Cloud Services Provider Saw Large Increase in DDoS Attack Sizes in 2023 With Some Exceeding 1 Tbps
OVHcloud, one of the largest cloud service providers in Europe, recently revealed that it had to mitigate a massive DDoS attack earlier this year that reached an unprecedented packet rate of 840 million packets per second (Mpps), surpassing the previous record.
According to the company, it has observed a general upward trend in attack sizes starting from 2023, with attacks exceeding 1 terabit per second (Tbps) becoming more frequent, happening on a weekly or even daily basis in 2024. Some of the largest attacks sustained high bit rates and packet rates over extended periods during the past 18 months, with the highest bit rate recorded by OVHcloud on May 25, 2024 being 2.5 Tbps.
Record-Breaking DDoS Attack in April 2024 Peaked at Around 840 Million Packets Per Second
Upon analyzing some of these large attacks, OVHcloud discovered extensive use of compromised core networking devices, especially MikroTik routers, which made the attacks more potent and challenging to detect and mitigate. One such massive DDoS attack occurred earlier in April 2024, which the company had to mitigate after it peaked at a record-breaking rate of approximately 840 million packets per second.
The previous record was held by an attack against a European bank in June 2020 that was mitigated by Akamai and reached 809 Mpps. OVHcloud also mitigated several attacks exceeding 500 Mpps in early 2024, including one that peaked at 620 Mpps.
“Our infrastructure had to mitigate several 500+ Mpps attacks at the beginning of 2024, including one peaking at 620 Mpps,” explains OVHcloud.
According to the company, the record-breaking April 2024 attack originated from around 5,000 source IP addresses, with two-thirds of the packets concentrated through just four Points of Presence (PoPs) located in the United States, mainly on the West Coast.
Compromised MikroTik Devices Like CCR1036-8G-2S+ and CCR1072-1G-8S+ were Leveraged in Large DDoS Botnet
Upon investigation, OVHcloud discovered that many of the high packet rate attacks seen, including the April 2024 record-breaker, were sourced from compromised MikroTik Cloud Core Router devices. Specific vulnerable models identified included the MikroTik CCR1036-8G-2S+ and CCR1072-1G-8S+, which are used as small to medium-sized network cores.
These devices were found to have their management interfaces exposed online and running outdated firmware, making them susceptible to exploits for known vulnerabilities. Attackers were potentially leveraging MikroTik’s “Bandwidth Test” feature to generate extremely high packet rates.
An estimated 100,000 MikroTik routers were found to be Internet-accessible and exploitable. This vast number of compromised devices could theoretically be enlisted to form a botnet capable of launching multi-billion packet-per-second DDoS attacks.
OVHcloud informed MikroTik of its findings but did not receive a response. Left unsecure, these exposed networking devices continue enabling powerful record-breaking DDoS attacks online. Proper security precautions must be taken by organizations worldwide to help curb the threat of such dangerous cyberattacks powered by botnets of compromised IoT and networking equipment.