OVHcloud says it has worked out who hit it with a record-breaking DDoS attack

News
By
published

Two Mikrotik models are being leveraged in the attacks

DDoS Attack
(Image credit: Shutterstock) (Image credit: Shutterstock)

OVHcloud has revealed new details about how it managed to sruvive a dizzying 840 million packets per second (Mpps) Distributed Denial of Service (DDoS) attack earlier this year.

In a new blog post, the company said it observed threat actors using core network devices during these raids, making the DDoS attacks a lot more potent, and more difficult to combat. 

It named two Mikrotik models - CCR1036-8G-2S+, and CCR1072-1G-8S+, apparently used as small-to-medium-sized network cores, which reportedly exposed their interfaces online, while running outdated firmware, making them a prime target for cybercriminals.

The Mēris botnet

OVHcloud said it observed almost 100,000 Mikrotik devices connected to the wider internet, but it’s difficult to determine how many are compromised. The record-breaking DDoS attack originated from 5,000 source IPs, with two-thirds of packets being routed through just four Points of Presence (PoPs), all in the US.

Since these devices come with high processing power (many have 36-core CPUs), even hijacking 1% into a botnet could potentially lead to a 2.28 billion packets per second (Gpps) DDoS attacks. 

The identity of the attackers, or the malware they used to assimilate these devices into the botnet, was not disclosed. In its writeup, BleepingComputer said that in the past, Mikrotik devices were targeted by the operators of the Mēris botnet.

The best way to protect against this type of malware attack is to keep the devices updated with the latest firmware and software and, if possible, keep them away from the public internet. Apparently, Mikrotik warned its users, on multiple occasions, to upgrade RouterOS (the OS powering the devices) to a secure version, but many are still running an older and vulnerable version. 

OVHcloud says it reached out to the company with details about its findings, but is yet to receive a response.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.