirai botnet's emergence, which had established a precedent for IoT-based DDoS threats through its open-source code proliferation. Response efforts involved collaboration between Qrator Labs and Yandex to combat ongoing attacks, while major infrastructure providers like Akamai, Cloudflare, and Google had expanded DDoS mitigation capabilities over preceding years. The broader internet security community also improved coordinated responses to disrupt botnet infrastructure, though the persistence of insecure, mass-produced IoT devices remained a foundational challenge.
