OVHcloud Fends Off Record DDoS Attack: 840 Million Packets Per Second

Date: Jul 8, 2024

An alarming trend in cybersecurity has been revealed by global cloud service provider OVHcloud, exemplified by a DDoS attack that broke all previous records in April 2024. An unprecedented attack with a peak throughput of 840 million packets per second (Mpps) was recorded by OVHcloud. This represents a notable increase in the complexity and intensity of DDoS attacks.

DDoS attacks have been a persistent threat, but the scale and frequency observed since November 2023 have been alarming, stated OVHcloud in a recently published blog article. High packet rate attacks, in particular, have increased dramatically. These attacks differ from traditional DDoS attacks, which typically aim to saturate bandwidth or overload application servers. Instead, high packet rate attacks focus on overwhelming the packet processing engines of networking devices: the per-packet cost of inspection and forwarding, not the byte volume, becomes the bottleneck. This method targets the infrastructure supporting online services, including load balancers and anti-DDoS systems, by exploiting packet processing limitations.

The attack in April 2024 exemplified the severity of this new threat, stated OVHcloud. Reaching 840 Mpps, it far surpassed previous records, such as the 809 Mpps attack reported by Akamai in 2020. The OVHcloud team successfully mitigated the attack, but its sheer scale highlighted the growing capabilities of modern botnets.

This DDoS attack, predominantly composed of TCP ACK packets, originated from approximately 5,000 source IPs. Notably, a small fraction of the traffic also involved a DNS reflection attack, leveraging about 15,000 DNS servers. The distribution of the attack traffic was highly concentrated, with two-thirds of the packets entering through only four Points of Presence (PoPs) in the United States, three of which were on the west coast. This concentration of traffic challenged the common assumption that massive DDoS attacks would be more geographically dispersed.
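The two passages above make two points a defender can measure directly: a high packet rate flood is distinguished from a bandwidth flood by a high packet rate combined with a small average packet size, and attack traffic can be far more concentrated across points of presence than one would assume. The following script, an added example rather than OVHcloud's own tooling, classifies per-second traffic windows by packets per second and bits per second and reports the share of attack packets landing on the top N PoPs. The flow records, PoP names, source IPs, packet counts and the 100 Mpps / 400 Gbit/s thresholds are all constructed for illustration and are not OVHcloud telemetry.

```python
"""Classify traffic windows as packet-rate vs bandwidth floods and measure
how concentrated the traffic is across points of presence (PoPs)."""
from collections import defaultdict

# Constructed flow summaries (NOT real telemetry):
# (second, pop, src_ip, tcp_flags, packets, bytes)
# Second 0: ~190 M small (60-byte) TCP ACK packets from five PoPs,
# plus a trickle of normal 1500-byte traffic.
# Second 1: fewer but full-size packets, i.e. a bandwidth-style flood.
SAMPLE_FLOWS = [
    (0, "us-west-1", "192.0.2.10", "ACK", 60_000_000, 3_600_000_000),
    (0, "us-west-2", "192.0.2.11", "ACK", 50_000_000, 3_000_000_000),
    (0, "us-west-3", "192.0.2.12", "ACK", 40_000_000, 2_400_000_000),
    (0, "us-east-1", "192.0.2.13", "ACK", 30_000_000, 1_800_000_000),
    (0, "eu-west-1", "192.0.2.14", "ACK", 10_000_000, 600_000_000),
    (0, "eu-west-1", "198.51.100.5", "", 20_000, 30_000_000),
    (1, "eu-west-1", "198.51.100.5", "", 40_000_000, 60_000_000_000),
]

# Assumed alerting thresholds; real values depend on the platform's capacity.
PPS_THRESHOLD = 100_000_000        # 100 Mpps
BPS_THRESHOLD = 400_000_000_000    # 400 Gbit/s


def per_second_totals(flows):
    """Sum packets and bytes per one-second window -> {second: (packets, bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for second, _pop, _src, _flags, packets, nbytes in flows:
        totals[second][0] += packets
        totals[second][1] += nbytes
    return {s: (p, b) for s, (p, b) in totals.items()}


def classify_window(packets, nbytes,
                    pps_threshold=PPS_THRESHOLD, bps_threshold=BPS_THRESHOLD):
    """Label a one-second window. Returns (label, average_packet_size_bytes).

    A window that crosses the packet-rate threshold but not the bit-rate
    threshold is what the article calls a high packet rate attack: the packets
    are small, so the pressure lands on packet processing, not on bandwidth.
    """
    high_pps = packets >= pps_threshold
    high_bps = nbytes * 8 >= bps_threshold
    avg_size = nbytes / packets if packets else 0.0
    if high_pps and high_bps:
        label = "both"
    elif high_pps:
        label = "packet-rate"
    elif high_bps:
        label = "bandwidth"
    else:
        label = "normal"
    return label, avg_size


def classify_flows(flows, **thresholds):
    """Classify every one-second window in a flow list."""
    return {second: classify_window(p, b, **thresholds)
            for second, (p, b) in per_second_totals(flows).items()}


def pop_shares(flows, second):
    """Packet share per PoP for one window, largest first: [(pop, share), ...]."""
    per_pop = defaultdict(int)
    for s, pop, _src, _flags, packets, _nbytes in flows:
        if s == second:
            per_pop[pop] += packets
    total = sum(per_pop.values())
    return sorted(((pop, n / total) for pop, n in per_pop.items()),
                  key=lambda item: item[1], reverse=True)


def top_n_share(shares, n):
    """Fraction of packets that entered through the n busiest PoPs."""
    return sum(share for _pop, share in shares[:n])


def ack_share(flows, second):
    """Fraction of a window's packets carrying the TCP ACK flag."""
    acks = sum(p for s, _pop, _src, flags, p, _b in flows
               if s == second and "ACK" in flags)
    total = sum(p for s, _pop, _src, _flags, p, _b in flows if s == second)
    return acks / total if total else 0.0


if __name__ == "__main__":
    for second, (label, avg) in sorted(classify_flows(SAMPLE_FLOWS).items()):
        print(f"t={second}s  {label:<12} avg packet {avg:7.1f} B")
    shares = pop_shares(SAMPLE_FLOWS, 0)
    print(f"ACK share at t=0: {ack_share(SAMPLE_FLOWS, 0):.4f}")
    print(f"top 4 PoPs carry {top_n_share(shares, 4):.1%} of t=0 packets")
```

In the constructed data the packet-rate window carries fewer bits per second than the bandwidth window yet five times more packets, which is exactly the profile a bandwidth-only alert would miss; tracking packets per second and average packet size alongside bit rate is the minimal addition that makes such a flood visible.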

Further investigation revealed that many of these high packet rate attacks were traced back to compromised core routers, specifically MikroTik devices. These routers, widely deployed within business ISPs and cloud connectivity providers, are valued for their robust capabilities. However, their broad deployment has also made them attractive targets for attackers.

Challenging Traditional Anti-DDoS Infrastructure

OVHcloud’s analysis, utilizing tools like Onyphe, identified nearly 100,000 MikroTik Cloud Core Router (CCR) devices exposed on the internet. These devices, often running outdated or poorly maintained firmware versions of MikroTik’s RouterOS, have become integral components of powerful botnets. The compromised routers are capable of generating immense packet rates, significantly contributing to the severity of these DDoS attacks.

The implications of these findings are profound. The use of compromised core network devices in DDoS attacks represents a new era of cyber threats, challenging traditional anti-DDoS infrastructure. Botnets leveraging these high-capacity routers can potentially generate billions of packets per second, demanding more robust and scalable defense mechanisms.

In response to these evolving threats, OVHcloud has enhanced its DDoS mitigation strategies. The company has developed custom networking appliances that combine userland software (DPDK) with FPGA technology, allowing for highly efficient and adaptable defense systems. This in-house approach enables OVHcloud to fine-tune its defenses against the increasing threat of high packet rate attacks.

Core Network Devices

The record-breaking attack in April 2024 underscores the need for continuous innovation in cybersecurity. The involvement of core network devices in such attacks signals a shift in how cyber threats are orchestrated and the level of sophistication attackers can achieve. As botnets grow in capability, the importance of robust, scalable defenses becomes ever more critical.

OVHcloud is actively collaborating with MikroTik and other autonomous systems to address vulnerabilities and prevent further exploitation of network core devices. The company's proactive measures aim to enhance the security of its infrastructure and ensure the continued availability and integrity of its services.

In conclusion, the attack reaching 840 Mpps in April 2024 marks a significant milestone in the escalation of DDoS threats. The involvement of compromised core routers in these attacks presents a formidable challenge to the cybersecurity landscape. It underscores the necessity for continuous advancement in defense strategies and close collaboration among industry stakeholders to safeguard vital online services against these increasingly sophisticated threats.
