A Distributed Denial-of-Service Attack is when lots of sources of traffic flood one target, simultaneously.
As a result, the target's machine that works to deliver the demand of those incoming traffic, quickly runs out of resources. Because of this, legitimate requests cannot be fulfilled, and the service can be made unavailable for intended users.
Hackers do DDoS attacks to disrupt a service.
This time, Yandex, the internet search engine giant from Russia, has been targeted in a massive DDoS attack that happens for more than a week.
A report from a Russian media said that the attack is the largest in the short history of RuNet, or the Russian internet, which is a segment of the internet, created by the Russian government to function independently from the World Wide Web in general.
RuNet is made to maintain the unified country-wide communication infrastructure running in case of a cyber attack from a foreign adversary.
The attack started in one weekend, flooding Yandex's servers with fake requests that attempt to cripple its systems.
According to Cloudflare, the web infrastructure security company from the U.S., the attack that peaked at the unprecedented rate of 21.8 million requests per second on September 5th, is confirmed the “record scale of the cyberattack.”
"Our experts did manage to repel a record attack of nearly 22 million requests per second (RPS). This is the biggest known attack in the history of the internet," Yandex said in a statement.
Yandex that partners with Qrator Labs for its customers a DDoS protection service for cloud resources, experienced a hard time defending against the attack. But managed to thwart most of the incoming traffic by filtering unwanted requests, in order to put the flood of traffic within its capacity.
It is then revealed that the DDoS attack was carried out by huge armies of botnets, which are large collections of compromised internet-connected devices receiving commands from the hackers.
According to Alexander Lyamin, CEO of Qrator Labs, the botnets harnessed the power of network equipment from a vendor in the Baltic region.
The botnets received the name Mēris (Latvian for ‘plague’), which got its armies from tens of thousands of compromised devices that the researchers believe to include some powerful networking equipment, and related to MikroTik, the Latvian maker of networking equipment for businesses of all sizes.
The researchers note that the compromised hosts in Mēris are “not your typical IoT blinker connected to Wi-Fi” but highly capable devices that require an Ethernet connection.
Separately from Yandex, it is said that the attack used around 56,000 attacking hosts, while researchers suggested that the compromised devices may be closer to 250,000.
The difference between the attacking force and the total number of infected hosts forming Mēris is explained by the fact that the hackers didn't want to expose the full power of their botnet networks, explained Qrator Labs in a blog post.
The attack was commenced on the SOCKS4 proxy at the compromised device, and used the HTTP pipelining DDoS technique, and port 5678.
When searching the public internet for open TCP port 5678, more than 328,000 hosts responded.
It should be noted that the number of the compromised devices are not all MikroTik devices, though, as LinkSys equipment also uses TCP on the same port.
It should also be noted that Mēris is the same botnet responsible for generating the largest volume of attack traffic that Cloudflare recorded and mitigated to date, which peaked at 17.2 million RPS, which was 4 million RPS less than what Yandex experienced.