Cloud Service Provider OVHCloud Discloses Record-Breaking DDoS Attack with 5000 IPs Launching 840 Million Packets per Second
OVHCloud, one of the leading cloud computing providers in Europe, recently revealed a record-breaking Distributed Denial of Service (DDoS) attack, with a peak packet rate reaching 840 million per second.
Mpps stands for Million Packets per Second, a metric often used to describe the performance of network devices like switches. The attack in April 2024 saw a staggering 840 Mpps.
After investigation, OVH identified the approximate source of the attack and contacted the involved manufacturer, who has not responded as of the publication of this article.
Attributed to MikroTik Network Devices:
MikroTik, a well-known Latvian company in the network device industry, manufactures enterprise-level routers, switches, wireless access points, and more.
OVH found that the attacking source devices were MikroTik Cloud Core Router devices, which by default have their interfaces exposed online, making them easily discoverable by automated bots.
Because these devices had not received firmware updates, they carried vulnerabilities that allowed attackers to compromise them and use them in attacks. MikroTik's RouterOS also includes a bandwidth test feature, designed for enterprises to test network throughput.
Attackers controlling some compromised devices could use the bandwidth test feature on all of them simultaneously to initiate concurrent requests, generating an enormous number of packets.
OVH contacted MikroTik, hoping the company would detect and alert customers to update their network device firmware to prevent vulnerabilities from being exploited long-term, enhancing security for businesses and reducing attacks on cloud providers like OVH.
However, MikroTik has not responded to OVH, and it is unclear whether MikroTik plans to enforce firmware updates. That seems unlikely, since upgrading firmware on enterprise devices without customer consent might cause interruptions and lead to more issues.
Attack Sources Originated from the USA:
The attack utilized 5000 source IPs for a TCP ACK attack, with two-thirds of the packets routed through only four Points of Presence (PoPs), all located within the USA, three on the West Coast.
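For defenders, the figures above (packet rate, number of source IPs, share of traffic entering through a few PoPs) can be derived from flow records. The following is an added example, not OVH's tooling: the record layout, PoP names, addresses and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter

ACK = 0x10  # TCP ACK flag bit

# Constructed sample, not OVH data. Assumed record layout:
# (unix_second, src_ip, ingress_pop, tcp_flags, packets, bytes)
SAMPLE = [
    (100, "198.51.100.1", "pop-a", 0x10, 300_000, 300_000 * 64),
    (100, "198.51.100.2", "pop-b", 0x10, 200_000, 200_000 * 64),
    (100, "198.51.100.3", "pop-c", 0x10, 100_000, 100_000 * 64),
    (100, "198.51.100.4", "pop-d", 0x10, 100_000, 100_000 * 64),
    (100, "198.51.100.5", "pop-e", 0x10, 200_000, 200_000 * 64),
    (100, "198.51.100.6", "pop-f", 0x10, 100_000, 100_000 * 64),
    (100, "203.0.113.9", "pop-a", 0x18, 5_000, 5_000 * 1200),  # PSH|ACK data, ignored
    (101, "198.51.100.1", "pop-a", 0x10, 50_000, 50_000 * 64),
]

def summarize_peak(flows, top_n=4):
    """Metrics for the busiest one-second bucket of ACK-only traffic."""
    flows = list(flows)
    per_second = Counter()
    for sec, _src, _pop, flags, pkts, _nbytes in flows:
        if flags == ACK:  # pure ACK: no SYN, FIN, RST or PSH set
            per_second[sec] += pkts
    if not per_second:
        return None
    peak_sec, peak_pps = per_second.most_common(1)[0]
    sources, pops, total_bytes = set(), Counter(), 0
    for sec, src, pop, flags, pkts, nbytes in flows:
        if sec == peak_sec and flags == ACK:
            sources.add(src)
            pops[pop] += pkts
            total_bytes += nbytes
    return {
        "second": peak_sec,
        "pps": peak_pps,
        "gbps": total_bytes * 8 / 1e9,
        "avg_packet_bytes": total_bytes / peak_pps,
        "sources": len(sources),
        # Fraction of attack packets entering through the top_n busiest PoPs
        "top_pop_share": sum(c for _, c in pops.most_common(top_n)) / peak_pps,
    }

def is_packet_rate_attack(m, pps_threshold, max_avg_bytes=100):
    # Many tiny packets: the load is per-packet processing, not link capacity
    return (m is not None and m["pps"] >= pps_threshold
            and m["avg_packet_bytes"] <= max_avg_bytes)
```

In the sample, one million packets per second amounts to only about half a gigabit per second, which is why a bandwidth-only alert would miss this kind of flood.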
The attacker's identity remains unknown, and OVH has not disclosed which industry the targeted customer belongs to. Typically, industries like gaming are prone to malicious attacks due to competition, raising the question of whether the targeted customer also belongs to the gaming industry.