Record-Breaking DDoS Attack: 840 Mpps Assault Unleashed!

DDoS attacks have grown significantly in frequency and intensity since 2023, with bitrates exceeding 1 Tbps. Attacks of that size were previously rare but are now observed almost daily; the peak rate observed was 2.5 Tbps in May 2024.

This coincided with the dismantling of the 911 S5 botnet, but a causal link is unconfirmed. While overall attack frequency seems to have decreased, a large number of DDoS attacks still occur, with packet rates exceeding 100 Mpps. 

On May 25th, 2024, a 1.5 Tbps attack was directly followed by the biggest bit rate ever recorded at OVHcloud, 2.5 Tbps at peak.

Packet rate attacks target the packet processing engines of network devices by overwhelming them with a high volume of small packets. This is effective because processing many small packets requires more computing resources than processing fewer large packets.

Network devices typically have limited processing time per packet, and high packet rates can overload these devices even on high-bandwidth connections. To mitigate packet rate attacks, some network operators build custom DDoS mitigation appliances using FPGAs and userland software to achieve the necessary performance.

OVHcloud observed a significant rise in high packet rate DDoS attacks in the past 18 months, with attacks exceeding 100 Mpps becoming much more frequent, while the largest attack mitigated reached 840 Mpps, surpassing the previous record. 

The attack originated from only a few PoPs in the US, highlighting a potential weakness in DDoS mitigation strategies that assume geographically distributed attacks. OVHcloud is investigating the source and methods behind these attacks to improve its mitigation capabilities.

Record-breaking DDoS attack mitigated by OVHcloud, reaching 840 Mpps.

Researchers analyzed high packet rate DDoS attacks and found that a large portion of the traffic originated from a small number of sources, each emitting a high packet rate per IP. These sources were traced back to MikroTik routers, many of which were running outdated RouterOS versions with known vulnerabilities.
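The two observations above, that packet rate rather than bitrate is what exhausts a device and that the traffic concentrated in a few high-pps sources, can be checked from flow exports. The following is an added example, not code from OVHcloud or the article: it aggregates constructed flow records per source, ranks sources by packets per second, measures how concentrated the packets are, and flags small-packet floods that a bitrate threshold would rank below an ordinary bulk transfer. The record format, window length and threshold values are assumptions.

```python
"""Per-source packet-rate triage over constructed flow records (added example).
Ranks sources by packets per second, not bits per second, and flags small-packet
floods that a bitrate-only threshold would miss. Source addresses are RFC 5737
documentation ranges; all records are constructed, not real attack data."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str         # source IP as seen in a flow export
    packets: int     # packets counted in the observation window
    byte_count: int  # bytes counted in the observation window

# Constructed records for one 1-second window: two small-packet floods (64- and
# 60-byte packets) next to a 1500-byte bulk transfer and some idle chatter.
WINDOW_S = 1.0
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 1_000_000, 64_000_000),
    Flow("198.51.100.7", 500_000, 32_000_000),  # same source, second record
    Flow("203.0.113.9", 800_000, 48_000_000),
    Flow("192.0.2.10", 60_000, 90_000_000),     # only 60 kpps, but 720 Mbps
    Flow("192.0.2.11", 2_000, 1_200_000),
]

def rates_per_source(flows, window_s=WINDOW_S):
    """Aggregate every record of a source; return src -> (pps, bps, avg_pkt_len)."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for f in flows:
        pkts[f.src] += f.packets
        byts[f.src] += f.byte_count
    return {s: (pkts[s] / window_s, byts[s] * 8 / window_s, byts[s] / pkts[s])
            for s in pkts}

def top_sources_by_pps(flows, n):
    """Source IPs ranked by packet rate, highest first."""
    rates = rates_per_source(flows)
    return sorted(rates, key=lambda s: rates[s][0], reverse=True)[:n]

def top_n_packet_share(flows, n):
    """Fraction of all packets carried by the n highest-pps sources."""
    rates = rates_per_source(flows)
    pps = sorted((r[0] for r in rates.values()), reverse=True)
    return sum(pps[:n]) / sum(pps)

def flag_small_packet_floods(flows, min_pps, max_avg_len):
    """Sources above a pps threshold whose packets are small: the profile of a
    packet-rate attack, which a bits-per-second threshold ranks below bulk transfers."""
    return sorted(s for s, (pps, _, avg) in rates_per_source(flows).items()
                  if pps >= min_pps and avg <= max_avg_len)
```

On the sample data the bulk transfer at 192.0.2.10 carries more bits per second than the 203.0.113.9 flood yet over thirteen times fewer packets, which is why the flag is keyed on pps and packet size.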

The exposed administration interfaces and the fact that most devices were not patched suggest these routers were compromised, and it is suspected that the compromised routers might be leveraging the “Bandwidth Test” feature in RouterOS to launch the attacks. 

Distribution by location of the AS of the top 70 IPs issuing the highest packet rates.

By analyzing publicly available devices using SNMP, researchers found almost 100,000 CCR devices exposed on the internet, with a significant portion running outdated RouterOS versions, which highlights the risk of core network devices being compromised and weaponized in DDoS attacks.

Identification of the device models, with Cloud Core Router once again involved.

The researchers assessed the capabilities of compromised MikroTik routers and estimated their potential impact as part of a botnet by assuming that the routers could generate packets at 10% of their advertised capacity, resulting in 4 million packets per second (Mpps) for a specific model.

Using this conservative estimate and assuming that 1% of the vulnerable devices are compromised, such a botnet could theoretically generate 2.28 billion packets per second (Gpps). The researchers did not have enough data to estimate the botnet's capacity for launching Layer 7 attacks.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
