OVHcloud slammed with 840M PPS DDoS Attack via MikroTik Routers

July 6, 2024
1 min read



TLDR:

  • OVHcloud faced a record-breaking DDoS attack reaching 840 million packets per second in April 2024.
  • The attack combined a TCP ACK flood and a DNS reflection attack using MikroTik routers.

French cloud computing firm OVHcloud recently announced that they successfully mitigated a massive distributed denial-of-service (DDoS) attack in April 2024, reaching a packet rate of 840 million packets per second (Mpps). This attack broke the previous record of 809 million Mpps reported by Akamai targeting a European bank in June 2020.

The attack was a combination of a TCP ACK flood originating from 5,000 source IPs and a DNS reflection attack leveraging around 15,000 DNS servers to amplify the traffic. OVHcloud noted that 2/3 of the total packets entered from only four points of presence, located in the U.S. This incident highlights the adversary’s capability to send a huge packet rate through a few peerings, which can pose significant challenges.

OVHcloud has observed a notable increase in DDoS attacks both in frequency and intensity since 2023, with attacks exceeding 1 terabit per second (Tbps) becoming more common. The company has witnessed an increase in DDoS attacks using packet rates greater than 100 Mpps, with many stemming from compromised MikroTik routers.

These routers, numbering over 99,000 and accessible over the internet, run on outdated versions of the operating system, making them vulnerable to known security flaws in RouterOS. It’s suspected that threat actors are exploiting the Bandwidth test feature of the operating system to conduct attacks.

By hijacking just 1% of the exposed devices into a DDoS botnet, adversaries could theoretically launch layer 7 attacks reaching 2.28 billion packets per second (Gpps). MikroTik routers have been previously used to build botnets like Mēris and for botnet-as-a-service operations, indicating potential for more powerful attacks in the future.

The rise of packet rate attacks poses a new challenge for anti-DDoS infrastructures. OVHcloud’s Sebastien Meriot warned that botnets capable of issuing billions of packets per second could challenge the way DDoS defenses are built and scaled. This incident underscores the importance of addressing security vulnerabilities in networking devices to prevent such attacks in the future.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and