OVHcloud Targeted with Unprecedented 840 Million PPS DDoS Assault Utilizing MikroTik Routers

Jul 05, 2024NewsroomNetwork Security / DDoS Attack


OVHcloud, a French cloud computing company, has revealed that it successfully countered an unparalleled distributed denial-of-service (DDoS) onslaught in April 2024, reaching an astonishing packet rate of 840 million packets per second (Mpps).

This incident exceeded the previous high of 809 million Mpps noted by Akamai in an attack against a major European bank back in June 2020.

According to reports, the 840 Mpps DDoS strike comprised a TCP ACK flood emanating from 5,000 different source IPs alongside a DNS reflection attack involving approximately 15,000 DNS servers to amplify the traffic.

“Although the attack spread globally, a significant majority of the packets, about 2/3, entered through just four points of presence, with three located on the west coast of the U.S.,” OVHcloud stated. “This emphasizes the adversary’s ability to unleash a massive packet rate through a minimal set of connections, posing considerable challenges.”


The company highlighted a noticeable surge in DDoS assaults in terms of both frequency and potency since 2023, with attacks exceeding 1 terabit per second (Tbps) now being a regular sight.

“In the last 18 months, we’ve witnessed a transition from 1+ Tbps attacks being uncommon, then weekly, to nearly daily instances (averaged over a week),” remarked Sebastien Meriot of OVHcloud. “The highest bit rate we encountered during that period was approximately 2.5 Tbps.”

Unlike conventional DDoS attacks that flood targets with junk traffic to deplete available bandwidth, packet rate attacks overwhelm the packet processing mechanisms of network devices near the destination, like load balancers.
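
To make that distinction concrete, the following added example (not from OVHcloud or the original article) classifies interface-counter samples by which budget is exhausted first: link bandwidth or the device's packet-processing rate. The capacities, alert threshold and counter samples are constructed assumptions for a hypothetical load balancer.

```python
from dataclasses import dataclass

# Assumed capacities of a hypothetical load balancer (not from the article).
LINK_BPS = 100e9     # link bandwidth, bits per second
FORWARD_PPS = 30e6   # packet-processing budget, packets per second
ALERT = 0.8          # assumed utilisation threshold for raising an alert

@dataclass
class Sample:
    t: float       # sample time, seconds
    octets: int    # cumulative received bytes
    packets: int   # cumulative received packets

def classify(prev: Sample, cur: Sample) -> dict:
    """Report which resource an interval stresses: bandwidth or packet rate."""
    dt = cur.t - prev.t
    d_pkts = cur.packets - prev.packets
    d_octs = cur.octets - prev.octets
    if dt <= 0 or d_pkts < 0 or d_octs < 0:
        raise ValueError("non-monotonic samples (counter reset or reordering)")
    pps_util = (d_pkts / dt) / FORWARD_PPS
    bps_util = (d_octs * 8 / dt) / LINK_BPS
    if max(pps_util, bps_util) < ALERT:
        verdict = "normal"
    elif pps_util >= bps_util:
        verdict = "packet-rate"   # small packets exhaust per-packet processing
    else:
        verdict = "volumetric"    # large packets fill the link first
    return {
        "verdict": verdict,
        "pps_util": pps_util,
        "bps_util": bps_util,
        "avg_packet_bytes": d_octs / d_pkts if d_pkts else 0.0,
    }

# Constructed counter samples, 10 s apart: ordinary traffic (800-byte average),
# then a flood of 64-byte packets, then a flood of 1400-byte packets.
SAMPLES = [
    Sample(0, 0, 0),
    Sample(10, 16_000_000_000, 20_000_000),
    Sample(20, 41_600_000_000, 420_000_000),
    Sample(30, 153_600_000_000, 500_000_000),
]

def run(samples=SAMPLES):
    return [classify(a, b) for a, b in zip(samples, samples[1:])]

if __name__ == "__main__":
    for result in run():
        print(result)
```

In the second interval the link is only about 20% utilised while the packet-processing budget is exceeded, which is why bandwidth graphs alone miss this class of attack.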


Data gathered by the company demonstrates an increase in DDoS attacks utilizing packet rates surpassing 100 Mpps during the same period, with a significant number originating from compromised MikroTik Cloud Core Router (CCR) devices. Nearly 99,382 MikroTik routers can be accessed over the internet.

These routers, in addition to exposing administrative interfaces, run outdated OS versions, leaving them vulnerable to known security flaws in RouterOS. Threat actors are believed to be exploiting the OS’s Bandwidth test feature to carry out these attacks.


It’s estimated that commandeering just 1% of these vulnerable devices into a DDoS botnet could potentially provide threat actors with the capacity to launch layer 7 attacks generating 2.28 billion packets per second (Gpps).

It’s worth mentioning that MikroTik routers have been previously exploited to construct formidable botnets like Mēris and even utilized for offering botnet-as-a-service operations.

“Depending on the number of compromised devices and their capabilities, we might be entering a new phase for packet rate attacks: with potential botnets capable of releasing billions of packets per second, there could be a significant impact on how anti-DDoS infrastructures are architected and scaled,” noted Meriot.
