New Meris Botnet Breaks Records With 21.8 Million Requests Per Second

Meris Botnet, a new distributed denial-of-service (DDoS) virus, emerged over the summer and began a barrage of attacks on internet giant Yandex and has recently peaked its attack speed at 21.8 million requests per second. Meris Botnet gets its power from tens of thousands hacked devices that researchers believe to be networking equipment. It gets its name from Latvian, where Meris means ‘plague’

Last week Russia media covered the attack on Yandex, and described it as being the largest in the history of the Russian internet – also called RuNet. RuNet is the Russian segment of the internet, created to function independently of the worldwide web. Its purpose is to maintain the unified country-wide communication infrastructure running in case of a cyber attack from a foreign adversary. It is actively monitored by Russian authorities.

Details on the attacks were published lately in joint research from Yandex and its DDoS protection partner, Qrator Labs. Information collected by the researchers showed that Meris Botnet has a striking force of 250,000 devices under its control.

“Yandex’ security team members managed to establish a clear view of the botnet’s internal structure. L2TP tunnels are used for internetwork communications. The number of infected devices, according to the botnet internals we’ve seen, reaches 250000” stated researchers at Qrator Labs.

Initial research put the number at 30000, which is the amount Meris Botnet has used in most cases. However, it is believed that the botnet operators are using lower numbers for now as to not parade the full power of their botnet.

Qrator pointed out that compromised hosts in Meris Botnets’ collection are “not your typical IoT blinker connected to WiFi”, but more capable devices that require an Ethernet connection. This speaks volumes about the development behind Meris Botnet – Usually, botnets will go for ‘low-hanging fruit’ when looking for IoT devices to infect.

Meris Botnet was also responsible for generating the largest volume of attack traffic that Cloudflare recorded and mitigated, which peaked at 17.2 million requests per second. This was broken by the botnets later September 5th attack, which as stated reached 21.8 million RPS.

Meris Botnet’s attacks on Yandex began in early august with a hit of 5.2 million RPS and gradually increased:

2021-08-07 – 5.2 million RPS
2021-08-09 – 6.5 million RPS
2021-08-29 – 9.6 million RPS
2021-08-31 – 10.9 million RPS
2021-09-05 – 21.8 million RPS

Meris Botnet Analysis

Note: This analysis was carried out by Qrator Labs.

To deploy an attack, the researchers say that Mēris relies on the SOCKS4 proxy at the compromised device, uses the HTTP pipelining DDoS technique, and port 5678.

As for the compromised devices used, the researchers say that they are related to MikroTik, the Latvian maker of networking equipment for businesses of all sizes.

Most of the attacking devices had open ports 2000 and 5678. The latter points to MikroTik equipment, which uses it for the neighbor discovery feature (MikroTik Neighbor Discovery Protocol).

Qrator Labs found that while MikroTik provides its standard service through the User Datagram Protocol (UDP), compromised devices also have an open Transmission Control Protocol (TCP).

This kind of disguise might be one of the reasons devices got hacked unnoticed by their owners,” Qrator Labs researchers believe.

Distribution of open ports 5678. The darker shows where there are more devices. Source: Qrator Labs

When searching the public internet for open TCP port 5678, more than 328,000 hosts responded. The number is not all MikroTik devices, though, as LinkSys equipment also uses TCP on the same port

Port 2000 is for “Bandwidth test server,” the researchers say. When open, it replies to the incoming connection with a signature that belongs to MikroTik’s RouterOS protocol.

MikroTik has been informed of these findings. The vendor told Russian publication Vedomosti that it is not aware of a new vulnerability to compromise its products.

The network equipment maker also said that many of its devices continue to run old firmware, vulnerable to a massively exploited security issue tracked as CVE-2018-14847 and patched in April 2018.

However, the range of RouterOS versions that were observed in attacks from Meris botnet varies greatly and includes devices running newer firmware versions, such as the current stable one (6.48.4) and its predecessor, 6.48.3.


SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.