Yandex Survives Record DDoS Attack From New Meris Botnet

Key Takeaways

  • Yandex managed to repel the largest DDoS attack ever (22 million requests per second)

  • The attack comes after a summer of several other large-scale attacks, all of which are now being attributed to a new botnet threat, dubbed Meris.

  • Yandex fended off the attack by having DDoS defense at several layers of its networking architecture; there are multiple tactics you can use to defend against increasingly large DDoS attacks.

Biggest DDoS Attack

A cyber attack on Russian tech giant Yandex's servers in August and September was the largest known distributed denial-of-service (DDoS) attack in the history of the internet, the company said.

A DDoS attack is an attempt to disrupt the normal traffic of a targeted server or network by overwhelming the target with a flood of Internet traffic from many sources.

"Our experts did manage to repel a record attack of nearly 22 million requests per second (RPS). This is the biggest known attack in the history of the internet," Yandex said in its statement.

Yandex said it had seen 5.2 million RPS on Aug. 7, 6.5 million RPS on Aug. 9, 9.6 million RPS on Aug. 29 and 10.9 million RPS on Aug. 31, before the attack peaked at 21.8 million RPS on Sept. 5.

U.S. cybersecurity firm Cloudflare, which is widely used by businesses and other organisations to help defend against DDoS attacks, said in August that the largest DDoS attack it was aware of reached 17.2 million RPS earlier this year. That attack was said to be three times larger than previously known ones. The scale of DDoS attacks has tripled this summer; Yandex says this comes from a new botnet like none other, Meris.

Meris Botnet

In a September 9 blog post, Yandex said it had identified a powerful new botnet, a network of computers infected with malware and controlled without the owners’ knowledge, that has also carried out DDoS attacks on other companies. In the last couple of weeks, there have been devastating DDoS attacks in New Zealand, the United States and Russia, all of which have now been tracked to this new botnet. Researchers have named this botnet Meris - “plague” in Latvian.

Meris already has a significant scale - probably over 200,000 devices. Qrator Labs, a research firm helping Yandex in its investigation, monitored 30,000 hosts from the attack and found that they are high-performance devices, not the typical IoT devices connected to a Wi-Fi network. Most likely, Meris is a botnet consisting of devices connected via Ethernet, making it a much more potent threat. They also found that all infected devices are manufactured by MikroTik. According to Qrator Labs, the attackers exploited a 2018 vulnerability that remained unpatched on more than 56,000 MikroTik hosts involved in the DDoS attack.

Meris uses a technique called HTTP pipelining, where a client opens a connection to a server and, without waiting for a response, sends several more requests on it. L2TP (Layer 2 Tunneling Protocol) tunnels are used for Meris's inter-network communications. L2TP is a protocol used to manage virtual private networks and deliver internet services. Tunneling facilitates the transfer of data between two private networks across the public internet, allowing the botnet to orchestrate itself in private.
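To make the pipelining behaviour concrete from the defender's side, here is an added example (not Yandex or Qrator code) that splits the bytes received on one TCP connection into the back-to-back HTTP/1.1 requests they carry and flags a connection whose unanswered request depth exceeds a threshold. The sample payloads and the `MAX_PIPELINE_DEPTH` tunable are constructed assumptions; a browser typically pipelines a handful of requests at most, while an attack burst queues many more.

```python
"""Added example: detect abusive HTTP/1.1 pipelining on a single connection.

Not Yandex's or Qrator Labs' code. The sample payloads are constructed and
MAX_PIPELINE_DEPTH is an assumed tunable, not a published value.
"""
import re
from typing import List, Tuple

# Assumed threshold: more unanswered requests than this on one connection is suspicious.
MAX_PIPELINE_DEPTH = 8

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]$")


def split_pipelined_requests(payload: bytes) -> List[Tuple[bytes, bytes, int]]:
    """Split a raw TCP payload into the HTTP requests it carries back-to-back.

    Returns (method, target, header_count) per parsed request. Bodies are skipped
    using Content-Length; a chunked body stops parsing (not handled here).
    """
    requests = []
    pos = 0
    while pos < len(payload):
        end = payload.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete request at the tail; wait for more bytes
        head = payload[pos:end]
        lines = head.split(b"\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            break  # not a request line: stop parsing this connection
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if b"transfer-encoding" in headers:
            break  # chunked bodies are out of scope for this example
        body_len = int(headers.get(b"content-length", b"0"))
        requests.append((m.group(1), m.group(2), len(headers)))
        pos = end + 4 + body_len
    return requests


def pipeline_verdict(payload: bytes, threshold: int = MAX_PIPELINE_DEPTH) -> Tuple[int, bool]:
    """Return (pipelined_request_count, flagged) for one connection's unanswered bytes."""
    reqs = split_pipelined_requests(payload)
    return len(reqs), len(reqs) > threshold


# Constructed samples: a browser-style burst of two requests and an attack-style burst.
NORMAL_BURST = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
ATTACK_BURST = b"".join(
    b"GET /?q=%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i for i in range(20)
)

if __name__ == "__main__":
    print("normal:", pipeline_verdict(NORMAL_BURST))
    print("attack:", pipeline_verdict(ATTACK_BURST))
```

In practice this check belongs at the point that terminates TCP (a load balancer or reverse proxy), where the number of requests already queued on a connection without a response is known; the count alone is a coarse signal and is best combined with per-source rate limits.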


How did Yandex fend off the record attack?

Yandex, who provides DDoS protection as a product, explains, “In Yandex, incoming user traffic passes through several infrastructure components operating at different levels of the ISO / OSI model.” The OSI model breaks communication into 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. DDoS attacks can be mitigated at several of these layers so having multiple layers of defense is a best practice. Yandex continues, “The first components protect Yandex from SYN flood attacks. The following layers analyze incoming traffic in real time. Based on technical signals and other statistics, the system evaluates the suspicion of each request. Our priority is to provide a response to live users even at the time of a DDoS attack. Thanks to the design of our infrastructure, we quickly scaled our components horizontally after the first attacks and were able to withstand more powerful waves without switching to IP banning mode.”
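The quoted description (traffic scored per request on technical signals, with horizontal scaling preferred over blanket IP banning) can be illustrated with a small added example. This is not Yandex's scoring logic: the signals, weights, bucket sizes and the serve/challenge/drop outcomes are assumptions chosen for illustration. Each source gets a token bucket for sustained rate, and each request gets a suspicion score from header signals and pipelining depth; only sources that exhaust their bucket are dropped, while suspicious but in-rate requests are challenged rather than banned.

```python
"""Added example: per-request suspicion scoring plus per-source rate limiting.

Illustrative only, not Yandex's implementation. Weights, thresholds and bucket
parameters are assumed values. `now` is passed explicitly so the logic is
deterministic and testable without wall-clock time.
"""
from dataclasses import dataclass, field
from typing import Dict


class TokenBucket:
    """Per-source token bucket: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    pipelined_depth: int = 1  # requests already queued unanswered on this connection


class RequestScorer:
    SUSPICION_THRESHOLD = 3  # assumed: score >= this gets a challenge instead of a direct response

    def __init__(self, capacity: float = 20, refill_per_sec: float = 5):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def score(self, req: Request) -> int:
        """Assumed signals: missing browser headers and deep pipelining raise suspicion."""
        h = {k.lower(): v for k, v in req.headers.items()}
        s = 0
        if "user-agent" not in h:
            s += 2
        if "accept" not in h:
            s += 1
        if "accept-language" not in h:
            s += 1
        if req.pipelined_depth > 8:
            s += 2
        return s

    def decide(self, req: Request, now: float) -> str:
        """Return 'drop' (over rate), 'challenge' (suspicious) or 'serve'."""
        bucket = self.buckets.get(req.src_ip)
        if bucket is None:
            bucket = self.buckets[req.src_ip] = TokenBucket(self.capacity, self.refill_per_sec, now)
        if not bucket.allow(now):
            return "drop"
        if self.score(req) >= self.SUSPICION_THRESHOLD:
            return "challenge"
        return "serve"


# Constructed sample requests (documentation addresses).
BROWSER = Request("198.51.100.1", "GET", "/",
                  {"User-Agent": "Mozilla/5.0", "Accept": "text/html", "Accept-Language": "en"})
BOT = Request("203.0.113.5", "GET", "/?q=1", {"Host": "example.test"}, pipelined_depth=20)


def demo(capacity: float = 3, refill_per_sec: float = 1) -> list:
    """Run the bot through a small bucket: three challenges, then a drop, then recovery."""
    scorer = RequestScorer(capacity, refill_per_sec)
    out = [scorer.decide(BROWSER, 0.0)]
    out += [scorer.decide(BOT, 0.0) for _ in range(4)]
    out.append(scorer.decide(BOT, 2.0))  # two seconds later the bucket has refilled 2 tokens
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the split between "challenge" and "drop" is the one the quote makes: live users keep getting answers during an attack, and a blanket ban on a source is the last resort rather than the first.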

While patching MikroTik devices is the ideal mitigation against future Meris attacks, researchers also recommended blacklisting. IP blacklisting is a method used to stop illegitimate or malicious IP addresses from accessing your networks - it’s basically a list of everyone you want to block. Blacklisting is viable because Meris attacks are not spoofed: every attacking request can be traced back to its origin address.
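Because the source addresses are genuine, a blacklist can be derived directly from access logs. The following added example (not Qrator's or Yandex's tooling) reads combined-format log lines, computes each source's peak requests in any one second, keeps the sources above a threshold, skips anything in an allowlist (your own monitors, your CDN's egress ranges) and collapses the result into CIDR blocks ready for a firewall set. The log lines, the threshold and the allowlist are constructed for the example.

```python
"""Added example: build a candidate IP blacklist from access logs.

Not Qrator Labs' or Yandex's code. Log lines use documentation address ranges
and are constructed; the RPS threshold and allowlist are assumed values.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Combined log format: client IP first, timestamp in brackets (second resolution).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

SAMPLE_LOG = """\
203.0.113.6 - - [05/Sep/2021:12:00:00 +0300] "GET / HTTP/1.1" 200 512
203.0.113.6 - - [05/Sep/2021:12:00:00 +0300] "GET /?a=1 HTTP/1.1" 200 512
203.0.113.6 - - [05/Sep/2021:12:00:00 +0300] "GET /?a=2 HTTP/1.1" 200 512
203.0.113.7 - - [05/Sep/2021:12:00:00 +0300] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [05/Sep/2021:12:00:00 +0300] "GET /?b=1 HTTP/1.1" 200 512
203.0.113.7 - - [05/Sep/2021:12:00:00 +0300] "GET /?b=2 HTTP/1.1" 200 512
198.51.100.20 - - [05/Sep/2021:12:00:01 +0300] "GET /about HTTP/1.1" 200 2048
192.0.2.10 - - [05/Sep/2021:12:00:01 +0300] "GET /health HTTP/1.1" 200 16
192.0.2.10 - - [05/Sep/2021:12:00:01 +0300] "GET /health HTTP/1.1" 200 16
192.0.2.10 - - [05/Sep/2021:12:00:01 +0300] "GET /health HTTP/1.1" 200 16
192.0.2.10 - - [05/Sep/2021:12:00:01 +0300] "GET /health HTTP/1.1" 200 16
"""


def peak_rps_per_ip(log_text: str) -> Dict[str, int]:
    """Map each client IP to its highest request count within a single second."""
    per_second: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ip, timestamp = m.groups()
        per_second[ip][timestamp] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}


def build_blacklist(log_text: str, rps_threshold: int,
                    allowlist: Iterable[str] = ()) -> List[str]:
    """Return CIDR strings for sources at or above the threshold, minus allowlisted ranges."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    offenders = []
    for ip, peak in peak_rps_per_ip(log_text).items():
        if peak < rps_threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue  # never block your own monitors or CDN egress
        offenders.append(addr)
    # collapse_addresses merges adjacent addresses into networks; versions must not be mixed
    v4 = [a for a in offenders if a.version == 4]
    v6 = [a for a in offenders if a.version == 6]
    networks = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in networks]


if __name__ == "__main__":
    # Assumed threshold of 3 requests per second from one source; 192.0.2.0/24 is a constructed monitor range.
    print(build_blacklist(SAMPLE_LOG, 3, allowlist=("192.0.2.0/24",)))
```

The allowlist step is the check worth keeping even when the rest is replaced by a vendor tool: during the Meris attacks the offending hosts were real routers, but a threshold applied blindly to raw logs will also catch health checkers and any reverse proxy that sits in front of the origin.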

Other effective tactics to mitigate DDoS attacks

With DDoS attacks on the rise, here is a reminder of the most common ways to protect your site or organization against these threats:

  • Increase bandwidth. One of the most basic steps you can take to protect against DDoS attacks is to provision enough bandwidth to absorb traffic spikes. Increasing bandwidth raises the bar attackers have to clear before a DDoS attack succeeds, but you should always combine it with other mitigation tactics to fully safeguard your website.

  • Use a CDN. A Content Delivery Network is a geographically distributed group of servers that work together to provide fast and reliable delivery of Internet content. A CDN spreads website traffic across many servers so that a single capacity-limited origin server is not overwhelmed. Because the traffic is served from servers in different locations, it is also harder for attackers to locate the origin server itself. In addition, CDN providers usually offer a range of cybersecurity features, including DDoS protection.

  • Server-level DDoS protection. Some web hosts include server-level DDoS mitigation tools in their offering. As this feature is not offered by every web hosting company, check with your web host.

  • Use hybrid or cloud-based hosting. When you switch to hybrid or cloud-based services, chances are that you’ll have access to unlimited bandwidth. Many websites affected by DDoS are sites that run with limited resources.