

Severity
High
Analysis Summary
Cloudflare announced that it successfully stopped a distributed denial-of-service (DDoS) attack that lasted 65 seconds and reached a peak throughput of 3.8 terabits per second (Tbps).
The web infrastructure and security company reported that during the previous month it repelled more than a hundred hyper-volumetric L3/4 DDoS attacks, many of which exceeded 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The report stated that these hyper-volumetric L3/4 DDoS attacks have been ongoing since early September 2024 and have targeted numerous clients in the financial services, Internet, and telecommunication sectors. No particular threat actor has been identified as the source of the activity.
The previous record for the largest volumetric DDoS attack, which peaked at 3.47 Tbps in November 2021, targeted an unidentified Microsoft Azure client in Asia. The current attacks use the User Datagram Protocol (UDP) on a dedicated port and originate from Vietnam, Russia, Brazil, Spain, and the United States of America. The attacking devices include DVRs, web servers, and compromised MikroTik devices.
According to Cloudflare, a significant botnet made up of compromised ASUS home routers is most likely the source of the high bitrate attacks. This botnet is likely being used to exploit a recently discovered critical vulnerability (CVE-2024-3080, CVSS score: 9.8). Statistics released by an attack surface management company indicate that as of June 21, 2024, slightly more than 157,000 ASUS router models may have been impacted by the vulnerability. A majority of these devices are located in the U.S., Hong Kong, and China.
The campaign's ultimate objective is to exhaust the target's CPU and network capacity, preventing legitimate users from reaching the service. To withstand a high packet rate attack, a defender must be able to inspect and discard the bad packets while still having enough CPU time left over to process the good ones. Cloud services with insufficient capacity, as well as on-premise equipment, are not enough to fight DDoS attacks of this size: the high bandwidth utilization can saturate Internet links, and the high packet rate can crash in-line appliances.
According to a network performance monitoring company, the number of DDoS attacks against banking, financial services, and public utilities has increased by 55% in the last four years, making these industries prime targets. Volumetric attacks have increased by 30% in just the first half of 2024. DDoS attacks have become more frequent, mostly as a result of hacktivist operations directed towards international organizations and companies.
To make detection more difficult, DNS-over-HTTPS (DoH) is being used for command-and-control (C2). Defense measures are made more difficult by the trend of deploying a distributed botnet C2 infrastructure that uses bots as control nodes. This is because, in addition to incoming DDoS activity, outgoing activity from bot-infected systems also has to be prioritized and stopped.
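The two detection needs described above, spotting inbound high packet rate floods against a host and spotting outbound flood traffic from a bot-infected host inside the network, can be covered by one per-second aggregation over flow records. The following is an added example and is not code from Cloudflare or from the advisory; it assumes a placeholder internal prefix (10.0.0.0/16), thresholds chosen for illustration, and a handful of constructed UDP and TCP flow records using documentation addresses in place of real telemetry.

```python
"""Per-second UDP flood detector over flow records (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the monitored network is 10.0.0.0/16 (placeholder, not from the advisory).
INTERNAL = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the flow was observed
    src: str
    dst: str
    proto: str     # "UDP" or "TCP"
    dport: int
    packets: int
    octets: int


# Constructed sample records: one second of normal traffic, then an inbound UDP
# flood to 10.0.5.20 on a single port, then an outbound flood from 10.0.7.9.
SAMPLE_FLOWS = [
    Flow(1000, "198.51.100.7", "10.0.5.20", "UDP", 443, 120, 15_000),
    Flow(1000, "10.0.5.20", "198.51.100.7", "UDP", 443, 110, 160_000),
    Flow(1000, "192.0.2.9", "10.0.5.20", "TCP", 443, 900_000, 60_000_000),  # TCP, ignored here
    Flow(1001, "192.0.2.10", "10.0.5.20", "UDP", 443, 400_000, 25_600_000),
    Flow(1001, "192.0.2.11", "10.0.5.20", "UDP", 443, 400_000, 25_600_000),
    Flow(1001, "203.0.113.12", "10.0.5.20", "UDP", 443, 400_000, 25_600_000),
    Flow(1002, "10.0.7.9", "203.0.113.50", "UDP", 80, 900_000, 1_080_000_000),
]


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def per_second_totals(flows):
    """Aggregate UDP packets, octets and destination ports per (second, direction, host).

    direction is "in" when an internal host is the destination (a flood aimed at us)
    and "out" when an internal host is the source (one of our devices joining a flood).
    """
    totals = defaultdict(lambda: [0, 0, set()])
    for f in flows:
        if f.proto != "UDP":
            continue  # the advisory describes UDP floods; other protocols are out of scope
        if is_internal(f.dst):
            key = (f.ts, "in", f.dst)
        elif is_internal(f.src):
            key = (f.ts, "out", f.src)
        else:
            continue  # transit traffic between two external hosts
        entry = totals[key]
        entry[0] += f.packets
        entry[1] += f.octets
        entry[2].add(f.dport)
    return totals


def detect_floods(flows, pps_threshold, bps_threshold):
    """Return one alert per (second, direction, host) whose rate crosses a threshold."""
    alerts = []
    for (sec, direction, host), (pkts, octs, ports) in sorted(per_second_totals(flows).items()):
        bps = octs * 8
        triggers = []
        if pkts >= pps_threshold:
            triggers.append("pps")
        if bps >= bps_threshold:
            triggers.append("bps")
        if triggers:
            alerts.append({
                "second": sec,
                "direction": direction,
                "host": host,
                "pps": pkts,
                "bps": bps,
                "dports": sorted(ports),   # a single port is typical of the floods described
                "triggers": triggers,
            })
    return alerts


if __name__ == "__main__":
    # Illustrative thresholds; tune to the link capacity and packet budget of the real network.
    for alert in detect_floods(SAMPLE_FLOWS, pps_threshold=500_000, bps_threshold=1_000_000_000):
        print(alert)
```

The "out" direction is what the advisory's last point calls for: a compromised router or DVR inside the network shows up as an internal source emitting hundreds of thousands of UDP packets per second to a single destination port, and that host can be quarantined before it adds to someone else's incident.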
Impact
- Denial of Service
- Operational Disruption
Remediation
- Regularly update firmware on all network devices, especially those identified as vulnerable.
- Implement strict access controls to limit the exposure of network device interfaces on the internet.
- Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
- Conduct frequent security audits and vulnerability assessments on network infrastructure.
- Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
- Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
- Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
- Educate and inform users and administrators about the importance of timely updates and secure configurations.
- Implement robust firewall and intrusion prevention systems to filter malicious traffic.
- Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.