OVHcloud Attributes Record-Breaking DDoS Attack to MikroTik Botnet

By Admin | 2024-07-05 | Vulnerabilities

OVHcloud, a leading global cloud services provider and one of the largest in Europe, successfully mitigated a record-breaking distributed denial of service (DDoS) attack earlier this year. The attack reached an unprecedented rate of 840 million packets per second (Mpps).

The company has observed a general trend of increasing attack sizes since 2023, with attacks exceeding 1 Tbps becoming more frequent and escalating to weekly and nearly daily occurrences in 2024.

Over the past 18 months, multiple attacks have sustained high bit rates and packet rates over extended periods. The highest bit rate recorded by OVHcloud during this period was 2.5 Tbps on May 25, 2024. Analysis of these attacks revealed the extensive use of core network devices, particularly MikroTik models, making the attacks more impactful and challenging to detect and mitigate.

Earlier this year, OVHcloud mitigated a massive packet rate attack that reached 840 Mpps, surpassing the previous record of an 809 Mpps DDoS attack targeting a European bank, which Akamai mitigated in June 2020.

"Our infrastructure had to mitigate several 500+ Mpps attacks at the beginning of 2024, including one peaking at 620 Mpps," explained OVHcloud. "In April 2024, we even mitigated a record-breaking DDoS attack reaching ~840 Mpps, just above the previous record reported by Akamai."

The cloud services provider noted that the TCP ACK attack originated from 5,000 source IPs, with two-thirds of the packets routed through just four Points of Presence (PoPs), all in the United States and three on the West Coast. The attacker's ability to concentrate this massive traffic through a relatively narrow spectrum of internet infrastructure makes these DDoS attempts more formidable and challenging to mitigate.

OVHcloud reports that many of the high packet rate attacks it recorded, including the record-breaking attack from April, originated from compromised MikroTik Cloud Core Router (CCR) devices designed for high-performance networking. Specifically, compromised models CCR1036-8G-2S+ and CCR1072-1G-8S+ were identified, which are used as small-to-medium-sized network cores.

Many of these devices expose their management interface to the internet and run outdated firmware, leaving them susceptible to attacks that leverage known vulnerabilities. The cloud firm hypothesizes that attackers might abuse the "Bandwidth Test" feature of MikroTik's RouterOS, designed for network throughput stress testing, to generate high packet rates.

OVHcloud found nearly 100,000 MikroTik devices that are reachable/exploitable over the internet, representing many potential targets for DDoS actors. Due to the high processing power of MikroTik devices, featuring 36-core CPUs, even if a small percentage of these 100,000 devices were compromised, it could result in a botnet capable of generating billions of packets per second. OVHcloud calculated that hijacking 1% of the exposed models into a botnet could give attackers enough firepower to launch attacks reaching 2.28 billion packets per second (Gpps).

MikroTik devices have been used to build powerful botnets in the past, with a notable case being the Mēris botnet. Despite the vendor's multiple warnings to users to upgrade RouterOS to a secure version, many devices remained vulnerable to attacks for months, risking being enlisted in DDoS swarms.