Record Breaking DDoS Attack 840 Mpps Attack Spotted


The DDoS attacks have evolved tremendously since 2016, with Mirai-like botnets setting new records.

Attack frequency and intensity increased notably in 2023, with 1+ Tbps attacks almost becoming daily by 2024.

Cybersecurity researchers at OVHcloud spotted record-breaking DDoS attacks of 840 Mpps and asserted that peaks of ~2.5 Tbps were also observed.

Record-Breaking DDoS Attack

The cyber attack’s drop corresponded to the dismantling of the 911 S5 Botnet in May 2024; however, whether it was causal remains unconfirmed.

Though attack frequency is now normal, high packet rate attacks (>100 Mpps) still thrive.

Attack scenarios can include a distributed denial of service (DDoS) attack via bandwidth or packet processing.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Rather than saturating the internet connection, packet rate attacks seek to flood the networking devices’ processing abilities.

These things make them effective, as it takes more computations to deal with many small packets than fewer larger ones.

For instance, a 10 Gbps attack involving an 84-byte packet would generate approximately 14.88 Mpps, compared to 0.85 Mpps with similar-sized packets of 1480 bytes.

This problem motivated OVHcloud to develop custom networking appliances based on FPGA and DPDK for DDoS mitigation efficiency.

High packet rate DDoS attacks have surged, with OVHcloud observing a record-breaking 840 Mpps attack in April 2024, OVHcloud observed.

Record Breaking DDoS Attack 840 Mpps Attack Spotted
peak of DDoS records

A study of the worst-performing IPs showed that MikroTik routers were responsible for most of them, and these devices usually had outdated firmware installed. 

These devices can generate up to 14.8 Mpps each and mainly belong to business ISPs or cloud providers in Asia.

The feature for “Bandwidth test” in RouterOS versions 6.44+ may be exploited in these types of attacks. 

Record Breaking DDoS Attack 840 Mpps Attack Spotted
Distribution by locations (Source – OVHcloud)

The new trend in DDoS is employing hacked network core devices, mostly MikroTik Cloud Core Routers (CCR).

The analysis revealed that over 99000 CCR devices were exposed online. These are CCR1036-8G-2S+ and CCR1072-1G-8S+, which can generate a maximum of 4 – 12 Mpps each.

Record Breaking DDoS Attack 840 Mpps Attack Spotted
Distribution of the device models (Source – OVHcloud)

If this were a hypothetical botnet using only one percent of these devices, it would theoretically have generated up to 2.28 Gpps.

Another incident involved routers within the same model used during a November 2023 L7 attack with a peak power of 1.2 million requests per second.

This is why shifting to core network devices presents numerous challenges for anti-DDoS infrastructures and raises grave security issues associated with network equipment.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files



Source link