# IoT security margin of error

By [Doug Lane](https://paragraph.com/@axalane) · 2022-03-30

---

One of the scary things about [yesterday's IoT botnet example](https://mirror.xyz/axalane.eth/TdASKPHInoVnNx1HphCRttogit_M8IYswVOeZa43nbk) is that it doesn't take many product vendor security misfires to create one.

Consider this example. In August 2021, content delivery network (CDN) provider Cloudflare absorbed an IoT botnet attack that was [generating 17.2 million requests per second](https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/) at its peak. Kind of a lot, right?

The same botnet, known as Meris, took down Yandex (basically Russian Google) around the same time with an attack that peaked at 21.8 million requests per second.

So you might think Meris must have enlisted many different kinds of IoT devices to pack that much punch, right?

Nope.

It is primarily powered by hijacked devices from a single vendor you've probably never heard of: Latvian networking gear company MikroTik. (Meris is the Latvian word for "plague," apparently.)

And the really scary part is that MikroTik released a patch in 2018 for the vulnerability Meris exploits and has been [doing active outreach](https://blog.mikrotik.com/security/meris-botnet.html) to customers ever since. But there are still a couple hundred thousand devices whose owners missed the memo.

So, this is a pretty good illustration of how narrow the margin of error is when it comes to getting IoT device security practices right.

\-Doug

---

*Originally published on [Doug Lane](https://paragraph.com/@axalane/iot-security-margin-of-error)*
