Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Botnet Security The Internet

Krebs Also Hit By Massive DDOS, Apparently Caused by Compromised Routers (krebsonsecurity.com) 31

"On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack," the site reports.

Citing a new blog post from DDoS protection firm Qrator Labs, Krebs writes that "The assault came from 'Meris,' the same new botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer." A titanic and ongoing DDoS that hit Russian Internet search giant Yandex last week is estimated to have been launched by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second. While last night's Meris attack on this site was far smaller than the recent Cloudflare DDoS, it was far larger than the Mirai DDoS attack in 2016 that held KrebsOnSecurity offline for nearly four days. The traffic deluge from Thursday's attack on this site was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests-per-second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second.

According to Qrator, which is working with Yandex on combating the attack, Meris appears to be made up of Internet routers produced by MikroTik. Qrator says the United States is home to the most number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world's MikroTik systems connected to the Internet (followed by China — 18.9 percent- and a long tail of one- and two-percent countries). It's not immediately clear which security vulnerabilities led to these estimated 250,000 MikroTik routers getting hacked by Meris. "The spectrum of RouterOS versions we see across this botnet varies from years old to recent," the company wrote. "The largest share belongs to the version of firmware previous to the current stable one."

Krebs writes that the biggest contributor to the IoT botnet problem remains "a plethora of companies white-labeling [cheap] IoT devices that were never designed with security in mind and are often shipped to the customer in default-insecure states...

"The good news is that over the past five years, large Internet infrastructure companies like Akamai, Cloudflare and Google (which protects this site with its Project Shield initiative) have heavily invested in ramping up their ability to withstand these outsized attacks..."

One year earlier, back in 2015, Krebs had answered questions from Slashdot's readers.
This discussion has been archived. No new comments can be posted.

Krebs Also Hit By Massive DDOS, Apparently Caused by Compromised Routers

Comments Filter:
  • Question (Score:4, Interesting)

    by quonset ( 4839537 ) on Saturday September 11, 2021 @11:27AM (#61785249)

    Let's assume your home router has been compromised and is now part of one of these botnets. The criminals use your router as part of their DDOS. Wouldn't your ISP see the massive amount of sustained traffic pouring out of your router and block you until they figure out what you're doing?

    This question presumes you're in a country which has decent providers, not some place such as India or Russia.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Let's assume your home router has been compromised and is now part of one of these botnets. The criminals use your router as part of their DDOS. Wouldn't your ISP see the massive amount of sustained traffic pouring out of your router and block you until they figure out what you're doing?

      Mikrotik gear is often used internally by ISPs because it is cheap and reasonably capable. Likely there is no substantial increase in bandwidth utilization locally. These are not bandwidth flood attacks they are resource exhaustion attacks.

    • by tlhIngan ( 30335 )

      Let's assume your home router has been compromised and is now part of one of these botnets. The criminals use your router as part of their DDOS. Wouldn't your ISP see the massive amount of sustained traffic pouring out of your router and block you until they figure out what you're doing?

      This question presumes you're in a country which has decent providers, not some place such as India or Russia.

      The problem is a lot of home routers are provided by the ISP - either built into the modem they give you, or as an

  • by aaarrrgggh ( 9205 ) on Saturday September 11, 2021 @11:36AM (#61785279)

    So, what is the best way to deal with security on your router/firewall box today, with the presumption that you cannot trust the vendor? Can you layer in a bridge-mode / transparent firewall, or does that actually make things less secure.

    Today to have a functioning network your router just has a huge attack surface.

  • by schwit1 ( 797399 ) on Saturday September 11, 2021 @12:19PM (#61785471)

    The router is a tool. The DDOS was caused by a person that compromised the router.

    The overall cause is hackers, the vendors making crappy IOT devices and Congress. We elect Congress to legislate on just this kind of thing.

    Federal law should prohibit the importation of IOT devices that can't be secured and maybe federal law should prohibit connecting an insecure IOT devices to the internet.

    • Federal law should prohibit the importation of IOT devices that can't be secured and maybe federal law should prohibit connecting an insecure IOT devices to the internet.

      Your insecure computer is causing money leakage.* Disconnect!

      *Piracy.

    • OK, let's create a law that prohibits the connecting of an "insecure IOT device" to the internet.

      Question for 100: What is an "insecure IOT device"?

      I have a hunch, given our legislators, the answer is "whoever doesn't pay enough of a kickback and/or doesn't get some governmental stamp of approval".

      Careful what you wish for. Especially when it comes to laws.

    • I’m fine with insecure crappy IoT devices; what the ESP8266 has given us can be great. The problem is when they need to connect to the internet to function, and cannot be isolated in an IoT cage.

  • mikrotik response (Score:3, Informative)

    by A little Frenchie ( 715758 ) on Saturday September 11, 2021 @01:31PM (#61785695)
    this is their response https://forum.mikrotik.com/vie... [mikrotik.com]

    QUOTE

    Many of you have asked, what is this Mris botnet that some news outlets are discussing right now, and if there is any new vulnerability in RouterOS.

    As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was quickly patched.

    Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.

    We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

    As far as we know right now - There are no new vulnerabilities in these devices. RouterOS has been recently independently audited by several contractors.

    If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.

  • If internet governance actually existed and mandated ingress/egress filtering for all ISPs AND had a mechanism for pushing filter rules upstream by the owner of an IP range to ISPs of a given attacker, none of this would be a problem. The ISP of a compromised customer would get a lot of filter rules pushed on them, get pissed about it and do something about it.

  • by schweini ( 607711 ) on Sunday September 12, 2021 @12:21AM (#61787087)
    How do all those IoT devices get compromised? Aren't they usually behind some NAT, making external access almost impossible (unless explicitly permitted)?

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...