Cloudflare reports record-breaking 3.8Tbps DDoS attack

Launched by a network of compromised devices spread across the globe

Internet infrastructure company Cloudflare says it has successfully mitigated the largest publicly recorded distributed denial-of-service (DDoS) attack to date, peaking at a massive 3.8 terabits per second (Tbps).

The month-long campaign targeted organisations in the financial services, internet and telecommunications sectors, Cloudflare disclosed.

"This attack campaign targets bandwidth saturation as well as resource exhaustion of in-line applications and devices," it added.

DDoS attacks typically rely on vast networks of compromised devices (botnets) or exploit amplification techniques to increase the impact of the attack.

The campaign mitigated by Cloudflare consisted of more than 100 hyper-volumetric DDoS attacks, each seeking to overwhelm its target with massive amounts of traffic in order to disrupt services and deny access to legitimate users.

Many of the attacks exceeded two billion packets per second (pps) and 3 Tbps, focusing on the network and transport layers of the target's infrastructure.

Cloudflare's researchers traced the attacks to a network of compromised devices spread across the globe, with significant concentrations in Russia, Vietnam, Brazil, Spain and the US.

The threat actor leveraged a variety of infected devices, including Asus home routers, web servers, MikroTik systems and DVRs.

"The high packet rate attacks appear to originate from multiple types of compromised devices, including MikroTik devices, DVRs and Web servers, orchestrated to work in tandem and flood the target with exceptionally large volumes of traffic. The high bitrate attacks appear to originate from a large number of compromised ASUS home routers, likely exploited using a CVE 9.8 (Critical) vulnerability that was recently discovered by Censys," Cloudflare said.

The company successfully mitigated all DDoS attacks autonomously, including one that lasted 65 seconds and peaked at 3.8 Tbps.

The attackers primarily used the User Datagram Protocol (UDP) on a fixed port. UDP is connectionless, so it allows fast data transfer without first establishing a formal connection.

Prior to this record-breaking attack, Microsoft held the record for mitigating a 3.47 Tbps attack.

That attack targeted an Azure customer in Asia in November 2021 and was followed by two more significant assaults in December 2021.

The November attack originated from approximately 10,000 sources across multiple countries and lasted for 15 minutes.

Linux DDoS vulnerability

In a recent report, cloud computing company Akamai warned that a series of CUPS vulnerabilities in Linux could serve as a vector for DDoS attacks. After scanning the internet for vulnerable systems, Akamai found more than 58,000 that were exposed to DDoS attacks through the CUPS exploit.

Further testing showed that hundreds of these vulnerable CUPS servers would keep sending requests back after receiving an initial probe, with some continuing to do so indefinitely in response to HTTP 404 errors.

CUPS, widely used on Linux and Unix-like systems, includes the cups-browsed daemon, which searches for network printers and makes them available for printing. If enabled, this daemon listens on UDP port 631 and allows remote connections to create new printers.

By exploiting vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed daemon and other CUPS components, attackers could create malicious PostScript Printer Description (PPD) printers and trick users into printing from them. This would execute malicious commands embedded in the PPD file on the vulnerable machine.

While patches are still under development, Red Hat has shared mitigation measures to disable the cups-browsed service and prevent it from starting on reboot. These measures can effectively break the exploit chain and protect systems from the vulnerabilities.
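As an added example, not taken from the article, Akamai or Red Hat, the following POSIX shell script applies the mitigation described above on a systemd host (stop cups-browsed and keep it from starting at boot) and then checks that no UDP 631 listener remains. It assumes `systemctl` and `ss` are available; the port check parses `ss` output passed in as an argument, so it can also be run against a captured listing.

```shell
#!/bin/sh
# Added example (not the article's, Akamai's or Red Hat's own code).
# Mitigation: stop cups-browsed now and prevent it from starting on reboot.
# Requires root on a systemd-based host.
disable_cups_browsed() {
    systemctl stop cups-browsed || return 1
    systemctl disable cups-browsed || return 1
}

# Return 0 if the given `ss -Hlun` listing shows a UDP socket bound to
# port 631 (the port cups-browsed listens on), 1 otherwise. The listing is
# taken as $1 so the check can be run against captured output as well.
udp631_listening() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /:631$/) found = 1 }
        END { exit !found }'
}

# Verify the live host: succeed only if cups-browsed is disabled and
# nothing is bound to UDP 631.
verify_cups_browsed_off() {
    if udp631_listening "$(ss -Hlun 2>/dev/null)"; then
        echo "UDP 631 still has a listener"
        return 1
    fi
    if systemctl is-enabled --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed is still enabled at boot"
        return 1
    fi
    echo "cups-browsed mitigation in place"
}
```

Run `disable_cups_browsed` as root, then `verify_cups_browsed_off` to confirm the daemon is off and the port is closed.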