8 July 2024

OVHcloud hit with record 840M PPS DDoS attack using MikroTik routers

French cloud computing firm OVHcloud said it blocked a record-breaking distributed denial-of-service (DDoS) attack in April 2024. The attack reached an unprecedented packet rate of 840 million packets per second (Mpps), surpassing the previous record of 809 Mpps reported by Akamai in June 2020.

The incident involved a dual-faceted attack comprising a TCP ACK flood originating from 5,000 source IPs and a DNS reflection attack using approximately 15,000 DNS servers to amplify traffic.

“Since the beginning of 2023, we noticed a sharp increase of DDoS attacks, both in frequency and intensity. Moreover, starting from November of the same year, a significant acceleration of the trend has been observed by our teams at OVHcloud: while DDoS reaching 1 Tbps or above were occasional, they aren’t anymore. In the past 18 months, we went from 1+ Tbps attacks being quite rare, then weekly, to almost daily (averaged out over one week). The highest bit rate we observed during that period was ~2.5 Tbps,” the company said.

Unlike typical DDoS attacks that overwhelm bandwidth with a flood of junk traffic, packet rate attacks aim to overload the packet processing engines of network devices close to the target, such as load balancers.
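As an added illustration (not part of the article or of OVHcloud's own tooling), the following Python sketch shows how a defender can separate the two regimes in per-second traffic counters: a vector that crosses the packet-rate threshold with tiny packets is stressing packet processing, while one carrying large packets is stressing link bandwidth. The counter layout, the 100 Mpps alert level, the 100-byte packet-size cut-off and the sample values are all assumptions.

```python
from collections import defaultdict

# Constructed per-second traffic counters in the shape a flow collector
# might export: (second, proto, src_port, tcp_flags, packets, bytes).
# Illustrative values only, not OVHcloud's telemetry.
SAMPLES = [
    (0, "tcp", 44112, "A", 300_000_000, 16_200_000_000),  # ACK flood, 54 B packets
    (0, "udp", 53, "", 120_000_000, 60_000_000_000),       # DNS reflection, 500 B replies
    (0, "tcp", 443, "PA", 2_000_000, 2_800_000_000),       # ordinary HTTPS traffic
    (1, "tcp", 51000, "A", 310_000_000, 16_740_000_000),
    (1, "udp", 53, "", 125_000_000, 62_500_000_000),
    (1, "tcp", 443, "PA", 2_100_000, 2_900_000_000),
]

PPS_ALERT = 100_000_000   # 100 Mpps, the level the article singles out (assumed threshold)
SMALL_PACKET = 100        # bytes; packet-rate floods ride on tiny packets (assumed cut-off)


def vector_of(proto, sport, flags):
    """Map a counter row onto the attack vectors named in the article."""
    if proto == "tcp" and flags == "A":
        return "tcp_ack_flood"
    if proto == "udp" and sport == 53:
        return "dns_reflection"
    return "other"


def analyze(samples):
    """Per second: total Mpps and Gbps, plus every vector above PPS_ALERT
    tagged by what it exhausts (packet processing vs. link bandwidth)."""
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sec, proto, sport, flags, pkts, nbytes in samples:
        acc = per_sec[sec][vector_of(proto, sport, flags)]
        acc[0] += pkts
        acc[1] += nbytes
    report = {}
    for sec, vectors in sorted(per_sec.items()):
        total_pkts = sum(v[0] for v in vectors.values())
        total_bytes = sum(v[1] for v in vectors.values())
        flagged = {}
        for name, (pkts, nbytes) in vectors.items():
            if pkts < PPS_ALERT:
                continue          # below the packet-rate alert level, not flagged
            avg = nbytes / pkts   # average packet size decides the regime
            flagged[name] = "packet-rate" if avg <= SMALL_PACKET else "bandwidth"
        report[sec] = {"mpps": total_pkts / 1e6,
                       "gbps": total_bytes * 8 / 1e9,
                       "flagged": flagged}
    return report
```

Calling `analyze(SAMPLES)` tags the ACK flood as a packet-rate vector (54-byte packets at 300 Mpps) and the DNS reflection as a bandwidth vector, even though both exceed the alert level.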

OVHcloud's data indicates a sharp increase in DDoS attacks leveraging packet rates greater than 100 Mpps during the same period, many originating from compromised MikroTik Cloud Core Router (CCR) devices.

Notably, 99,382 MikroTik routers are currently accessible over the internet. These routers, besides exposing an administration interface, operate on outdated versions of RouterOS, rendering them vulnerable to known security flaws. It is suspected that threat actors exploit the operating system's Bandwidth test feature to execute these attacks.

“We have been surprised to discover devices with a recent firmware being potentially compromised though. As far as we know, no vulnerability affecting RouterOS 6.49.14 and later versions have been publicly published so far. A possible explanation would be these devices may have been patched after their compromission,” OVHcloud noted in a blog post.
