OVHcloud, a global cloud services provider and one of the largest of its kind in Europe, says it mitigated a record-breaking distributed denial of service (DDoS) attack earlier this year that reached an unprecedented packet rate of 840 million packets per second (Mpps).
The company reports that it has seen a general trend of increased attack sizes starting in 2023, with those exceeding 1 Tbps becoming more frequent and escalating to weekly and almost daily occurrences in 2024.
Multiple attacks sustained high bit rates and packet rates over extended periods in the past 18 months, with the highest bit rate recorded by OVHcloud during that period being 2.5 Tbps on May 25, 2024.
Analyzing some of those attacks revealed the extensive use of core network devices, particularly Mikrotik models, making the attacks more impactful and challenging to detect and stop.
Record-breaking DDoS
Earlier this year, OVHcloud had to mitigate a massive packet rate attack that reached 840 Mpps, surpassing the previous record holder, an 809 Mpps DDoS attack targeting a European bank, which Akamai mitigated in June 2020.
“Our infrastructure had to mitigate several 500+ Mpps attacks at the beginning of 2024, including one peaking at 620 Mpps,” explains OVHcloud.
“In April 2024, we even mitigated a record-breaking DDoS attack reaching ~840 Mpps, just above the previous record reported by Akamai.”
The cloud services provider noted that the TCP ACK attack originated from 5,000 source IPs. Two-thirds of the packets were routed through just four Points of Presence (PoPs), all in the United States and three on the West Coast.
The attacker’s ability to concentrate this massive traffic through a relatively narrow spectrum of internet infrastructure makes these DDoS attempts more formidable and more challenging to mitigate.
Powerful Mikrotiks blamed
OVHcloud says many of the high packet rate attacks it recorded, including the record-breaking attack from April, originate from compromised MirkoTik Cloud Core Router (CCR) devices designed for high-performance networking.
The firm identified, specifically, compromised models CCR1036-8G-2S+ and CCR1072-1G-8S+, which are used as small—to medium-sized network cores.
Many of these devices exposed their interface online, running outdated firmware and making them susceptible to attacks leveraging exploits for known vulnerabilities.
The cloud firm hypothesizes that attackers might use MikroTik’s RouterOS’s “Bandwidth Test” feature, designed for network throughput stress testing, to generate high packet rates.
OVHcloud found nearly 100,000 Mikrotik devices that are reachable/exploitable over the internet, making up for many potential targets for DDoS actors.
Due to the high processing power of MikroTik devices, which feature 36-core CPUs, even if a small percentage of those 100k were compromised, it could result in a botnet capable of generating billions of packets per second.
OVHcloud calculated that hijacking 1% of the exposed models into a botnet could give attackers enough firepower to launch attacks, reaching 2.28 billion packets per second (Gpps).
MikroTik devices have been leveraged for building powerful botnets again in the past, with a notable case being the Mēris botnet.
Despite the vendor’s multiple warnings to users to upgrade RouterOS to a secure version, many devices remained vulnerable to attacks for months, risking being enlisted in DDoS swarms.
OVHcloud says it has informed MikroTik of its latest findings, but they have not received a response.