DDoS attacks have grown significantly in frequency and intensity since 2023, with bitrates exceeding 1 Tbps. Such attacks, previously rare, now occur almost daily; the peak rate observed was 2.5 Tbps in May 2024.
This coincided with the dismantling of the 911 S5 botnet, but a causal link is unconfirmed. While overall attack frequency appears to have decreased since then, a large number of DDoS attacks still occur, with packet rates exceeding 100 Mpps.
Packet rate attacks target the packet processing engines of network devices by overwhelming them with a high volume of small packets, which is effective because processing numerous small packets requires more computing resources than processing fewer large packets.
Network devices typically have limited processing time per packet, and high packet rates can overload these devices even on high-bandwidth connections. To mitigate packet rate attacks, some network operators build custom DDoS mitigation appliances using FPGAs and userland software to achieve the necessary performance.
OVHcloud observed a significant rise in high packet rate DDoS attacks over the past 18 months: attacks exceeding 100 Mpps became much more frequent, and the largest attack mitigated reached 840 Mpps, surpassing the previous record.
The attack originated from only a few PoPs in the US, highlighting a potential weakness in DDoS mitigation strategies that assume geographically distributed attacks. OVHcloud is investigating the source and methods behind these attacks to improve its mitigation capabilities.
Researchers analyzed high packet rate DDoS attacks and found a large portion of the traffic originated from a small number of sources with high packet rates per IP, which were traced back to MikroTik routers, many of which were running outdated RouterOS versions with known vulnerabilities.
The exposed administration interfaces and the fact that most devices were not patched suggest these routers were compromised, and it is suspected that the compromised routers might be leveraging the “Bandwidth Test” feature in RouterOS to launch the attacks.
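As an added illustration (not code from the report or from OVHcloud), the per-source analysis described above can be reproduced over flow records: the script below aggregates constructed sample flows, computes packet rate and average packet size per source, and flags sources that combine a high packet rate with small packets, the signature of a packet rate attack as opposed to a bandwidth attack. The flow values, IP addresses, window length and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (source IP, packets, bytes) seen in one window.
# Values are invented for this example, not measurements from the report.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    ("198.51.100.7", 30_000_000, 1_920_000_000),  # 3 Mpps of 64-byte packets
    ("198.51.100.9", 24_000_000, 1_536_000_000),  # 2.4 Mpps of 64-byte packets
    ("203.0.113.4", 120_000, 168_000_000),        # 12 kpps of ~1400-byte packets (bulk transfer)
    ("192.0.2.55", 50_000, 3_500_000),            # 5 kpps of small packets (chatty but benign)
    ("198.51.100.7", 2_000_000, 128_000_000),     # second record for the same source
]


def aggregate_sources(flows, window_seconds=WINDOW_SECONDS):
    """Return {src: (pps, avg_packet_bytes)} summed over all records in the window."""
    packets = defaultdict(int)
    octets = defaultdict(int)
    for src, pkts, nbytes in flows:
        packets[src] += pkts
        octets[src] += nbytes
    return {src: (packets[src] / window_seconds, octets[src] / packets[src])
            for src in packets}


def flag_packet_rate_sources(flows, pps_threshold=1_000_000, max_avg_bytes=128,
                             window_seconds=WINDOW_SECONDS):
    """Sources whose packet rate is high AND whose packets are small.

    A high bitrate of large packets (backups, video) is not a packet rate
    attack; many packets with few bytes each is what exhausts the per-packet
    processing budget of a network device. Returns (src, pps, avg_bytes)
    tuples, highest packet rate first.
    """
    stats = aggregate_sources(flows, window_seconds)
    flagged = [(src, pps, avg) for src, (pps, avg) in stats.items()
               if pps >= pps_threshold and avg <= max_avg_bytes]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


def flagged_packet_share(flows, **kwargs):
    """Fraction of all packets in the window that came from flagged sources."""
    total = sum(pkts for _, pkts, _ in flows)
    flagged = {src for src, _, _ in flag_packet_rate_sources(flows, **kwargs)}
    return sum(pkts for src, pkts, _ in flows if src in flagged) / total
```

On the sample data, two sources are flagged and account for over 99% of all packets in the window, mirroring the concentration in a handful of high-pps sources that the researchers describe.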
By analyzing publicly available devices using SNMP, researchers found almost 100,000 CCR devices exposed on the internet, with a significant portion running outdated RouterOS versions, which highlights the risk of core network devices being compromised and weaponized in DDoS attacks.
Researchers assessed the capabilities of compromised MikroTik routers and estimated their potential impact as a botnet, assuming that the routers could generate packets at 10% of their advertised capacity, which yields 4 million packets per second (Mpps) for one specific model.
Using this conservative estimate and assuming that 1% of the vulnerable devices are compromised, such a botnet could theoretically generate 2.28 billion packets per second (Gpps); the researchers did not have enough data to estimate its capacity for launching Layer 7 attacks.