OVHcloud has revealed new details about how it mitigated a record 840 million packets per second (840 Mpps) Distributed Denial of Service (DDoS) attack earlier this year.
In a new blog post, the company reports that attackers are abusing compromised core network devices during these attacks, which makes the floods far more powerful and harder to mitigate.
Two Mikrotik models were named: the CCR1036-8G-2S+ and the CCR1072-1G-8S+. Both are high-throughput routers typically deployed as the core of small to medium networks. Their management interfaces were reportedly reachable from the internet and they were running outdated RouterOS firmware, which makes them an attractive target for cybercriminals.
The Mēris botnet
OVHcloud said it saw nearly 100,000 Mikrotik devices exposed to the wider internet, but it is difficult to determine how many of them were compromised. The record-breaking DDoS attack originated from around 5,000 source IPs, with two-thirds of the packets entering OVHcloud's network through just four of its Points of Presence (PoPs), all in the US.
Because these routers have considerable processing power (the CCR1036, for example, has a 36-core CPU), OVHcloud estimated that compromising just 1% of the exposed devices, roughly 1,000 routers, would give a botnet a theoretical capacity of about 2.28 billion packets per second (2.28 Gpps), nearly three times the attack it had just absorbed.
The identity of the attackers, and the malware used to enlist the routers into the botnet, were not disclosed. As BleepingComputer notes in its writeup, Mikrotik devices have been targeted in the past by the operators of the Mēris botnet.
The best defence against this type of attack is to keep the routers on a supported, patched release of RouterOS (the operating system that powers Mikrotik devices) and to keep their management interfaces, such as Winbox, SSH, the web UI and the API, off the public internet. Mikrotik has apparently warned its users multiple times to upgrade RouterOS to a secure version, but many devices are still running older, vulnerable releases.
OVHcloud says it has reached out to Mikrotik with details about its findings, but has not yet received a response.
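The following RouterOS script is an added example of the hardening described above; it is not code from OVHcloud's post or from Mikrotik. It assumes the upstream link is on ether1 and that administrators connect from the 192.168.88.0/24 network behind ether2 (both the interface names and the subnet are assumptions to be adapted), and it leaves the router itself online while pulling its management plane off the internet.

```routeros
# Added example, not from the OVHcloud post or from Mikrotik documentation.
# Assumed layout: ether1 = upstream (WAN), ether2 = management LAN, admins on 192.168.88.0/24.

# 1. Check the running RouterOS version and whether a newer release is available.
/system resource print
/system package update check-for-updates

# 2. Group interfaces so later rules can refer to "WAN" and "MGMT" by name.
/interface list
add name=WAN comment="upstream, untrusted"
add name=MGMT comment="management side"
/interface list member
add list=WAN interface=ether1
add list=MGMT interface=ether2

# 3. Disable management services that are not needed and bind the rest to the admin subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 4. Keep neighbour discovery and MAC-based management (MAC-Winbox, MAC-Telnet) off the WAN side.
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool bandwidth-server set enabled=no

# 5. Input-chain firewall: traffic destined for the router itself is only accepted from
#    the management network or as part of sessions the router opened; everything arriving
#    from the upstream interface is dropped.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping and path MTU"
add chain=input src-address=192.168.88.0/24 in-interface-list=MGMT action=accept comment="admins"
add chain=input in-interface-list=WAN action=drop comment="no management from the internet"
```

Apply it from a console session on the management side, not over the upstream link, since the last rule cuts off any session that arrived through ether1. The `/ip service` binding and the input-chain drop overlap deliberately: the service address list protects the daemons even if a firewall rule is later reordered, and the firewall protects the router even if a service is re-enabled by mistake.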