mikrotik meris botnet?

[tinfoil3d]

Guys, something is going on, check your internet-facing mikrotiks.

New Mēris botnet breaks DDoS record with 21.8 million RPS attack

A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second.

www.bleepingcomputer.com

 

[tinfoil3d]

Anyone seeing anything suspicious in logs or network activity?

 

[zack$]

200k Mikrotik devices involved in DDoS botnet - MikroTik

forum.mikrotik.com

Check your IP/Socks

 

[tinfoil3d]

Port 2000 and 5678 seem to be of interest. Also people say it seems mynetname dot net has been taken offline, think i saw that in ddns settings. Personally I dont have any internet facing ones but couple of switches running swos with port-limited access, and one hap ac3, in the nat, also with vlan-limited management access.

 

[leon_pro]

Anyone seeing anything suspicious in logs or network activity?

I have a rule: disable things that I don't use or don't want to expose to public internet. It saved me this time.

 

[tinfoil3d]

I have a rule: disable things that I don't use or don't want to expose to public internet. It saved me this time.

Rightfully so, however it seems a lot of users were affected. My friend seems to be fine but I remember helping him two or so years ago when he bought mikrotik router just because "they're probably better than your average"
And I remember helping him open ports back then and I was like, what the actual heck, I need to write a whole iptables rule to do just that! He still managed to initially configure that for pppoe access somehow...

 

[Stril]

Mikrotik is so great for its flexibility, but as they are priced as consumer-gear, they are often mistreated.

There is no default-config, that saves anybody from doing dangerous things.

Opening winbox at WAN should never be an option....

 

[tinfoil3d]

the army of mikrotiks strongly and quickly disagrees with "saves anybody" comment above

 

[tinfoil3d]

Radar by Qrator there's a checker for those who have static IP, might be easy to check up, also make sure to tell all your friends to check their ip->socks settings, scheduler, disable bwtest server and such unused stuff.
I believe this thread should be sticky for the time being.

 

[tinfoil3d]

Oh yeah, in case anyone missed this, mikrotik recently publushed this guide Mēris botnet

 

[Stefan75]

There is no default-config, that saves anybody from doing dangerous things.

I was new to Mikrotik routers a few months ago.
Got one that was outdated and without firewall rules.
Had to update packages and firmware (quite hidden).
Then reset to default and finally got a good set of firewall rules.
I can only recommend MT to advanced users (time to learn).