OVHcloud Faces Unprecedented 840 Million PPS DDoS Attack Leveraging MikroTik Routers

Record DDoS Attack Mitigated by OVHcloud

In April 2024, French cloud service provider OVHcloud successfully mitigated an unprecedented distributed denial-of-service (DDoS) attack, reportedly peaking at a staggering 840 million packets per second (Mpps). This incident surpasses the previous record of 809 million Mpps, which was inflicted on a significant European bank in June 2020, as documented by cybersecurity firm Akamai.

The attack was characterized as a sophisticated hybrid assault, combining a TCP ACK flood from approximately 5,000 different source IPs alongside a DNS reflection attack that utilized about 15,000 DNS servers to amplify the volume of malicious traffic. OVHcloud noted that despite the global nature of the attack, approximately two-thirds of the total packet influx originated from just four points of presence in the United States, three of which were situated on the West Coast. This concentration of traffic underscores the adversary’s capability to generate an enormous packet rate through limited peer connections, presenting significant challenges for targeted systems.

Since the beginning of 2023, OVHcloud has reported a notable surge in DDoS attacks, marked by both increased frequency and intensity. In fact, attacks exceeding 1 terabit per second (Tbps) have become almost routine. Sebastien Meriot, an executive at OVHcloud, highlighted a dramatic shift in the landscape of DDoS threats, noting that what were once rare occurrences have now transitioned to nearly daily assaults, with the highest bit rate observed during this timeframe reaching approximately 2.5 Tbps.

DDoS tactics have evolved, shifting from traditional flooding methods that overwhelmed bandwidth to innovative packet rate attacks aimed at overloading the packet processing capabilities of nearby network devices, such as load balancers. Data collected by OVHcloud illustrates a sharp uptick in attacks firing at a packet rate exceeding 100 Mpps, many of which have been traced back to compromised MikroTik Cloud Core Router (CCR) devices.

These routers represent a critical vulnerability, as they not only expose administration interfaces but often operate on outdated versions of their operating systems. Such outdated systems are prone to well-known vulnerabilities in RouterOS, which attackers may exploit, potentially utilizing the operating system’s Bandwidth Test feature to facilitate their attacks. Significantly, there are nearly 99,382 MikroTik routers currently accessible over the internet, raising substantial concerns among cybersecurity professionals.

Theoretical models indicate that seizing control of just 1% of these exposed MikroTik devices could enable attackers to launch layer 7 attacks generating traffic exceeding 2.28 billion packets per second (Gpps). Historically, MikroTik routers have been instrumental in constructing formidable botnets, including the infamous Mēris, and have even been leveraged in botnet-as-a-service schemes.

As the cybersecurity landscape shifts, experts are warning that the rise of such assaults may signal a new era for packet rate attacks. Meriot emphasized the potential implications for anti-DDoS infrastructure, raising the specter of botnets with the capability to issue billions of packets per second, thus challenging existing defenses.

In evaluating the attack through the lens of the MITRE ATT&CK framework, it appears that initial access through exploitation of vulnerable devices, persistence via compromised network elements, and privilege escalation could have been tactics employed by the attackers. As organizations continue to adapt to the evolving threat landscape, vigilance and robust cybersecurity measures remain imperative to defend against increasingly sophisticated DDoS threats.

As this alarming trend continues to develop, business owners must engage in proactive measures to secure their networks and systems. The confluence of emerging technologies and persistent threats reinforces the necessity for a strategic approach to cybersecurity, including regular system updates and comprehensive threat assessments.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *