Meris // Mikrotik-based Botnets
- size: 10.000 – 200.00
The Meris botnet first emerged in mid-2021 as a highly potent Distributed Denial of Service (DDoS) threat. It is considered a successor to the infamous Mirai botnet, which gained notoriety for hijacking Internet of Things (IoT) devices to launch large-scale DDoS attacks. Meris, however, is more sophisticated and capable of launching record-breaking attacks with extreme bandwidth by exploiting compromised devices, primarily MikroTik routers.
Meris can generate massive volumes of HTTP requests, overwhelming targets with floods of traffic. In contrast to Mirai, which mainly utilized IoT devices, Meris targets higher-powered network equipment, allowing it to unleash more devastating attacks. Over the last years, Meris has been responsible for several record-breaking attacks against providers like Cloudflare or OVH.
- Introduction // The Anatomy of a Mikrotik RouterOS-Based Botnet Attack
https://www.corero.com/the-anatomy-of-a-mikrotik-routeros-based-botnet-attack/ - Oct 2024
- Cloudflare / How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack
https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/ - May 2024
- OVH / The Rise of Packet Rate Attacks: When Core Routers Turn Evil
https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/ - Aug 2022
- How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps
https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps?ref=blog.kybervandals.com - Dec 2021
- Hundreds of thousands of MikroTik devices still vulnerable to botnets
https://www.bleepingcomputer.com/news/security/hundreds-of-thousands-of-mikrotik-devices-still-vulnerable-to-botnets/ - Nov 2021
- A Brief History of the Meris Botnet
https://blog.cloudflare.com/meris-botnet/ - Sep 2021
- KrebsOnSecurity Hit By Huge New IoT Botnet “Meris”
https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/ - Jul 2021
- Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/
DDoSia by NoName057(16)
- size: 5000 – 9000
DDoSia is a malware toolkit developed by NoName057(16), a pro-Russian hacktivist group.
The toolkit has gained notoriety for its involvement in hacktivist campaigns, particularly during the conflict between Russia and Ukraine, where it has been used to target websites and infrastructure in nations aligned with Ukraine or supporting sanctions against Russia.
DDoSia is capable of sophisticated Layer 7 attacks (pseudo-browsers) and direct-path TCP floods; see also our article „Comparison of DDoS-Frameworks“.
NoName057(16)/DDoSia have been active since mid-2022 and have been analyzed several times:
- DDoS as Attackvector for State-Sponsored/Hacktivist-Groups in Times of Crisis
https://blog.kybervandals.com/ddos-as-attackvector-for-state-sponsored-hacktivist-groups-in-times-of-crisis/
- NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO
https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
- A Blog with NoName
https://www.team-cymru.com/post/a-blog-with-noname
- DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/
- Following NoName057(16) DDoSia Project’s Targets
https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
Gorilla Botnet
The Gorilla DDoS botnet is a relatively recent botnet that was observed engaging in distributed denial-of-service (DDoS) attacks from late 2023. It is a part of a growing trend of IoT-based botnets, similar in nature to botnets like Mirai, but with advanced capabilities to overwhelm targets through high-volume and multi-vector DDoS attacks.
It has been observed in campaigns, most likely by Russian hacktivist groups, against government and financial services in the US, IE, CH and FR.
- Brief technical analysis of the „Gorilla“ botnet by NCSC
https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/gorilla_bericht.html
- Botnet Hits Government Sites With “DDoS”
https://medium.com/@phishfinding/gorilla-botnet-hits-government-sites-with-ddos-ec5cbb219c22
- Abuse.ch is tracking GorillaBotNet as well
https://urlhaus.abuse.ch/browse/tag/GorillaBotnet/
Mirai
- size: 20.000 – 200.000
The Mirai botnet is one of the most infamous botnets in the history of cybersecurity, known for its large-scale exploitation of Internet of Things (IoT) devices to launch Distributed Denial of Service (DDoS) attacks. First discovered in 2016, Mirai quickly became notorious for its ability to compromise poorly secured IoT devices (such as routers, cameras, and DVRs) by using a list of hard-coded default credentials. What makes Mirai unique is the release of its source code in late 2016, which led to widespread adoption by various actors.
While it has been around for 8 years, there is no longer „THE Mirai“ botnet, but many variants. All have in common the exploitation of IoT devices.
- Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/?ref=blog.kybervandals.com/
- The Strange Story of the Teens behind the Mirai – Botnet
https://spectrum.ieee.org/mirai-botnet
- What is Mirai?
https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
- A case study on Mirai Botnet Attack of 2016
https://medium.com/@d21dcs151/a-case-study-on-mirai-botnet-attack-of-2016-4b66630e6508
- Mirai @ Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
- Mirai @ Abuse.ch
https://urlhaus.abuse.ch/browse/tag/Mirai/
Misc Reports
- Eleven11Bot >> 50k
most probably a Mirai variant
emerged early 2025
https://x.com/Shadowserver/status/1896884082421944813
https://www.bleepingcomputer.com/news/security/new-eleven11bot-botnet-infects-86-000-devices-for-ddos-attacks/
- Vo1d malware botnet / Proxy Services, approx. 1.3 million
https://news.drweb.com/show/?i=14900&lng=en&c=9
https://www.bleepingcomputer.com/news/security/vo1d-malware-botnet-grows-to-16-million-android-tvs-worldwide/
previous art / 2014 – 2021
Since 2007, zeroBS employees have been involved in the investigation, analysis, and monitoring of server-based attacker botnets, specifically in the area of DDoS.
This page provides a list of our R&D activities, talks, and papers that have been published on this topic.
- Global DDoS-Campaign targeting ISP [2020/2021]
- Collection of Extortion-Mails/Blackmailing
Analysis, 2017 – 2021 (en)
- New DDoS Attack-Vector via WS-Discovery/SOAPoverUDP, Port 3702
Following an incident response assignment, we identified and analyzed a new DDoS attack vector (August 2019)
- DDoS-Incident-Response – Ein Bericht von der Front
DDoS-Incident-Handling (DFIR), June 2019
- Thors Hammer: eine schlagkräftige DDoS-Angriffsmethode
A successful DDoS attack method we have been using since 2016.
- Analysing the DDOS-Threat-Landscape, Part 1: UDP Amplification/Reflection
Ongoing analysis of the DDoS threat landscape, since May 2018.
- ZombieWPress – Analyse eines WordPress-Botnetzes
Analysis, Jul 2017
- Neues IoT-Botnetz identifiziert (P81)
Analysis, Apr 2017
- Nichts geht mehr: Aktuelle Situation zu Distributed-Denial-of-Service-(DDoS)-Angriffen (PDF)
Funkschau, November 2016
- Big Brother is attacking you – DDoS-Angriffe von einem CCTV-Kamera-Botnet (IoT)
August 2016
- ElasticZombie Botnet – Exploiting Elasticsearch Vulnerabilities
Guest post on the AlienVault blog, December 2015.
- ElasticZombie, Insight into an ElasticSearch Botnet (PDF)
Talk, BSidesHH, 28.12.2015, Hamburg
- Klebefallen: Botnetzangriffe mit Honeypots analysieren (PDF)
iX, November 2015
- Swell on the horizon – watching Scanners searching for Bittorrent clients
August 2015
- DDoS-Angriffe auf ukrainische und russische Rechenzentren
April 2015
- Server-Botnet with massive SSH-Brute-Force-Attacks
December 2014