Packet Rate Attacks
DDoS
Explore the alarming rise of packet rate DDoS attacks targeting network core dev...
### Packet Rate Attacks Escalate: Unmasking the Record-Breaking 840 Million PPS DDoS Attack on OVHcloud & MikroTik Router Exploits
Packet rate attacks, a potent form of Distributed Denial of Service (DDoS) attacks, have surged in frequency and intensity since early 2023. These attacks, unlike traditional DDoS attacks that saturate bandwidth, overwhelm network infrastructure by flooding it with smaller packets, often targeting and crippling load balancers and anti-DDoS systems.
#### Rise of Terabit-Scale DDoS Attacks
The escalation of DDoS attacks is evident in the increasing number of attacks exceeding 1 terabit per second (Tbps), which have transitioned from rare occurrences to near-daily events. OVHcloud, a leading cloud provider, [witnessed](https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/) a peak of 2.5 Tbps during this period, underscoring the escalating threat posed by high-bandwidth attacks.
#### Understanding the Mechanics of Packet Rate Attacks
Packet rate attacks, or packets per second (PPS) attacks, differ from traditional bandwidth-focused DDoS attacks. Instead of flooding the target with massive amounts of data, PPS attacks send numerous smaller packets, aiming to overwhelm network devices' processing capabilities.
This can lead to disruptions and potential outages, especially in critical network infrastructure.
The effectiveness of packet rate attacks stems from the computational intensity of processing many small packets versus fewer large packets.
Each packet necessitates at least one memory access, increasing the processing load on network devices. In extreme cases, insufficient buffer space can cause latency issues and performance degradation.
# Illustrative example of packet rate impact:
# Scenario 1: 10 Gbps attack with large packets (1480 bytes)
packet_size = 1480
bandwidth = 10 * 10**9 # 10 Gbps in bits per second
pps = bandwidth / (packet_size * 8) # Convert to bytes and calculate PPS
print(pps) # Output: ~850,000 PPS
# Scenario 2: 10 Gbps attack with small packets (84 bytes)
packet_size = 84
pps = bandwidth / (packet_size * 8)
print(pps) # Output: ~14,880,000 PPS
While high packet rate DDoS attacks aren't new – the highest publicly known attack reached 809 Mpps in 2020, reported by [Akamai](https://www.akamai.com/blog/news/largest-ever-recorded-packet-per-secondbased-ddos-attack-mitigated-by-akamai) – they've recently escalated in frequency and intensity, with OVHcloud experiencing a significant 700 Mpps UDP flood two years ago, further highlighting the growing threat of such attacks.
#### OVHcloud's Record-Breaking 840 Million PPS DDoS Attack
In April 2024, OVHcloud mitigated an unprecedented 840 million PPS DDoS attack primarily using MikroTik routers. This TCP ACK flood from ~5,000 source IPs, supplemented by a DNS reflection attack using ~15,000 DNS servers, was globally distributed, yet two-thirds of traffic entered through just four U.S. PoPs. This concentration challenges traditional assumptions about traffic distribution and raises significant concerns for DDoS mitigation.
***Massive DDoS attack mitigated by OVHcloud reaching 840 Mpps***
#### MikroTik Routers & RouterOS Vulnerabilities
Analysis revealed that many high packet rate attacks originated from compromised MikroTik Cloud Core Routers (CCRs).
OVHcloud identified ~99,382 accessible MikroTik routers, many running outdated and vulnerable RouterOS versions.
***Onyphe found 99k+ exposed MikroTik devices***
Compromised models like [CCR1036-8G-2S+](https://mikrotik.com/product/CCR1036-8G-2Splus#fndtn-specifications) and [CCR1072-1G-8S+](https://mikrotik.com/product/CCR1072-1G-8Splus#fndtn-specifications) can generate substantial packet rates, estimated at 4 million and 12 million PPS respectively.
### Exploiting the "Bandwidth Test" Feature
RouterOS's "Bandwidth Test" feature, intended for throughput testing, is a potential avenue for exploitation. In versions after 6.44, it utilizes all available bandwidth by default, potentially impacting network usability and aiding attackers.
#### Widespread Vulnerability and Potential Impact
The vast number of exposed MikroTik CCRs (~99,382) underscores the threat's scale. Models involved in attacks accounted for at least 40,000 devices, highlighting the need for urgent action.
A theoretical calculation by OVHcloud, assuming a 1% compromise rate and focusing on the two most common models, estimated a potential [botnet](https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation) of ~300 CCR1036-8G-2S+ and ~90 CCR1072-1G-8S+ devices could generate a staggering 2.28 billion PPS. The potential for layer 7 attacks using these devices remains unknown.
#### Implications for DDoS Mitigation
The rise of packet rate attacks using compromised network core devices like MikroTik routers has significant implications for DDoS mitigation. The ability to generate billions of PPS could overwhelm defenses, necessitating a reevaluation of anti-DDoS strategies. OVHcloud is actively adapting its infrastructure, incorporating FPGA and DPDK-based appliances, to address this evolving threat.
Additionally, the MikroTik compromise is not an isolated incident. Numerous critical vulnerabilities in network devices from various vendors have emerged, painting a concerning picture for network security. The sophistication of attacks and widespread exposure of vulnerable devices demand immediate action to protect the broader cybersecurity landscape.
#### Urgent Need for Proactive Security in the Face of Evolving DDoS Threats
While [MikroTik devices have participated in DDoS attacks before](https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/), this is the first evidence suggesting botnets are utilizing network core devices for such attacks.
The rise of high packet rate DDoS attacks and the exploitation of network core devices like MikroTik CCRs mark a new era in DDoS warfare. The ability to generate billions of packets per second poses a significant challenge to cybersecurity. As defenders strive to adapt and strengthen their defenses, securing network devices and addressing vulnerabilities is paramount.
In this ever-evolving threat landscape, vigilance, collaboration, and proactive security measures are crucial for safeguarding critical network infrastructure. By addressing the exposure of administration interfaces, the use of outdated software, and the potential for exploitation of legitimate features, we can collectively mitigate the risks posed by these advanced DDoS attacks.
