Record 840M PPS DDoS Hits OVHcloud
In a recent security disclosure, cloud provider OVHcloud revealed that it successfully mitigated a Distributed Denial-of-Service (DDoS) attack reaching an unprecedented 840 million packets per second (Mpps) in April 2024. This eclipses the prior record of 809 Mpps set in 2020 as reported by Akamai.
DDoS attacks aim to cripple a target system by overwhelming it with illegitimate traffic, making it inaccessible to legitimate users. In this instance, the perpetrators used a packet rate attack, which targets the packet processing capacity of the victim’s network infrastructure rather than only saturating its bandwidth. This tactic seeks to overload the target’s systems, potentially causing collateral damage to surrounding network components.
Historically, packet rate attacks haven’t breached the 100 Mpps threshold due to the substantial computational resources needed. However, OVHcloud has observed an alarming rise in such attacks exceeding 100 Mpps within the past 18 months, with occurrences escalating from a few per week to tens or even hundreds.
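The difference between a packet rate flood and a bandwidth flood, worked through as an added example that is not from OVHcloud or the original article: it computes how much of a link and how much of a device's forwarding capacity a traffic sample consumes. The device capacities, the 80% threshold and the three traffic samples are constructed assumptions.

```python
"""Added example: does a flood exhaust link bandwidth or packet processing first?
All capacities, thresholds and traffic samples are constructed assumptions."""
from dataclasses import dataclass

ETH_OVERHEAD = 20  # extra bytes each Ethernet frame occupies on the wire: preamble 8 + gap 12

@dataclass
class Device:
    link_bps: float     # link capacity in bits per second (assumed)
    forward_pps: float  # packet forwarding capacity in packets per second (assumed)

@dataclass
class Sample:
    label: str
    packets: int        # frames counted in the interval
    frame_bytes: int    # total frame bytes in the interval
    seconds: float = 1.0

def line_rate_pps(link_bps, frame_size):
    """Maximum frames per second a link can carry at a given frame size."""
    return link_bps / ((frame_size + ETH_OVERHEAD) * 8)

def utilisation(dev, s):
    """Return (link utilisation, packet-processing utilisation) as fractions."""
    wire_bits = (s.frame_bytes + s.packets * ETH_OVERHEAD) * 8
    return wire_bits / s.seconds / dev.link_bps, s.packets / s.seconds / dev.forward_pps

def classify(dev, s, threshold=0.8):
    """Name the resource the traffic is exhausting (threshold is an assumption)."""
    link_u, pps_u = utilisation(dev, s)
    if link_u >= threshold and pps_u >= threshold:
        return "both"
    if pps_u >= threshold:
        return "packet-rate"
    if link_u >= threshold:
        return "volumetric"
    return "normal"

EDGE = Device(link_bps=100e9, forward_pps=60e6)  # hypothetical edge router
SAMPLES = [  # constructed one-second counters
    Sample("small-frame flood", 60_000_000, 60_000_000 * 64),
    Sample("large-frame flood", 8_000_000, 8_000_000 * 1518),
    Sample("ordinary traffic", 2_000_000, 2_000_000 * 800),
]

if __name__ == "__main__":
    for s in SAMPLES:
        link_u, pps_u = utilisation(EDGE, s)
        print(f"{s.label:18} link {link_u:6.1%}  pps {pps_u:6.1%}  -> {classify(EDGE, s)}")
```

In this constructed case the small-frame flood uses all of the forwarding capacity at about 40% link utilisation, so monitoring that alerts only on bits per second would not flag it.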
The record-breaking attack originated from a network encompassing 5,000 IP addresses. While OVHcloud withheld specifics regarding the intended target, they confirmed possessing sufficient internet capacity to effectively mitigate the assault.
During their investigation into the attack’s source, OVHcloud scrutinized various DDoS attacks ranging from 100 Mpps to 500 Mpps. This analysis led them to suspect a network of high-performance MikroTik routers, potentially compromised by the attackers to launch the DDoS barrage. MikroTik routers have documented vulnerabilities, and a concerning number operate with a user interface accessible via Hypertext Transfer Protocol (HTTP), leaving them susceptible to exploitation.
OVHcloud reported a significant increase in DDoS attacks since 2023, both in frequency and intensity. Attacks exceeding 1 terabit per second (Tbps) have become commonplace.
Sebastien Meriot of OVHcloud stated: “In the past 18 months, we saw a jump from 1+ Tbps attacks being rare occurrences to weekly events, and now they occur almost daily (averaged over a week). The highest bit rate we observed during this period was around 2.5 Tbps.”
Sharp Rise in High-Volume Packet Rate Attacks
Data compiled by OVHcloud reveals a disturbing trend – DDoS attacks exceeding 100 Mpps have witnessed a significant surge in the last year and a half. Many of these attacks are traced back to compromised MikroTik Cloud Core Router (CCR) devices. A staggering 99,382 MikroTik routers are currently vulnerable due to being accessible over the internet.
These exposed routers not only have an unsecured management interface but also often run outdated versions of the RouterOS operating system. This combination makes them susceptible to known security exploits. Attackers are believed to be weaponizing the operating system’s built-in Bandwidth test feature to orchestrate these high-volume attacks.
Estimates suggest that compromising just 1% of these exposed routers and integrating them into a DDoS botnet could theoretically grant attackers the capability to launch Layer 7 DDoS attacks reaching a staggering 2.28 billion packets per second (Gpps). This scenario highlights the growing threat posed by vulnerable internet-connected devices and underscores the importance of robust cybersecurity practices.
MikroTik routers, known for their power and affordability, have become a favorite target for attackers building large botnets. These botnets, like the infamous Mēris, can be used to launch devastating DDoS attacks.
Security experts warn that these large botnets pose a serious threat to current anti-DDoS defenses. If attackers can compromise enough devices and leverage their combined power, they could unleash attacks measured in billions of packets per second. This unprecedented volume could overwhelm existing security measures, forcing companies to rethink how they build and scale their DDoS protection.