Explore the alarming rise of packet rate DDoS attacks targeting network core devices like MikroTik routers. Learn how a record-breaking 840 million PPS attack on OVHcloud exposed vulnerabilities

Continue reading
Packet rate attacks, a potent form of Distributed Denial of Service (DDoS) attacks, have surged in frequency and intensity since early 2023. These attacks, unlike traditional DDoS attacks that saturate bandwidth, overwhelm network infrastructure by flooding it with smaller packets, often targeting and crippling load balancers and anti-DDoS systems.
The escalation of DDoS attacks is evident in the increasing number of attacks exceeding 1 terabit per second (Tbps), which have transitioned from rare occurrences to near-daily events. OVHcloud, a leading cloud provider, witnessed a peak of 2.5 Tbps during this period, underscoring the escalating threat posed by high-bandwidth attacks.
Packet rate attacks, or packets per second (PPS) attacks, differ from traditional bandwidth-focused DDoS attacks. Instead of flooding the target with massive amounts of data, PPS attacks send numerous smaller packets, aiming to overwhelm network devices' processing capabilities.
This can lead to disruptions and potential outages, especially in critical network infrastructure. The effectiveness of packet rate attacks stems from the computational intensity of processing many small packets versus fewer large packets.
Each packet necessitates at least one memory access, increasing the processing load on network devices. In extreme cases, insufficient buffer space can cause latency issues and performance degradation.
packet_size = 1480 bandwidth = 10 109 # 10 Gbps in bits per second pps = bandwidth / (packet_size 8) # Convert to bytes and calculate PPS print(pps) # Output: ~850,000 PPS
packet_size = 84 pps = bandwidth / (packet_size * 8) print(pps) # Output: ~14,880,000 PPS
While high packet rate DDoS attacks aren't new – the highest publicly known attack reached 809 Mpps in 2020, reported by Akamai – they've recently escalated in frequency and intensity, with OVHcloud experiencing a significant 700 Mpps UDP flood two years ago, further highlighting the growing threat of such attacks.
In April 2024, OVHcloud mitigated an unprecedented 840 million PPS DDoS attack primarily using MikroTik routers. This TCP ACK flood from ~5,000 source IPs, supplemented by a DNS reflection attack using ~15,000 DNS servers, was globally distributed, yet two-thirds of traffic entered through just four U.S. PoPs. This concentration challenges traditional assumptions about traffic distribution and raises significant concerns for DDoS mitigation.

*Massive DDoS attack mitigated by OVHcloud reaching 840 Mpps*
Analysis revealed that many high packet rate attacks originated from compromised MikroTik Cloud Core Routers (CCRs).
OVHcloud identified ~99,382 accessible MikroTik routers, many running outdated and vulnerable RouterOS versions.

*Onyphe found 99k+ exposed MikroTik devices*
Compromised models like CCR1036-8G-2S+ and CCR1072-1G-8S+ can generate substantial packet rates, estimated at 4 million and 12 million PPS respectively.
RouterOS's "Bandwidth Test" feature, intended for throughput testing, is a potential avenue for exploitation. In versions after 6.44, it utilizes all available bandwidth by default, potentially impacting network usability and aiding attackers.
The vast number of exposed MikroTik CCRs (~99,382) underscores the threat's scale. Models involved in attacks accounted for at least 40,000 devices, highlighting the need for urgent action.
A theoretical calculation by OVHcloud, assuming a 1% compromise rate and focusing on the two most common models, estimated a potential botnet of ~300 CCR1036-8G-2S+ and ~90 CCR1072-1G-8S+ devices could generate a staggering 2.28 billion PPS. The potential for layer 7 attacks using these devices remains unknown.
The rise of packet rate attacks using compromised network core devices like MikroTik routers has significant implications for DDoS mitigation. The ability to generate billions of PPS could overwhelm defenses, necessitating a reevaluation of anti-DDoS strategies. OVHcloud is actively adapting its infrastructure, incorporating FPGA and DPDK-based appliances, to address this evolving threat.
Additionally, the MikroTik compromise is not an isolated incident. Numerous critical vulnerabilities in network devices from various vendors have emerged, painting a concerning picture for network security. The sophistication of attacks and widespread exposure of vulnerable devices demand immediate action to protect the broader cybersecurity landscape.
While MikroTik devices have participated in DDoS attacks before, this is the first evidence suggesting botnets are utilizing network core devices for such attacks.
The rise of high packet rate DDoS attacks and the exploitation of network core devices like MikroTik CCRs mark a new era in DDoS warfare. The ability to generate billions of packets per second poses a significant challenge to cybersecurity. As defenders strive to adapt and strengthen their defenses, securing network devices and addressing vulnerabilities is paramount.
In this ever-evolving threat landscape, vigilance, collaboration, and proactive security measures are crucial for safeguarding critical network infrastructure. By addressing the exposure of administration interfaces, the use of outdated software, and the potential for exploitation of legitimate features, we can collectively mitigate the risks posed by these advanced DDoS attacks.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.