Cloudflare TV

Meris Botnet, VoIP attacks and DDoS Trends

Presented by Omer Yoachimik, Vivek Ganti
Originally aired on 

Join Cloudflare's DDoS Protection Product Manager, Omer Yoachimik, in this Cloudflare TV session to learn about the recent DDoS attack trends and attacks on VoIP infrastructure providers. We will also dive deeper into an analysis of the Meris botnet activity.


Transcript (Beta)

Hello everyone. Welcome to Cloudflare TV and thank you for taking the time to join us today listening.

My name is Omer Yoachimik and I'm the product manager for Cloudflare's DDoS protection service.

The DDoS team is responsible for protecting Cloudflare's network and our customers against DDoS attacks and today we want to talk about the recent attacks that were launched by Meris botnet as well as attacks that were launched on VoIP providers and just recent DDoS trends as well.

So with that let's kind of kick in and talk about the Meris. And so first of all what is Meris?

So Meris is Latvian for plague and it's the name of an active botnet behind a series of DDoS attacks that have recently targeted thousands of websites around the world.

It originally was detected in late June of this year and it's believed to be comprised of about 20 to 350,000 bots worldwide.

The bots themselves, the infected devices that are launching the attacks are routers and network networking hardware that's manufactured by the Latvian company Mikrotik.

And according to Mikrotik's blog the attackers exploited the vulnerability in the router's operating system, router OS, which enabled attackers to gain access to the routers themselves.

Basically an unauthenticated remote access that allowed them to read and write arbitrary files.

So how the infection actually worked is that the administration of the router OS operating system can usually be done via SSH connection or using a configuration utility tool called Winbox.

Now the vulnerability itself that the attackers leveraged was possible due to a directory traversal vulnerability in the interface between Winbox and the router OS.

And so this type of exploit, the directory traversal exploit, basically allows attackers to travel in the parent directory or to the parent directory and gain access to the operating system's file system.

This method and structure of how the data is stored and retrieved in an operating system.

And so once they gain access to the file system, they can then kind of just read and write arbitrary files and then administer the router to their malicious needs.

The vulnerability itself was actually patched in 2018 after it was detected, but it's still being compromised because a lot of routers or hardware devices just weren't updated to the latest version of the OS, or alternatively are still using the default manufacturer username and passwords, which are, you know, therefore easy to kind of brute force your way in.

Now, MicroTik has advised its customers to upgrade their operating systems and only allow access to their devices via secure channels, such as IPSec, and also to inspect any abnormalities and kind of scripts that they identify there that are not theirs.

Additionally, the way that this botnet is able to launch very large volumetric attacks is by using HTTP pipelining, which basically allows the client to send multiple requests over a single connection.

This kind of increases the total attack throughput. Also, in an attempt to obfuscate the attacker source to kind of hide where they're coming from, the botnet uses open SOCKS proxies to target or to proxy their attacks to their targets, and this allows them kind of to hide where they're coming from as they're being proxied to the attacker.

Now, our DDoS protection systems here at Cloudflare automatically detect and mitigate various attacks, and some of the mitigation actions are block, rate limit, but some of them are also actually connection close, which is an instruction to the client to kind of eliminates the risk of HTTP pipelining, and so it helps slow down the attacker by forcing it to close the connection after just one request.

Additionally, we also have proactive threat intelligence capabilities that identify SOCKS proxy endpoints, and these are actually available to our customers as managed IP lists, which they can then just kind of tap into and use custom firewall rules to block or challenge attacks coming from those sources.

Now, since the appearance of the Meris botnet, our systems have been automatically detecting and mitigating the attacks using our existing rule sets.

However, during the analysis of the attack, our security experts actually noticed that the attack vector is shifting and adapting as the attackers are trying to overcome and bypass our defenses.

They were not successful, but we wanted to stay many steps ahead, and so our engineers deployed additional, stronger mitigation rules that mitigate Meris attacks even more comprehensively.

A good side effect of that, or a byproduct of that, is that we actually have more granular visibility and threat intelligence on the activity of the Meris attack, or the Meris botnet specifically.

Now, since we deployed the new rules in early August, on average we've seen about 104 DDoS attacks by Meris targeting Cloudflare customers every day.

The highest figure we've seen was on September 6th.

This was when Meris was used to launch 261 unique attacks against Cloudflare customers.

And on that same day, all of that attack traffic actually served as 17.5% of all of the Layer 7 DDoS attacks that Cloudflare saw that day.

Now, overall, Meris targets about 50 different websites and applications every single day.

These are ones that are protected by Cloudflare. And although the average attack size peaked at 106,000 requests per second, the median attack size, the throughput, the request per second rate, was only around 17,000 requests per second.

That's still a lot if you're not protected, but for Cloudflare, even in the millions, it's something that we don't even really feel.

And we did automatically detect and mitigate such an attack earlier in July.

This was a 17.2 million request per second attack.

You can see that here on the left. And on the right, you can see the max attack request per second rate on a daily basis since we deployed that new rule.

And since we've had that Meris dedicated threat intelligence. And since then, the largest attack we've seen was on August 19th, and it was about 16.7 million requests per second.

Now, over the past few months, we've seen the attack target many industries.

And the industry that came under the most attacks by Meris was the banking, financial services, and insurance industry, BFSI.

After it was the publishing industry, gaming and gambling companies, and also IT services.

And this is from the perspective of the number of websites.

But when we take a look at the percentage of targeted websites, the software industry actually came in first, as opposed to the number of total requests.

After which, again, the gaming and gambling companies and IT services.

Similarly to the analysis of the top industries, we can also calculate the DDoS activity rate, which basically allows us to normalize the amount of traffic that targeted specific countries.

And so what we can see is a China-based company saw the largest amount of DDoS attacks.

In fact, more than 33% of all requests that were generated by Meris were destined for China-based companies that are protected by Cloudflare, of course.

Australia came in second place and the US in third.

On the other hand, when we look at the number of websites that were targeted by Meris, the US actually came in first.

More than 12% of the websites that were targeted by Meris were US-based.

In this case, China came in second, and then Russia in third.

Now, using the source IP address of the routers or the networking hardware appliances that launch the attacks, we're able to draw a map or a geographical representation of the bot's presence and expansion over time globally.

The change in location of the bots in this illustration doesn't necessarily indicate that the botnet is growing or shrinking.

It could also be that there are different groups of bots that are activated and deactivated from time to time to spread the load of the attacks while attempting not to get caught.

And so as we can see in the beginning of August, the majority of the bots were actually located in Brazil.

But by the end of August, that number plummeted to a single-digit percent, really close to zero.

And meanwhile, the number of infected devices really grew in the United States.

Also from the beginning of September, we've seen the numbers increase in Russia, India, and Indonesia and China as well.

So besides Meris, there has also been a surge in attacks on VoIP providers over the past months.

So we've seen that many VoIP or VoIP over IP providers have been targeted by DDoS attacks.

These attacks have originated from entities claiming to be Reval, which is a name for a Russian-based hacking group.

The attacks usually combined or multi-vector and combine both layer seven attacks targeting critical HTTP infrastructure websites and API endpoints, but also the VoIP infrastructure themselves, the servers themselves, being targeted by layer three, four attacks.

In some cases where these providers were not protected, this resulted in an outage or service disruptions.

However, our network, cloud service network, is actually able to effectively protect and accelerate, yep, even accelerate voice and video infrastructure just because of our global reach, our sophisticated traffic filtering capabilities, and the unique perspective that we have on attack patterns due to our threat intelligence.

So first of all, whether you're a VoIP provider or not, if you've come under ransom attacks, any extortion attempts, we recommend not to pay.

These funds can only be used to fund illegitimate activities, illegal activities, and there's also no assurance, no guarantee that you won't be attacked anyway.

Instead, we recommend protecting yourself with an always-on, on-demand service such as Cloudflare and also reporting it to your local law enforcement.

So first of all, let's take a step back. What is VoIP, right? So in high -level, VoIP or voice over the Internet protocol is a term that's used to describe a group of technologies that allows for communication of multimedia over the Internet.

So this is like your FaceTime calls, your Zoom calls, and even sometimes your normal calls that you make over your cell phone.

The principles behind VoIP calls are similar to traditional digital calls over the circuit-switched networks.

However, the main difference is that the encoded media, for example, the voice or the video, is partitioned into small units of bits that are transferred over the Internet as payloads of IP packets.

And these are, of course, according to specialized, specially-defined media protocols.

And this packet switching of voice data or video, compared to traditional circuit switching, usually results in much more efficient use of network resources.

And as a result, calling over VoIP can be much more cost -effective over the POTS, the plain old telephone service.

And switching to VoIP can actually cut down telecom costs for businesses by more than 50%.

So it's not really a surprise that over 30% of businesses or one out of three has already adopted VoIP technologies.

It's just flexible, scalable.

And even in these times of the past two years of COVID brought people together in virtual classes and FaceTime calls and so on.

Now, two key protocols behind VoIP are the session initiation protocol.

And it's designed to serve as a flexible and modular protocol for kind of initiating the calls and the real-time transport protocol.

These help with making sure that VoIP is fast because real-time communication between people needs to feel natural, needs to be immediate and responsive.

And therefore, one of the most important features of a good VoIP service is actually the speed.

And this user experience is, you know, it's for the user, it's defined or experienced as a natural-sounding audio and high-definition video without any lag or stutter.

And while SIP and other VoIP protocols can be implementing usually using TCP or UDP, usually the chosen underlying protocol is UDP because it's just faster for routers and servers to process them.

UDP is a protocol that's basically unreliable, stateless, and comes with no quality of service guarantees.

What this means is that the routers and servers usually use much less memory and computational power to process UDP packets.

This allows them to process more packets per second. And processing more packets per second results in quicker assembly of the packets payload.

This is the encoded media, your voice or video.

And therefore, they're able to deliver a better call quality.

Now, under the guideline of faster is better, VoIP servers will attempt to process the packets as fast as possible, like we said.

This is done on a first-come-first-served basis.

And like we said, UDP is stateless. And because it's stateless, the server in the initial state doesn't know which packets belong to existing calls and which attempt to initiate new calls.

Those details are usually in the SIP headers in the form of the SIP requests and responses, and they're not processed until further up the network stack.

And so when the rate of packets per second increases beyond the router's or server's capacity, this faster is better guideline actually turns into a disadvantage.

And so while a traditional circuit switch system will refuse new connections when its capacity is reached, and it'll attempt to kind of maintain the existing connections without impairment, a VoIP server and its ongoing race to process as many packets as possible won't be able to handle all the packets or all the calls when its capacity is exceeded.

And this would result in latency and disruptions for ongoing calls, as well as failed attempts of making and receiving new calls.

And so without proper protections in place, the race for superb call experience actually comes at a security cost that attackers have learned to take advantage of.

One way to take advantage of it is basically to overwhelm unprotected VoIP servers with a flood of specially crafted UDP packets.

Another way is to pretend to initiate calls. And so each time a malicious call initiation request is sent to the victim, the server actually uses computational power memory to authenticate the request.

And if the attacker can generate enough of those call initiations, they can overwhelm the victim's server and prevent it from processing legitimate calls.

And this is a classic DDoS technique applied to SIP.

And over the past month, we've seen additional tactics that attackers have used in an attempt to disrupt VoIP services.

Another one is TCP floods, floods of TCP packets that target stateful firewalls.

Now, while VoIP protocols usually run over UDP, if you manage to overwhelm a stateful firewall, you can negatively impact the infrastructure itself and make it vulnerable or even cause denial of service event if the firewall fails, closes.

And another one is the UDP floods that we mentioned of traffic that is very randomized, that targets SIP infrastructure and can be very difficult to filter without proper protections in place.

And another method is using UDP reflection attacks.

This is especially useful when targeting the session border control component.

That's kind of like a NAT for SIP servers to kind of manage the different calls on behalf of the SIP server.

And so what we've seen is that attackers actually spend a lot of time in learning the target infrastructure in order to kind of target their attacks more tactically to make the attack more successful for them.

And of course, there are the SIP protocol specific attacks that they are practically of a, or basically of a higher concern just because of the higher resource cost that is required to identify the actual state of the call itself or to generate the application errors versus just filtering at layer four.

And in fact, we've seen the rise in UDP attacks throughout October and September.

So in October, the attacks are projected to increase by 85%.

And similarly, we can see an increase in basically all of the network layer DDoS attack volume.

So also the bytes and bits and based on, and while October is not over yet, the current projection or the projection based on current figures shows us that the number is expected to persist in October itself.


So we've talked about the Maris attack, the VoIP attacks, and now let's double down on the overall DDoS trends that we've seen in the third quarter of 2021.

So let's start with the application layer attacks, specifically HTTP attacks. These are attacks that usually aim to disrupt a web server by making it unable to process legitimate user requests.

So if a server is bombarded with more requests than it can process, it will start dropping legitimate requests.

And in some cases crash, this results in performance penalties or outage for legitimate users.

And when we break down the application layer attacks by the targeted industry, we can see that computer software companies top the charts.

The gaming and gambling industries, which are known to be regular targets of online attacks was a close second.

And this was followed by the Internet and IT services industry. Now to understand the origin of the HTTP attacks, we actually look at the geolocation of the source IPs belonging to the client that generated the attack.

Now, unlike network layer attacks, the source IPs here cannot be spoofed, meaning they cannot be altered.

So the source IP is the right one. So we can use the source IP to identify where the attack came from.

And what we do is we normalize the amount of requests from a specific country to get the activity rate, the DDoS activity rate.

And a high, and this is what you're seeing here, and a high DDoS activity rate usually indicates the presence of a lot of botnets operating from within that country.

And so in the third quarter of 2021, most attacks originated from devices, servers, or virtual machines in China, the United States, and India.

Now, while China remains in the first place, the number of attacks originating from China IPs actually decreased by 30% compared to the previous quarter.

Now, this means that basically almost one in every 200 HTTP requests that originated from China was part of an attack.

Now, if we kind of go a little to the right, we can see that attacks from Brazil and Germany, while they're not in the top three, attacks from Brazil and Germany actually shrank by 38% compared to the previous quarter.

And attacks that originated from the US and Malaysia also were reduced by 40 and 45%, respectively.

Now, in order to understand which countries are targeted the most, we break down the DDoS activity by our customers' building countries.

And so for the second consecutive time this year, organizations in the US were targeted with the most Layer 7 DDoS attacks, followed by the UK and Canada.

Now, let's move on to the network layer attacks, Layer 3, 4 of the OSI model.

So while application layer attacks that we've just talked about attempt to strike the application layer, running the service that end user actually tries to access or interact with, the network layer attacks usually target the network infrastructure or the Internet link itself, trying to kind of saturate it or overload the entire data center or servers.

And in Q3, we've seen a lot of volumetric attacks.

This was a quarter when we saw the resurgence of the infamous Mirai botnet.

So what we're looking at right now is a DDoS attack comprised of a dozen UDP and TCP-based attacks launched by Mirai that peaked multiple times above 1 terabit per second with a maximum capacity or maximum rate of 1.2 terabits per second.

These specific attacks were targeted or targeted cloud service customers on the Magic Transit and Spectrum services.

One of these targets was a major APAC-based Internet service, telecom and hosting provider, and the other was a gaming provider.

In all cases, these attacks were automatically detected and mitigated without any human interventions.

And when we look at the distribution of the attacks by month, we can see that in the third quarter or the third quarter of this year actually accounted for more than 38% of all of the attacks.

So just a little over a third and we're only kind of three, fourth way in. September was the busiest month for attackers this quarter and so far in 2021, accounting for over 16% of all of the attacks this year.

Now, there are different ways to measure DDoS attacks.

One is the volume it delivers, measured in bit rates, and the other is the number of packets it delivers, measured as packet rate or packet per second rate.

And attacks with high bit rates usually attempt to cause a denial of service event by clogging the Internet link, while packet rates usually attempt to overwhelm inline appliances, routers, and servers by throwing out the more packets that they can process.

And as seen in previous quarters, the majority of attacks observed in Q3 were relatively small.

However, we have seen an increase in the large attacks.

So for instance, attacks ranging from one to 10 million packets per second increased by 196% compared to previous quarter.

This is a trend that we've actually seen last quarter as well, suggesting that large attacks are still on the rise.

Similarly, in the bit rate perspective, the majority of attacks are small, over 95% are less than 500 megabits per second.

But similarly, compared to the previous quarter, the larger attacks, such as attacks of one to 10 gigabits per second, actually increased by over 126%.

Now, when we look at the distribution of attack vector, and the attack vector is just a fancy way of saying the attack method, we can see that once again, SYN attacks were the most popular vector chosen by attackers, accounting for more than 54% of all attacks.

Afterwards, we have reset attacks and ACK floods as well in third and second and third places.

And while SYN attacks have or remained being very popular, we have seen attacks increase, specifically emerging threats of DTLS.

So basically, DTLS is a type of protocol, kind of similar to TLS. And it increased over 3000% quarter over quarter.

Similarly, SYNF and reset floods, and IPMI attacks as well.

Now, when we look at the top countries, top 10 countries worldwide, Morocco topped the charts in terms of the highest network attack rate observed, after which Asian based countries as well.

And when analyzing the attacks, we actually look at the Cloudflare data center where it originated, to make sure that we don't get spoofed data.

That's how we're able to get very accurate and granular data.

To learn more about these DTLS attacks and to dive in deeper, you can go to and check out the data and dive in deeper.

So with that, I'd like to thank you very much for tuning in.