Cloudflare has revealed that it mitigated a record distributed denial of service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds.
The web infrastructure and security company said it fended off “more than one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps).”
The hyper-volumetric L3/4 DDoS attacks have been ongoing since early September 2024, Cloudflare said, adding that they targeted numerous customers in the financial services, Internet and telecommunications industries. The activity has not been attributed to any specific threat actor.
The previous record for the largest volumetric DDoS attack peaked at 3.47 Tbps in November 2021 and targeted an unnamed Microsoft Azure customer in Asia.
The attacks use the User Datagram Protocol (UDP) on a fixed port, with a flood of packets originating from Vietnam, Russia, Brazil, Spain, and the United States. The sources include compromised MikroTik devices, digital video recorders (DVRs) and web servers.
Cloudflare said the high-bitrate attacks are likely coming from a large botnet of infected ASUS home routers that are being exploited via a recently disclosed critical flaw (CVE-2024-3080, CVSS score: 9.8).
According to attack surface management firm Censys, just over 157,000 ASUS routers were potentially affected by this vulnerability as of June 21, 2024. The majority of these devices are located in the US, Hong Kong and China.
The attacks’ ultimate goal, according to Cloudflare, is to exhaust the target’s network bandwidth and CPU cycles, thereby preventing legitimate users from accessing the service.
“To defend against high packet rate attacks, you must be able to inspect and reject bad packets using as few CPU cycles as possible, leaving enough CPU to handle good packets,” the company said.
“Many underpowered cloud services and the use of on-premise hardware are insufficient to protect against DDoS attacks of this size, as high bandwidth usage can clog Internet links and high packet rates can cause embedded devices to fail.”
Banking, financial services and utilities are hot targets for DDoS attacks, experiencing a 55% spike in the past four years, according to network performance monitoring company NETSCOUT. In the first half of 2024 alone, volume attacks increased by 30%.
The surge in DDoS attacks, driven mainly by hacktivist activity targeting global organizations and industries, has also seen botnets use DNS-over-HTTPS (DoH) for command and control (C2) in an attempt to make detection more difficult.
“The trend toward implementing a distributed C2 botnet infrastructure that uses bots as control nodes further complicates defense efforts, because not only inbound DDoS activity, but also outbound activity from bot-infected systems must be screened and blocked,” NETSCOUT said.
The development comes as Akamai revealed that the recently disclosed Common UNIX Printing System (CUPS) vulnerabilities on Linux can be a viable vector for mounting DDoS attacks with a 600x amplification factor in a matter of seconds.
The company’s analysis found that more than 58,000 (34%) of the approximately 198,000 CUPS hosts reachable from the public Internet could be recruited to conduct DDoS attacks.
“The problem arises when an attacker sends a crafted packet specifying the target’s address as the printer to be added,” researchers Larry Cashdollar, Kyle Lefton, and Chad Seaman said.
“For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the CUPS server host also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”
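As an added illustration (not code from Cloudflare, Akamai, or the CUPS project), the checker below parses UDP/631 datagrams in the legacy CUPS browse format (`<type> <state> <uri> "<location>" "<info>" …`) and flags the pattern the researchers describe: a datagram arriving from outside the local network whose printer URI points at a host other than the sender, which is what makes the CUPS host fire an IPP/HTTP request at a third party. The sample datagrams, the private-range allowlist and the `classify` function are constructed for this example; in practice the same logic would run over a capture of inbound UDP/631 traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample datagrams as a cups-browsed listener on UDP/631 would see them:
# (source IP, payload). Payload layout is the legacy CUPS browse packet format.
SAMPLE_DATAGRAMS = [
    # benign: a LAN printer announcing a queue hosted on itself
    ("192.168.1.20", '3 3 ipp://192.168.1.20:631/printers/office "Floor 2" "Office LaserJet"'),
    # suspicious: Internet source, URI points at an unrelated host (the amplification trigger)
    ("203.0.113.7", '0 3 http://198.51.100.9:80/printers/whatever "Office HQ" "Printer"'),
    # malformed: not a browse packet at all
    ("203.0.113.8", "GET / HTTP/1.1"),
]

# type and state are printed as hex by the original cupsd announcer
BROWSE_RE = re.compile(
    r'^(?P<type>[0-9a-fA-Fx]+)\s+(?P<state>[0-9a-fA-Fx]+)\s+(?P<uri>\S+)\s+'
    r'"(?P<location>[^"]*)"\s+"(?P<info>[^"]*)"'
)

# Assumed set of networks from which printer announcements are legitimate.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_browse_packet(payload: str):
    """Return the parsed fields of a browse packet, or None if it does not match."""
    m = BROWSE_RE.match(payload)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["uri"])
    return {
        "type": fields["type"],
        "state": fields["state"],
        "uri": fields["uri"],
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or 631,  # IPP default when the URI carries no port
        "location": fields["location"],
        "info": fields["info"],
    }


def classify(src_ip: str, payload: str) -> list:
    """Return the list of reasons to reject/alert on the datagram (empty list = accept)."""
    reasons = []
    pkt = parse_browse_packet(payload)
    if pkt is None:
        return ["payload is not a CUPS browse packet"]
    if not is_private(src_ip):
        reasons.append("source outside private ranges")
    host = pkt["host"]
    if host is None:
        reasons.append("uri has no host")
        return reasons
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # a DNS name cannot be checked against the sender without resolving it
        reasons.append(f"uri host {host} is a DNS name and cannot be verified against the sender")
        return reasons
    if host != src_ip:
        reasons.append(f"uri host {host} differs from source {src_ip}")
    if not is_private(host):
        reasons.append(f"uri host {host} is not on a private network")
    return reasons


def scan(datagrams) -> list:
    """Classify every (src_ip, payload) pair; returns (src_ip, reasons) tuples."""
    return [(src, classify(src, payload)) for src, payload in datagrams]


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_DATAGRAMS):
        print(src, "ACCEPT" if not reasons else "ALERT: " + "; ".join(reasons))
```

The two checks that matter are the last ones: a legitimate announcer advertises queues on itself, so a URI whose host is not the sender, or not on a network you would print to, is exactly the datagram that turns the CUPS host into a reflector.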
An estimated 7,171 hosts have CUPS services exposed over TCP and are vulnerable to CVE-2024-47176, Censys said, calling the figure an underestimate because “more CUPS services appear to be available over UDP than over TCP.”
Organizations are advised to consider removing CUPS where printing functionality is not required, and to block the service’s port (UDP/631) at the firewall wherever it is reachable from the wider Internet.