Meris Attack: Zombie MikroTik devices take a swing at Cloudflare

In an unprecedented cybersecurity event, Cloudflare, a leading internet infrastructure and website security company, faced a colossal DDoS (Distributed Denial of Service) attack. This assault, known as the MikroTik Meris attack, was notable not only for its sheer volume but also for the sophistication and the type of devices exploited. In this post, we delve into the technical intricacies of the attack, the role of MikroTik devices, and the implications for cybersecurity practices moving forward.

Background of the Attack

The attack was orchestrated using a botnet named "Meris," which means "plague" in Latvian - a nod to the origins of the exploited devices manufactured by MikroTik, a Latvian company. The botnet comprised tens of thousands of compromised MikroTik routers globally, which were then used to launch the attack.

Technical Specifications of the Attack

  • Attack Vector: The Meris botnet leveraged a technique known as HTTP/2 multiplexing, which allows multiple HTTP/2 requests to be sent simultaneously over a single connection. This method is particularly effective because it significantly amplifies the attack's volume while evading traditional detection mechanisms.
  • Peak Attack Volume: At its peak, the attack reached over 17.2 million requests per second (RPS), making it one of the largest DDoS attacks ever recorded at the time.
  • Target: Cloudflare's infrastructure was targeted, with the attackers attempting to overwhelm its servers and disrupt services to Cloudflare's clients.

The Role of MikroTik Devices

The exploitation of MikroTik routers was central to the execution of the Meris attack. These devices were vulnerable due to a combination of factors:

  • CVE-2018-14847 Vulnerability: A critical vulnerability in MikroTik RouterOS allowed attackers to bypass authentication and gain unauthorized access to devices. This vulnerability was patched in April 2018, but many devices remained unpatched and vulnerable.
  • Configuration Mismanagement: Many MikroTik routers were improperly configured, exposing them to the internet without adequate security measures. This misconfiguration made it easier for attackers to exploit them.
  • Botnet Command and Control (C&C): The compromised routers were controlled remotely by the attackers, receiving commands to execute the DDoS attack simultaneously.

Detection and Mitigation

Cloudflare's response to the Meris attack involved several layers of detection and mitigation techniques:

  • Anomaly Detection: Cloudflare's systems identified the anomalous surge in HTTP/2 requests, triggering alerts.
  • Rate Limiting: Applying rate limiting to suspicious IP addresses helped to reduce the impact of the attack.
  • Advanced DDoS Protection: Cloudflare's DDoS protection systems, which use machine learning and heuristic analysis, adapted in real-time to mitigate the attack's effects.
  • Collaboration with ISPs: Cloudflare worked with internet service providers to identify and shut down traffic from the compromised MikroTik routers.

Lessons Learned

The MikroTik Meris attack serves as a stark reminder of the importance of cybersecurity hygiene for devices connected to the internet. Key takeaways include:

  • The Necessity of Regular Updates: Device manufacturers and users must ensure that firmware and software are kept up to date to protect against known vulnerabilities.
  • The Importance of Proper Configuration: Devices, especially routers, should be securely configured, with unnecessary services disabled and default passwords changed.
  • The Power of Botnets: The Meris attack underscores the potential for botnets to leverage common devices in significant cyberattacks, highlighting the need for improved security in IoT devices.

Patch and Protect, that is the moral of the story

The MikroTik Meris attack on Cloudflare was a watershed moment in cybersecurity, demonstrating the evolving nature of cyber threats and the critical role of networked devices in these threats. It emphasizes the collective responsibility of manufacturers, users, and cybersecurity professionals to safeguard the digital ecosystem. As cyber threats continue to evolve, so too must our strategies to detect, mitigate, and prevent them, ensuring a safer internet for all.

Was this page helpful?