# IoT security margin of error

**Published by:** [Doug Lane](https://paragraph.com/@axalane/)
**Published on:** 2022-03-30
**URL:** https://paragraph.com/@axalane/iot-security-margin-of-error

## Content

One of the scary things about yesterday's IoT botnet example is that it doesn't take many product vendor security misfires to create one.

Consider this example. In August 2021, content delivery network (CDN) provider Cloudflare absorbed an IoT botnet attack that was generating 17.2 million requests per second at its peak. Kind of a lot, right? The same botnet, known as Meris, took down Yandex (basically Russian Google) around the same time with an attack that peaked at 21.8 million requests per second.

So you might think Meris must have enlisted many different kinds of IoT devices to pack that much punch, right? Nope. It is primarily powered by hijacked devices from a single vendor you've probably never heard of: Latvian networking gear company MikroTik. (Meris is the Latvian word for "plague," apparently.)

And the really scary part is that MikroTik released a patch for the vulnerability Meris exploits in 2018 and has been doing active outreach to customers. But there are still a couple hundred thousand devices whose owners missed the memo.

So, this is a pretty good illustration of how narrow the margin of error is when it comes to getting IoT device security practices right.

-Doug