July 5, 2024
Severity
High
Analysis Summary
Earlier this year, OVHcloud, a leading global cloud services provider, mitigated a record-breaking DDoS attack that reached an unprecedented rate of 840 million packets per second (Mpps). This surpasses the previous record of 809 Mpps set by an attack on a European bank in June 2020.
The attack, which occurred in April 2024, involved a TCP ACK flood originating from 5,000 source IPs, with two-thirds of the packets routed through just four Points of Presence (PoPs) in the United States. OVHcloud reported that these high packet rate attacks are becoming more frequent, with attacks exceeding 1 Tbps now occurring almost daily.
The company has observed a significant increase in both the size and frequency of DDoS attacks since the beginning of 2023. Notably, the highest bit rate attack OVHcloud recorded was 2.5 Tbps on May 25, 2024. These attacks are often sustained over extended periods, making them particularly challenging to mitigate. OVHcloud's analysis revealed that many of these attacks exploited core network devices, especially Mikrotik routers, which are known for their high performance and have become frequent targets for such exploits.
OVHcloud identified specific Mikrotik models, such as the CCR1036-8G-2S+ and CCR1072-1G-8S+, as being commonly compromised. These devices, used in small to medium-sized network cores, often run outdated firmware, making them vulnerable to attacks. Attackers are believed to use Mikrotik's "Bandwidth Test" feature to generate high packet rates. OVHcloud found nearly 100,000 Mikrotik devices exposed on the internet, presenting a significant risk for DDoS botnet formation.
The cloud provider warned that even a small fraction of these compromised devices could create a botnet capable of generating billions of packets per second, posing a severe threat to internet infrastructure. Despite multiple warnings from Mikrotik to update RouterOS for better security, many devices remain vulnerable. OVHcloud has reported its findings to Mikrotik but has not received a response, highlighting an ongoing issue with the security of these high-performance networking devices.
Impact
- Denial of Service
- Operational Disruption
Remediation
- Regularly update firmware on all network devices, especially those identified as vulnerable, such as Mikrotik routers.
- Implement strict access controls to limit the exposure of network device interfaces on the internet.
- Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
- Conduct frequent security audits and vulnerability assessments on network infrastructure.
- Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
- Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
- Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
- Educate and inform users and administrators about the importance of timely updates and secure configurations.
- Implement robust firewall and intrusion prevention systems to filter malicious traffic.
- Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.
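The monitoring recommendation above is easiest to reason about against the attack shape described in the analysis: a TCP ACK flood, measured in packets per second rather than bits, spread across thousands of source addresses. The following Python script is an added illustration and is not code from the advisory or from OVHcloud; it buckets ACK-only TCP packets per destination per one-second window and raises an alert when both the packet rate and the number of distinct sources cross thresholds, which separates a distributed flood from a single busy legitimate flow. The packet records, the addresses and the thresholds are constructed for the demonstration; real thresholds would be orders of magnitude higher and would be fed from flow export or packet capture rather than an in-memory list.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary as a flow/capture pipeline might emit it (constructed)."""
    ts: float      # seconds since start of observation
    src: str       # source IP
    dst: str       # destination IP
    flags: str     # TCP flag string, e.g. "S", "SA", "A", "PA"


ACK_ONLY = "A"  # bare ACK with no SYN/PSH/FIN: the packet type in an ACK flood


def ack_flood_windows(packets, window=1.0, pps_threshold=1000, min_sources=50):
    """Bucket ACK-only packets per (destination, time window).

    A window is flagged only when the packet rate AND the number of distinct
    sources both exceed their thresholds, so a single fast legitimate sender
    does not trip the detector but a many-source flood does.
    Returns a list of alert dicts sorted by destination and window.
    """
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for p in packets:
        if p.flags != ACK_ONLY:
            continue  # handshake and data packets are not part of an ACK flood
        key = (p.dst, int(p.ts // window))
        bucket = buckets[key]
        bucket["count"] += 1
        bucket["sources"].add(p.src)

    alerts = []
    for (dst, win), bucket in sorted(buckets.items()):
        pps = bucket["count"] / window
        if pps >= pps_threshold and len(bucket["sources"]) >= min_sources:
            alerts.append({
                "dst": dst,
                "window": win,
                "pps": pps,
                "sources": len(bucket["sources"]),
            })
    return alerts


def build_sample():
    """Constructed traffic: one distributed ACK flood plus benign background."""
    pkts = []
    # Flood: 1500 bare-ACK packets within the first second, from 300 distinct
    # sources (documentation-range style 10.x addresses, constructed).
    for i in range(1500):
        n = i % 300
        src = f"10.{n // 256}.{n % 256}.1"
        pkts.append(Packet(ts=i / 1500, src=src, dst="203.0.113.10", flags="A"))
    # Benign: 40 ACKs from 4 sources spread over two seconds to another host.
    for i in range(40):
        pkts.append(Packet(ts=i * 0.05, src=f"192.0.2.{i % 4 + 1}",
                           dst="203.0.113.20", flags="A"))
    # A SYN/ACK toward the victim: a handshake packet, ignored by the detector.
    pkts.append(Packet(ts=0.3, src="192.0.2.9", dst="203.0.113.10", flags="SA"))
    return pkts


if __name__ == "__main__":
    for alert in ack_flood_windows(build_sample()):
        print(f"ACK flood toward {alert['dst']} in window {alert['window']}: "
              f"{alert['pps']:.0f} pps from {alert['sources']} sources")
```

Because the key is the destination rather than the source, the detector stays useful when the flood comes from thousands of addresses, which is exactly when per-source rate limiting stops helping; tuning `pps_threshold` against a baseline of the protected prefix's normal ACK rate is the part that has to be done per network.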