DDoS attacks have evolved considerably since 2016, with Mirai-like botnets setting new records.
Attack frequency and intensity increased notably in 2023, with attacks above 1 Tbps occurring almost daily by 2024.
Cybersecurity researchers at OVHcloud observed a record-breaking DDoS attack of 840 Mpps and reported that peaks of around 2.5 Tbps were also seen.
Record-Breaking DDoS Attack
The drop in attacks coincided with the dismantling of the 911 S5 botnet in May 2024; however, whether the two were causally linked remains unconfirmed.
Though attack frequency has returned to normal, high packet rate attacks (>100 Mpps) still thrive.
A distributed denial of service (DDoS) attack can target either the link's bandwidth or the devices' packet-processing capacity.
Rather than saturating the internet connection, packet rate attacks aim to exhaust the processing capacity of networking devices.
They are effective because handling many small packets costs more computation than handling fewer large ones.
For instance, a 10 Gbps attack using 84-byte packets generates approximately 14.88 Mpps, whereas the same bandwidth carried in 1480-byte packets amounts to only about 0.85 Mpps.
This problem led OVHcloud to develop custom networking appliances based on FPGAs and DPDK to mitigate DDoS attacks more efficiently.
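The bandwidth-versus-packet-rate arithmetic above, and the distinction between a volumetric flood and a packet-rate flood, can be made concrete with a small calculator and classifier. The following is an added example, not OVHcloud's code or tooling; the counter line format, the per-second samples and the thresholds (100 Mpps as the high-packet-rate bar, a 10 Gbps link, 128 bytes as a "small" frame) are all constructed assumptions for illustration.

```python
"""Packet-rate vs. bandwidth calculator and a per-second traffic classifier.

Added example (not OVHcloud's code). Thresholds, the counter line format and
the sample counters are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Layer-1 overhead per Ethernet frame: 7-byte preamble + 1-byte SFD + 12-byte
# inter-frame gap = 20 bytes. A minimum 64-byte frame therefore occupies 84
# bytes of wire time, which is where the 84-byte figure in the text comes from.
L1_OVERHEAD_BYTES = 20


def packets_per_second(bandwidth_bps: float, frame_bytes: int,
                       include_l1_overhead: bool = False) -> float:
    """Packet rate that fills bandwidth_bps with frames of frame_bytes."""
    wire_bytes = frame_bytes + (L1_OVERHEAD_BYTES if include_l1_overhead else 0)
    return bandwidth_bps / (wire_bytes * 8)


def bandwidth_bps(pps: float, frame_bytes: int) -> float:
    """Inverse: bits per second needed to carry pps frames of frame_bytes."""
    return pps * frame_bytes * 8


@dataclass
class SecondSample:
    second: int
    packets: int
    octets: int

    @property
    def avg_frame_bytes(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


def parse_counters(text: str) -> List[SecondSample]:
    """Parse lines of the constructed form 't=<sec> pkts=<n> bytes=<n>'."""
    samples = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        samples.append(SecondSample(int(fields["t"]), int(fields["pkts"]), int(fields["bytes"])))
    return samples


def classify(sample: SecondSample,
             pps_threshold: float = 100e6,   # assumed: the ">100 Mpps" bar from the text
             bps_threshold: float = 10e9,    # assumed: a 10 Gbps link
             small_frame_bytes: int = 128) -> str:
    """Label one second of traffic.

    A high packet rate made of small frames points at packet-processing
    exhaustion; a high bit rate made of large frames points at link saturation.
    """
    pps = sample.packets
    bps = sample.octets * 8
    if pps >= pps_threshold and sample.avg_frame_bytes <= small_frame_bytes:
        return "packet-rate"
    if bps >= bps_threshold:
        return "volumetric"
    if pps >= pps_threshold:
        return "packet-rate"
    return "normal"


# Constructed per-second counters: a baseline second, a large-frame flood,
# and a small-frame flood.
SAMPLE_COUNTERS = """
t=1 pkts=2000000 bytes=800000000
t=2 pkts=1500000 bytes=2100000000
t=3 pkts=150000000 bytes=9600000000
"""


def analyse(text: str = SAMPLE_COUNTERS) -> List[dict]:
    """Return per-second Mpps, Gbps, average frame size and verdict."""
    return [
        {
            "second": s.second,
            "mpps": round(s.packets / 1e6, 2),
            "gbps": round(s.octets * 8 / 1e9, 2),
            "avg_frame_bytes": round(s.avg_frame_bytes, 1),
            "verdict": classify(s),
        }
        for s in parse_counters(text)
    ]


if __name__ == "__main__":
    print(f"10 Gbps of 84-byte slots:    {packets_per_second(10e9, 84) / 1e6:.2f} Mpps")
    print(f"10 Gbps of 1480-byte frames: {packets_per_second(10e9, 1480) / 1e6:.2f} Mpps")
    print(f"840 Mpps of 64-byte frames:  {bandwidth_bps(840e6, 64) / 1e9:.1f} Gbps (frame payload only)")
    for row in analyse():
        print(row)
```

The classifier checks packet rate before bit rate on purpose: a small-frame flood at 150 Mpps also crosses a 10 Gbps bit-rate threshold, but the scarce resource it exhausts is per-packet processing, so the verdict should say so. The inverse calculation shows that 840 Mpps of minimum-size frames is only about 430 Gbps of frame payload, well below the 2.5 Tbps bandwidth peaks the text mentions, which is why packet rate and bandwidth need to be monitored as separate dimensions.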
High packet rate DDoS attacks have surged, with OVHcloud observing a record-breaking 840 Mpps attack in April 2024.
An analysis of the most aggressive source IPs showed that most of them belonged to MikroTik routers, which typically had outdated firmware installed.
These devices can generate up to 14.8 Mpps each and mostly belong to business ISPs or cloud providers in Asia.
The "Bandwidth test" feature in RouterOS versions 6.44 and later may be abused in these types of attacks.
The new trend in DDoS is the use of compromised network core devices, mostly MikroTik Cloud Core Routers (CCR).
The analysis revealed that over 99,000 CCR devices were exposed online. These are CCR1036-8G-2S+ and CCR1072-1G-8S+ models, which can generate a maximum of 4 to 12 Mpps each.
A hypothetical botnet using only one percent of these devices could theoretically generate up to 2.28 Gpps.
Another incident involved routers of the same model used in a November 2023 L7 attack that peaked at 1.2 million requests per second.
This shift to core network devices therefore presents numerous challenges for anti-DDoS infrastructures and raises grave security concerns about network equipment.