OVHcloud has revealed new details about how it managed to sruvive a dizzying 840 million packets per second (Mpps) Distributed Denial of Service (DDoS) attack earlier this year.
In a new blog post, the company said it observed threat actors using core network devices during these raids, making the DDoS attacks a lot more potent, and more difficult to combat.
It named two Mikrotik models – CCR1036-8G-2S+, and CCR1072-1G-8S+, apparently used as small-to-medium-sized network cores, which reportedly exposed their interfaces online, while running outdated firmware, making them a prime target for cybercriminals.
The Mēris botnet
OVHcloud said it observed almost 100,000 Mikrotik devices connected to the wider internet, but it’s difficult to determine how many are compromised. The record-breaking DDoS attack originated from 5,000 source IPs, with two-thirds of packets being routed through just four Points of Presence (PoPs), all in the US.
Since these devices come with high processing power (many have 36-core CPUs), even hijacking 1% into a botnet could potentially lead to a 2.28 billion packets per second (Gpps) DDoS attacks.
The identity of the attackers, or the malware they used to assimilate these devices into the botnet, was not disclosed. In its writeup, BleepingComputer said that in the past, Mikrotik devices were targeted by the operators of the Mēris botnet.
The best way to protect against this type of malware attack is to keep the devices updated with the latest firmware and software and, if possible, keep them away from the public internet. Apparently, Mikrotik warned its users, on multiple occasions, to upgrade RouterOS (the OS powering the devices) to a secure version, but many are still running an older and vulnerable version.
OVHcloud says it reached out to the company with details about its findings, but is yet to receive a response.
+ There are no comments
Add yours