OVHcloud Sees Record 840 Mpps DDoS Attack


Cloud provider OVHcloud this week revealed that it had mitigated the largest ever distributed denial-of-service (DDoS) attack in terms of packet rate, amid an overall increase in DDoS attack intensity.

Packet rate DDoS attacks seek to overload the processing engines of the networking devices close to the target, essentially taking down the infrastructure in front of the victim, such as the anti-DDoS systems.

Packet rate DDoS attacks, the cloud provider explains, are highly effective because mitigating them requires dealing with many small packets, which is typically more difficult than dealing with fewer, albeit larger, packets.

“We can summarize this problem into a single sentence: if your job is to deal mostly with payloads, bandwidth may be the hard limit; but if your job is to deal mostly with packet headers, packet rate is the hard limit,” OVHcloud notes.

Peaking at around 840 Mpps (million packets per second), the largest packet rate attack was registered in April this year, breaking the record that was set at 809 Mpps in 2021.

Even more worrying, however, is that OVHcloud has been observing a sharp increase in packet rate DDoS attacks above the 100 Mpps threshold over the past six months.

Typically, threat actors rely on DDoS attacks that focus on exhausting the target’s bandwidth (network-layer or Layer 3 attacks) or resources (application-layer or Layer 7 attacks), but the adoption of packet rate assaults is surging.

“We went from mitigating a few of them each week, to tens or even hundreds per week. Our infrastructures had to mitigate several 500+ Mpps attacks at the beginning of 2024, including one peaking at 620 Mpps. In April 2024, we even mitigated a record-breaking DDoS attack reaching ~840 Mpps,” OVHcloud says.


Most of the traffic used in the record attack, the cloud provider says, consisted of TCP ACK packets originating from roughly 5,000 IPs.

The company’s investigation revealed the use of MikroTik routers as part of the attack, specifically cloud core routers – namely the CCR1036-8G-2S+ and CCR1072-1G-8S+ device models. There are close to 100,000 CCR devices exposed to the internet, with the two models accounting for roughly 40,000 of them.

Should a threat actor be able to ensnare all these devices into a botnet, OVHcloud says, that botnet could theoretically generate 2.28 billion packets per second (or Gpps).

Following a steady increase in frequency over the past year and a half, large network-layer attacks are also a normal occurrence now, the cloud provider reports.

The Mirai botnet was the first to break the 1 Tbps (terabit per second) threshold in 2016. With 3.47 Tbps and 2.5 Tbps records set in 2022, DDoS attacks over 1 Tbps are now run-of-the-mill.

“In the past 18 months, we went from 1+ Tbps attacks being quite rare, then weekly, to almost daily (averaged out over one week). The highest bit rate we observed during that period was ~2.5 Tbps,” OVHcloud notes.
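The packet rate versus bandwidth distinction, applied to the figures reported above, in an added example that does not come from OVHcloud or the original article. The frame sizes (64-byte minimum frames for bare TCP ACKs, 1518-byte full frames) and the capacities of the hypothetical `Device` are assumptions.

```python
from dataclasses import dataclass

WIRE_OVERHEAD = 20   # bytes per frame on the wire: preamble 7 + SFD 1 + inter-frame gap 12
MIN_FRAME = 64       # minimum Ethernet frame (incl. FCS); a bare TCP ACK is padded to this
FULL_FRAME = 1518    # frame carrying a 1500-byte IP packet

@dataclass
class Device:
    """Hypothetical mitigation device; both capacities are assumed figures."""
    max_pps: float   # header-processing limit, packets per second
    max_bps: float   # line-rate limit, bits per second

def wire_bps(pps: float, frame: int) -> float:
    """Bits per second on the wire for `pps` frames of `frame` bytes."""
    return pps * (max(frame, MIN_FRAME) + WIRE_OVERHEAD) * 8

def pps_at(bps: float, frame: int) -> float:
    """Packets per second needed to fill `bps` with frames of `frame` bytes."""
    return bps / ((max(frame, MIN_FRAME) + WIRE_OVERHEAD) * 8)

def binding_limit(dev: Device, pps: float, frame: int):
    """Return which capacity is closer to exhaustion, plus both utilisations."""
    pps_util = pps / dev.max_pps
    bps_util = wire_bps(pps, frame) / dev.max_bps
    name = "packet rate" if pps_util >= bps_util else "bandwidth"
    return name, round(pps_util, 3), round(bps_util, 3)

def crossover_frame(dev: Device) -> float:
    """Frame size at which both limits saturate together; smaller frames hit pps first."""
    return dev.max_bps / (8 * dev.max_pps) - WIRE_OVERHEAD

if __name__ == "__main__":
    # Figures from the article, with assumed frame sizes.
    print(f"840 Mpps of {MIN_FRAME}-byte frames = {wire_bps(840e6, MIN_FRAME) / 1e9:.1f} Gbps")
    print(f"2.5 Tbps of {FULL_FRAME}-byte frames = {pps_at(2.5e12, FULL_FRAME) / 1e6:.1f} Mpps")
    dev = Device(max_pps=50e6, max_bps=100e9)   # constructed capacities
    print("crossover frame size:", crossover_frame(dev), "bytes")
    for pps, frame in [(40e6, MIN_FRAME), (5e6, FULL_FRAME)]:   # constructed samples
        print(pps, frame, binding_limit(dev, pps, frame))
```

Under these assumptions the 840 Mpps flood carries roughly 564 Gbps, under a quarter of the ~2.5 Tbps bit-rate peak, yet about four times as many packets as that peak would contain at full-size frames.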

In October last year, the industry observed some of the largest Layer 7 DDoS attacks in history. Exploiting the ‘HTTP/2 Rapid Reset’ zero-day vulnerability, multiple record-breaking assaults were seen over the course of several days, with the largest peaking at 398 million requests per second (rps).
