In April 2024, French cloud computing giant OVHcloud successfully mitigated a colossal distributed denial-of-service (DDoS) attack, which peaked at an unprecedented rate of 840 million packets per second (Mpps).
This attack surpassed the previous record of 809 Mpps, which targeted a major European bank in June 2020, as reported by Akamai.
The Attack’s Composition
The 840 Mpps DDoS assault comprised a combination of a TCP ACK flood, originating from 5,000 source IPs, and a DNS reflection attack leveraging approximately 15,000 DNS servers to amplify the traffic.
Despite the global distribution of the attack, OVHcloud identified that two-thirds of the total packets entered through only four points of presence, all situated in the United States, with three located on the west coast.
This highlights the adversary’s capability to generate a massive packet rate through minimal peerings, posing significant challenges.
Rising Frequency and Intensity of DDoS Attacks
OVHcloud has observed a marked increase in both the frequency and intensity of DDoS attacks since 2023. Attacks exceeding 1 terabit per second (Tbps) have become a regular occurrence.
Sebastien Meriot of OVHcloud noted, “In the past 18 months, we went from 1+ Tbps attacks being quite rare, then weekly, to almost daily (averaged out over one week). The highest bit rate we observed during that period was ~2.5 Tbps.”
Understanding Packet Rate Attacks
Unlike conventional DDoS attacks that overwhelm targets with a flood of junk traffic to exhaust available bandwidth, packet rate attacks aim to overload the packet processing engines of networking devices near the destination, such as load balancers.
OVHcloud’s data reveals a sharp increase in DDoS attacks with packet rates exceeding 100 Mpps during the same period. Many of these attacks originate from compromised MikroTik Cloud Core Router (CCR) devices, with 99,382 MikroTik routers accessible over the internet.
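The distinction above (packet rate versus bandwidth) is what a defender's telemetry should separate. The following added example, not OVHcloud's code, summarises constructed per-second packet and byte counters into pps, bps and mean packet size, then labels each window; the two thresholds are assumptions chosen for illustration, not OVHcloud's operating values.

```python
"""Label traffic windows as packet-rate floods vs volumetric floods."""
from collections import defaultdict

# Assumed thresholds for this example (not OVHcloud's values).
PPS_THRESHOLD = 1_000_000       # packets/s at which we call it a packet-rate flood
BPS_THRESHOLD = 1_000_000_000   # bits/s at which we call it a volumetric flood


def summarise(samples):
    """samples: iterable of (second, packets, bytes) counters.
    Returns {second: (pps, bps, mean_packet_bytes)} with counters that
    fall in the same second merged (e.g. from several collectors)."""
    pkts = defaultdict(int)
    byts = defaultdict(int)
    for sec, p, b in samples:
        pkts[sec] += p
        byts[sec] += b
    return {
        sec: (pkts[sec], byts[sec] * 8, byts[sec] / pkts[sec] if pkts[sec] else 0.0)
        for sec in sorted(pkts)
    }


def classify(pps, bps):
    """A packet-rate flood is many small packets: pps high while bps stays
    modest, so a bandwidth-only alarm misses it. A volumetric flood is
    judged on bps regardless of packet count."""
    if bps >= BPS_THRESHOLD:
        return "volumetric"
    if pps >= PPS_THRESHOLD:
        return "packet-rate"
    return "normal"


def classify_windows(samples):
    """Map each second to its label, using the summaries above."""
    return {sec: classify(pps, bps) for sec, (pps, bps, _) in summarise(samples).items()}


# Constructed sample counters: (second, packets, bytes).
SAMPLES = [
    (0, 20_000, 30_000_000),        # ~1500-byte packets, 240 Mbit/s: normal
    (1, 2_000_000, 120_000_000),    # 60-byte packets, 2 Mpps, 960 Mbit/s: packet-rate
    (2, 900_000, 1_350_000_000),    # 1500-byte packets, 0.9 Mpps, 10.8 Gbit/s: volumetric
]

if __name__ == "__main__":
    for sec, (pps, bps, mean) in summarise(SAMPLES).items():
        print(f"t={sec}s pps={pps:,} bps={bps:,} mean={mean:.0f}B -> {classify(pps, bps)}")
```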
Vulnerabilities in MikroTik Routers
These MikroTik routers expose an administration interface and run on outdated operating systems, making them vulnerable to known security flaws in RouterOS. It is suspected that threat actors are exploiting the operating system’s Bandwidth test feature to execute the attacks.
Even hijacking 1% of the exposed devices into a DDoS botnet could potentially enable adversaries to launch layer 7 attacks reaching 2.28 billion packets per second (Gpps).
Potential for Future Attacks
MikroTik routers have a history of being used to build powerful botnets, such as Mēris, and for launching botnet-as-a-service operations.
According to Meriot, “Depending on the number of compromised devices and their actual capabilities, this could be a new era for packet rate attacks: with botnets possibly capable of issuing billions of packets per second, it could seriously challenge how anti-DDoS infrastructures are built and scaled.”
Conclusion
The record-breaking 840 Mpps DDoS attack on OVHcloud underscores the evolving threat landscape and the increasing sophistication of cyber adversaries.
The exploitation of vulnerabilities in MikroTik routers to launch high-rate packet attacks presents significant challenges to existing anti-DDoS measures.
As cyber threats continue to escalate, it is imperative for organizations to enhance their defensive capabilities and stay vigilant against potential vulnerabilities in their infrastructure.