DDoS attacks like this are usually launched from a large number of malware-ridden personal computers. Since the attacks are coming from IP addresses on residential networks, they're very hard to differentiate from legitimate traffic.
What's different about this attack is that it appears not to be PCs but network devices (routers) that are being taken over and used to launch attacks.
People are much less likely to catch that this is occurring, and as a result there are concerns that this botnet is going to persist as a threat for a much longer time than is typical. Additionally, network devices may have access to a greater amount of bandwidth than a PC, increasing the threat.
One more thing: when the botnet makes a request (attack) against a site, it's using a modern performance optimization technique called "pipelining": instead of a GET to "/index.html" only interacting with the index.html file, it's holding the connection open to then also request all the other assets from the site. In normal usage this is great, as it makes a site feel more responsive and reduces network overhead. However, in the context of this botnet it also increases the number of requests that each bot can make (which is bad).
Great explanation...
For anyone interested, the following Jupyter notebook explains three different ways to process HTTP requests: serial requests (the baseline), pipelined requests, and parallel requests with multiple connections (and without threads).
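The serial baseline and the pipelined variant described in the two comments above, as an added example written for this page (it is not the notebook mentioned above, nor code from the article or either commenter): a stdlib HTTP/1.1 server on localhost serves a constructed four-file "site"; the client fetches it once with a fresh connection per request and once with all four requests written up front on a single connection, and the server logs hits per client connection so the difference is measurable rather than just asserted. The asset set, the handler class and the client helpers are all assumptions made for the illustration; the parallel multi-connection variant from the notebook is not shown.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample site: the index page plus the assets a browser fetches right after it.
ASSETS = {
    "/index.html": b"<html><link href=/style.css><script src=/app.js></script></html>",
    "/style.css": b"body { color: #333 }",
    "/app.js": b"console.log('hi')",
    "/logo.png": b"\x89PNG not really an image",
}


class AssetHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive by default; pipelining depends on it
    seen = []  # (client (ip, port), path) for every request handled, in order

    def do_GET(self):
        AssetHandler.seen.append((self.client_address, self.path))
        body = ASSETS.get(self.path, b"")
        self.send_response(200 if self.path in ASSETS else 404)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def read_response(rfile):
    """Parse one Content-Length framed HTTP response from a buffered socket file."""
    status_line = rfile.readline()
    if not status_line:
        raise ConnectionError("server closed the connection before answering")
    status, length = int(status_line.split()[1]), 0
    while True:
        line = rfile.readline()
        if line in (b"\r\n", b"\n", b""):  # blank line ends the header block
            break
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "content-length":
            length = int(value)
    return status, rfile.read(length)


def serial_fetch(port, paths):
    """Baseline: a fresh TCP connection per request, closed after its single response."""
    results = []
    for path in paths:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(f"GET {path} HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n".encode())
            with s.makefile("rb") as rf:
                results.append(read_response(rf))
    return results


def pipelined_fetch(port, paths):
    """Pipelining: every request is written up front on ONE connection, then the
    responses are read back in order. len(paths) server hits for one TCP handshake."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"".join(f"GET {p} HTTP/1.1\r\nHost: localhost\r\n\r\n".encode() for p in paths))
        with s.makefile("rb") as rf:
            return [read_response(rf) for _ in paths]


def requests_per_connection(seen):
    """Collapse the server's request log into a sorted list of hits per client connection."""
    counts = {}
    for client, _ in seen:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.values())


def demo():
    """Fetch the whole site both ways; report statuses, bodies and connections used."""
    srv = HTTPServer(("127.0.0.1", 0), AssetHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port, paths = srv.server_address[1], list(ASSETS)
    try:
        AssetHandler.seen.clear()
        serial = serial_fetch(port, paths)
        serial_conns = requests_per_connection(AssetHandler.seen)  # [1, 1, 1, 1]
        AssetHandler.seen.clear()
        pipelined = pipelined_fetch(port, paths)
        pipelined_conns = requests_per_connection(AssetHandler.seen)  # [4]
    finally:
        srv.shutdown()
        srv.server_close()
    return {"serial": serial, "serial_connections": serial_conns,
            "pipelined": pipelined, "pipelined_connections": pipelined_conns}
```

Calling demo() shows the asymmetry the first comment is pointing at: the serial client costs the server four TCP connections for four requests, while the pipelined client delivers the same four requests on one connection. Any limit that counts connections (or treats one connection as roughly one request) undercounts a pipelining client; the per-connection request count that the handler's seen log produces is the number a rate limiter actually needs.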
0. There seems to be a MikroTik exploit, and all versions are vulnerable. Well, it's possible that someone collected the passwords back in 2018 and used them to access updated devices this year, but I guess naaah.
I wonder what should happen to that fine company to make them stop running all the potentially vulnerable system configuration services on all interfaces by default. IP > Services is one of the locations anyone should check ASAP to make sure unneeded ones are disabled, but it's actually misleading. These are just preconfigured wrappers for some components, and others, like DNS or bandwidth test server mentioned in the article, are not shown even if they are running. There isn't even a netstat-like command to check which ports are open.
1. While reaching a record number, the attack against something on the scale of Yandex and Cloudflare is more of a maximum-capacity test not limited by the target's connectivity, and/or an advertisement for someone's DDoS services.
2. Still, it's an application-level DDoS, so you have to have swift application-level detection in place if you don't want to just ban IP addresses (and potentially cut legitimate users off from HTTP(S) APIs and other services that might be shared on the server or network).
3. Some skill was demonstrated in finding non-trivial weak points to amplify the server load.
I understand the purpose of a botnet. I was asking for an explanation of the technical details of this apparent advancement. But apparently snide comments purposely devoid of any detail are what I'm getting here now. Cheers