OVHcloud Targeted by Record 840 Million PPS DDoS Attack Using MikroTik Routers
In April 2024, OVHcloud, a French cloud services provider, reported mitigating a record distributed denial-of-service (DDoS) attack that reached a packet rate of 840 million packets per second (Mpps).
This figure slightly exceeded the previous record of 809 Mpps, reported by Akamai for an attack against a major European bank in June 2020.
The 840 Mpps DDoS attack is believed to have combined a TCP ACK flood originating from 5,000 source IPs with a DNS reflection attack that used approximately 15,000 DNS servers to amplify the traffic volume.
“Even though the attack was geographically widespread, 2/3 of the total packets were received from only four [points of presence], all situated in the U.S., with three of them located on the western coast,” as per OVHcloud’s statement. “This underscores the aggressor’s ability to transmit an extensive packet rate through only a few connections, which could pose significant challenges.”
The company noted a marked increase in both the frequency and intensity of DDoS attacks since 2023, with those exceeding 1 terabit per second (Tbps) becoming commonplace.
“Within the past year and a half, the occurrence of 1+ Tbps attacks has transitioned from being relatively uncommon to occurring almost daily (averaged over a week),” stated OVHcloud’s Sebastien Meriot. “The highest data rate recorded during this period was ~2.5 Tbps.”
Unlike conventional DDoS attacks, which flood targets with junk traffic to exhaust available bandwidth, packet rate attacks work by overwhelming the packet processing engines of networking devices close to the target, such as load balancers.
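The following added example (not from OVHcloud or the original article) shows how a defender could tell the two attack types apart from cumulative interface counters, by comparing bandwidth utilization against packet-processing utilization per interval. The device capacities, the 80% threshold and the counter samples are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed capacity of the protected device (hypothetical load balancer).
LINK_BPS = 100e9      # bandwidth limit: 100 Gbit/s
MAX_PPS = 30e6        # packet-processing limit: 30 Mpps
COUNTER_MAX = 2**64   # 64-bit cumulative counters wrap at this value

@dataclass
class Sample:
    ts: float     # sample time in seconds
    octets: int   # cumulative bytes received
    packets: int  # cumulative packets received

def delta(new, old):
    """Counter difference that tolerates a single wrap-around."""
    return (new - old) % COUNTER_MAX

def classify(prev, cur, threshold=0.8):
    """Label one interval by which resource is close to exhaustion."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    pkts = delta(cur.packets, prev.packets)
    octs = delta(cur.octets, prev.octets)
    bw_util = (octs * 8 / dt) / LINK_BPS
    pps_util = (pkts / dt) / MAX_PPS
    bw_hot, pps_hot = bw_util >= threshold, pps_util >= threshold
    if bw_hot and pps_hot:
        label = "both"
    elif pps_hot:
        label = "packet-rate"   # small packets: link has room, CPU/ASIC does not
    elif bw_hot:
        label = "bandwidth"     # large packets: link saturated first
    else:
        label = "normal"
    return {"label": label, "pps": pkts / dt, "bps": octs * 8 / dt,
            "avg_size": octs / pkts if pkts else 0.0}

def classify_all(samples):
    return [classify(a, b) for a, b in zip(samples, samples[1:])]

# Constructed samples, 10 s apart; the octet counter wraps in the first interval.
SAMPLES = [
    Sample(0, COUNTER_MAX - 1_000, 0),
    Sample(10, 15_999_999_000, 20_000_000),     # 2 Mpps of 800-byte packets
    Sample(20, 127_999_999_000, 100_000_000),   # 8 Mpps of 1400-byte packets
    Sample(30, 145_919_999_000, 380_000_000),   # 28 Mpps of 64-byte packets
]

if __name__ == "__main__":
    for r in classify_all(SAMPLES):
        print(f"{r['label']:<12} {r['pps']/1e6:6.1f} Mpps {r['bps']/1e9:6.1f} Gbps")
```

In the last interval the link carries only about 14 Gbit/s, yet the device is at 93% of its assumed packet-processing budget, which a bandwidth-only alarm would miss.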
Data collected by the firm indicates a noticeable rise in DDoS attacks employing packet rates exceeding 100 Mpps during the same timeframe, with many originating from compromised MikroTik Cloud Core Router (CCR) devices. Nearly 99,382 MikroTik routers are reachable via the internet.
These routers, besides exposing an administrative interface, run outdated operating system versions, leaving them susceptible to known security flaws in RouterOS. Threat actors are suspected of abusing the operating system's Bandwidth test feature to carry out the attacks.

It’s estimated that hijacking even 1% of the exposed devices into a DDoS botnet could theoretically give adversaries enough capacity to launch layer 7 attacks reaching 2.28 billion packets per second (Gpps).
MikroTik routers have previously been used to build powerful botnets such as Mēris and even to run botnet-as-a-service operations.
“Depending on the quantity of compromised devices and their actual capabilities, this could signify a new phase for packet rate attacks: with botnets potentially capable of generating billions of packets per second, it could pose a considerable challenge to the architecture and scalability of anti-DDoS infrastructures,” Meriot said.


