[jtchang]

How does fingerprinting them help? You can fingerprint them but they are just desktops/mobile phones/laptops that have been compromised to be part of the botnet.

The compromised hosts that are part of the botnet look exactly like normal traffic.

[creeble]

If you have a database of known-compromised hosts (because a fingerprint scan of them shows something clearly identifiable as part of a botnet, which I think is usually rare [but possibly not for Mēris]), it can mitigate an attack if you've already blocked them.

But the problem that still exists is the initialization traffic -- there are still up to 200k hosts that may hit your site (essentially, a syn flood). Depending on your infrastructure, that can still hurt your firewall or single server. But it is unlikely to hurt as much as having to actually respond (through a request stack) to those requests.

[achillean]

That's not what the article said though. They say that the compromised devices had these characteristics among others:

* Port 2000 open

* Port 5678 open

* SOCKS proxy on port 80 (maybe)

Most likely most of the visitors to your website won't have those ports open and exposed to the Internet. That is a really easy way to filter traffic based on the network fingerprint. Especially when you're under attack it's a great way to reduce a majority of the impact without requiring any AI/ ML - just filter traffic from IPs that have TCP port 5678 open. That same technique was also used to identify Mirai bots and it worked well.

[HansOlo23]

Implemented here: https://github.com/craig/merisbot-detect Do you have more info on port 80/socks?