OVHcloud, a French cloud computing company, recently announced that it successfully mitigated a record-breaking distributed denial-of-service (DDoS) attack in April 2024. The attack reached a staggering packet rate of 840 million packets per second (Mpps), surpassing the previous record of 809 Mpps reported by Akamai in June 2020.
The DDoS attack was a combination of a TCP ACK flood originating from 5,000 source IPs and a DNS reflection attack leveraging approximately 15,000 DNS servers to amplify the traffic. "While the attack was distributed worldwide, two-thirds of the total packets entered from only four points of presence, all located in the U.S., with three of them being on the west coast," OVHcloud noted.
The company has observed a significant increase in DDoS attacks in terms of both frequency and intensity since 2023. Attacks reaching above 1 terabit per second (Tbps) have become a regular occurrence. "In the past 18 months, we went from 1+ Tbps attacks being quite rare, then weekly, to almost daily," said Sebastien Meriot from OVHcloud.
Unlike typical DDoS attacks that aim to exhaust available bandwidth by sending a flood of junk traffic to targets, packet rate attacks work by overloading the packet processing engines of networking devices close to the destination.
Data gathered by the company shows a sharp increase in DDoS attacks leveraging packet rates greater than 100 Mpps. Many of these attacks are emanating from compromised MikroTik Cloud Core Router (CCR) devices. As many as 99,382 MikroTik routers, running on outdated versions of the operating system and exposing an administration interface, are accessible over the internet, making them susceptible to known security vulnerabilities.
It's estimated that hijacking even 1% of the exposed devices into a DDoS botnet could theoretically give adversaries enough capacity to launch layer 7 attacks reaching 2.28 billion packets per second (Gpps). This could potentially usher in a new era for packet rate attacks, challenging how anti-DDoS infrastructures are built and scaled.
It's worth noting that MikroTik routers have previously been leveraged for building potent botnets such as Mēris and even used for launching botnet-as-a-service operations. "Depending on the number of compromised devices and their actual capabilities, this could be a new era for packet rate attacks," Meriot warned.