French cloud computing provider OVHcloud has successfully mitigated a distributed denial-of-service (DDoS) attack that set a new record for packet rate intensity.
The attack, which occurred in April 2024, reached an astounding 840 million packets per second (Mpps), surpassing the previous record of 809 Mpps reported by Akamai in June 2020.
Anatomy of the Attack
The record-breaking DDoS attack combined two techniques:
- A TCP ACK flood originating from 5,000 source IP addresses
- A DNS reflection attack leveraging approximately 15,000 DNS servers for traffic amplification
While the attack sources were globally distributed, OVHcloud noted that two-thirds of the packets entered through just four points of presence (PoPs), all located in the United States. Three of these PoPs were on the West Coast, demonstrating the attackers’ ability to concentrate an enormous packet rate through a limited number of peering points.
OVHcloud has observed a significant increase in the frequency and intensity of DDoS attacks since 2023. Sebastien Meriot, an OVHcloud representative, stated that attacks exceeding 1 terabit per second (Tbps) have become almost daily occurrences, with the highest observed bit rate reaching approximately 2.5 Tbps.
Packet Rate Attacks: A Growing Threat
Unlike traditional DDoS attacks that aim to exhaust available bandwidth, packet rate attacks focus on overloading the packet processing engines of networking devices near the target, such as load balancers. OVHcloud’s data reveals a sharp increase in DDoS attacks with packet rates greater than 100 Mpps over the past 18 months.
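As an added illustration (not OVHcloud's tooling and not code from the article), the Python sketch below rates per-PoP interface counters against both a link limit and a packet-engine limit, showing how a flood of small packets can exhaust the engine while the link still has headroom, and measures how concentrated ingress is across PoPs. The capacity constants, PoP labels and counter samples are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed limits of a hypothetical edge device; not figures from the article.
LINK_BPS = 100e9     # line rate in bits per second
ENGINE_PPS = 50e6    # packets per second the forwarding engine can process

@dataclass
class Sample:
    pop: str         # point-of-presence label (constructed)
    seconds: float   # length of the counter interval
    packets: int     # packets received during the interval
    octets: int      # bytes received during the interval

def classify(s: Sample) -> dict:
    """Rate one interval against both limits and name the one that is exceeded."""
    pps = s.packets / s.seconds
    bps = s.octets * 8 / s.seconds
    if bps >= LINK_BPS:
        verdict = "bandwidth"      # the pipe itself is full
    elif pps >= ENGINE_PPS:
        verdict = "packet-rate"    # pipe has headroom, packet engine does not
    else:
        verdict = "normal"
    avg = s.octets / s.packets if s.packets else 0.0
    return {"pop": s.pop, "mpps": pps / 1e6, "gbps": bps / 1e9,
            "avg_bytes": avg, "verdict": verdict}

def top_share(samples: list[Sample], n: int) -> float:
    """Fraction of all packets that entered through the n busiest PoPs."""
    counts = sorted((s.packets for s in samples), reverse=True)
    return sum(counts[:n]) / sum(counts)

# Constructed 10-second counter samples, one per PoP.
SAMPLES = [
    Sample("pop-a", 10, 1_200_000_000, 76_800_000_000),   # 64-byte packets
    Sample("pop-b", 10, 100_000_000, 140_000_000_000),    # 1400-byte packets
    Sample("pop-c", 10, 20_000_000, 10_000_000_000),      # 500-byte packets
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
    print(f"busiest PoP carries {top_share(SAMPLES, 1):.0%} of packets")
```

In the constructed data, pop-a receives 120 Mpps at only about 61 Gbit/s, so a bandwidth-only alarm would stay quiet while the packet engine is well past its budget.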
The MikroTik Connection
Many of these high-intensity attacks originate from compromised MikroTik Cloud Core Router (CCR) devices. With over 99,000 MikroTik routers accessible via the internet, these devices present a significant security risk. Many run outdated versions of the RouterOS operating system, making them vulnerable to known exploits.
Threat actors are suspected of weaponizing the RouterOS Bandwidth test feature to launch these attacks. Estimates suggest that hijacking even 1% of the exposed devices into a DDoS botnet could potentially enable adversaries to launch layer 7 attacks reaching 2.28 billion packets per second (Gpps).
Historical Context and Future Implications
MikroTik routers have previously been used to build powerful botnets, such as Mēris, and have been implicated in botnet-as-a-service operations. The current trend suggests a potentially new era for packet rate attacks, with botnets capable of generating billions of packets per second.
Meriot warned, “This could seriously challenge how anti-DDoS infrastructures are built and scaled,” highlighting the need for cybersecurity professionals and organizations to adapt their defenses to this evolving threat landscape.