OVHcloud blames record-breaking DDoS attack on MikroTik botnet

July 3, 2024 at 02:07PM

OVHcloud, a major European cloud services provider, successfully mitigated a record-breaking DDoS attack earlier this year, reaching 840 Mpps and stemming from compromised MikroTik network devices. The company has observed a trend of escalating attack sizes and frequency. The high processing power of MikroTik devices poses a significant threat, with potential for devastating botnet attacks.

The key takeaways from the report:

1. OVHcloud mitigated a record-breaking distributed denial of service (DDoS) attack earlier this year, reaching an unprecedented packet rate of 840 million packets per second (Mpps), surpassing the previous record held by Akamai in June 2020.

2. The company has observed a general trend of increased attack sizes, with attacks exceeding 1 Tbps becoming more frequent and escalating to weekly and almost daily occurrences in 2024.

3. Multiple attacks sustained high bit rates and packet rates over extended periods in the past 18 months, with the highest bit rate recorded by OVHcloud during that period being 2.5 Tbps on May 25, 2024.

4. The attacks revealed the extensive use of core network devices, particularly MikroTik models, which made the attacks more impactful and harder to detect and stop.

5. OVHcloud identified compromised MikroTik Cloud Core Router (CCR) devices, such as the CCR1036-8G-2S+ and CCR1072-1G-8S+ models, as the source of many high packet rate attacks. These devices were susceptible to compromise because they ran outdated firmware and were exposed online.

6. The firm hypothesized that attackers might use the "Bandwidth Test" feature of MikroTik's RouterOS to generate high packet rates, and it found nearly 100,000 MikroTik devices reachable and exploitable over the internet, a pool that DDoS actors could potentially enlist.

7. Due to the high processing power of MikroTik devices, even a small percentage of compromised devices could result in a botnet capable of generating billions of packets per second.

8. Despite warnings from the vendor to upgrade RouterOS to secure versions, many devices remained vulnerable to attacks for months, risking being enlisted in DDoS swarms.

9. OVHcloud has informed MikroTik of its findings but has not received a response.

These takeaways highlight the increasing severity and frequency of DDoS attacks, particularly those originating from compromised MikroTik devices, and the challenges of mitigating them. They also emphasize the need for improved security measures and proactive responses from vendors and organizations to address these vulnerabilities.
