
French cloud computing provider OVHcloud revealed at the beginning of July 2024 that in April 2024 it had mitigated the largest-ever distributed denial-of-service (DDoS) attack in terms of packet rate, amid an overall increase in DDoS attack intensity. Its packet rate is just above the previous record of 809 million packets per second (Mpps), which Akamai reported as targeting a large European bank in June 2020.

Analysis of the malicious traffic revealed that most of the source IPs are known Internet-facing MikroTik routers, specifically the Cloud Core Router models CCR1036-8G-2S+ and CCR1072-1G-8S+.
99% of the malicious traffic was a TCP ACK flood originating from around 5,000 source IPs. The remaining 1% was a DNS reflection attack that used about 15,000 DNS servers to amplify the traffic, an approach that is not really efficient for achieving high packet rates.
The experts at OVHcloud speculate that the use of MikroTik devices in coordinated DDoS attacks might be due to the “Bandwidth test” feature in RouterOS, which allows administrators to test router throughput by crafting packets and performing stress tests. For versions after 6.44beta39, this feature uses all available bandwidth by default, potentially impacting network usability. Most of the offending IPs identified were running RouterOS v6.44 or above.
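
For defenders triaging their own MikroTik fleet against the version boundary mentioned above, the following added example (not code from OVHcloud or MikroTik) orders RouterOS version strings, including beta and rc pre-releases, and flags devices running anything after 6.44beta39 for a review of their Bandwidth test exposure. The hostnames and inventory entries are constructed, and the function names are hypothetical.

```python
import re

# Threshold taken from the text: versions after 6.44beta39.
THRESHOLD = "6.44beta39"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?")
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}  # pre-releases sort before the release


def version_key(text):
    """Turn a RouterOS version string into a sortable tuple."""
    m = _VERSION_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(stage_no or 0))


def after_threshold(version, threshold=THRESHOLD):
    """True when `version` is strictly newer than `threshold`."""
    return version_key(version) > version_key(threshold)


def triage(inventory):
    """Return (flagged, unparsed) host lists from (host, version) pairs."""
    flagged, unparsed = [], []
    for host, version in inventory:
        try:
            if after_threshold(version):
                flagged.append(host)
        except ValueError:
            unparsed.append(host)  # needs a manual check, not a silent pass
    return flagged, unparsed


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("edge-01", "6.43.16"),
    ("edge-02", "6.44beta39"),
    ("edge-03", "6.44beta40"),
    ("edge-04", "v6.44"),
    ("core-01", "6.49.10 (long-term)"),
    ("core-02", "7.15rc2"),
    ("lab-01", "unknown"),
]

if __name__ == "__main__":
    flagged, unparsed = triage(SAMPLE_INVENTORY)
    print("review Bandwidth test exposure:", flagged)
    print("could not parse:", unparsed)
```

Devices with an unparseable version are reported separately so that they are checked by hand instead of being treated as unaffected.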