Cloudflare Thwarts Largest-Ever 3.8 Tbps DDoS Attack Targeting Global Sectors

Cloudflare has disclosed that it mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds.

The web infrastructure and security company said it fended off “over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps).”

The hyper-volumetric L3/4 DDoS attacks have been ongoing since early September 2024, it noted, adding they targeted multiple customers in the financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.

The previous record for the largest volumetric DDoS attack hit a peak throughput of 3.47 Tbps in November 2021, targeting an unnamed Microsoft Azure customer in Asia.

The attacks leverage the User Datagram Protocol (UDP) protocol on a fixed port, with the flood of packets originating from Vietnam, Russia, Brazil, Spain, and the U.S. These include compromised MikroTik devices, DVRs, and web servers.

Cloudflare said that the high bitrate attacks are likely emanating from a large botnet comprising infected ASUS home routers that are exploited using a recently disclosed critical flaw (CVE-2024-3080, CVSS score: 9.8).

According to statistics shared by attack surface management firm Censys, a little over 157,000 ASUS router models were potentially affected by the vulnerability as of June 21, 2024. A majority of these devices are located in the U.S., Hong Kong, and China.

The end goal of the campaign, per Cloudflare, is to exhaust that target’s network bandwidth as well as CPU cycles, thereby preventing legitimate users from accessing the service.

“To defend against high packet rate attacks, you need to be able to inspect and discard the bad packets using as few CPU cycles as possible, leaving enough CPU to process the good packets,” the company said.

“Many cloud services with insufficient capacity, as well as the use of on-premise equipment, are not sufficient to defend against DDoS attacks of this size, since the high bandwidth utilization that can clog up Internet links and due to the high packet rate that can crash in-line appliances.”

Banking, financial services, and public utilities are a hot target for DDoS attacks, having experienced a 55% spike over the past four years, per network performance monitoring company NETSCOUT. In the first half of 2024 alone, there has been a 30% increase in volumetric attacks.

The surge in frequency of DDoS attacks, primarily due to hacktivist activities targeting global organizations and industries, have also been coupled by the use of DNS-over-HTTPS (DoH) for command-and-control (C2) in an effort to make detection challenging.

“The trend of implementing a distributed botnet C2 infrastructure, leveraging bots as control nodes, further complicates defense efforts because it’s not just the inbound DDoS activity but also the outbound activity of bot-infected systems that need to be triaged and blocked,” NETSCOUT said.

The development comes as Akamai revealed that the recently disclosed Common UNIX Printing System (CUPS) vulnerabilities in Linux could be a viable vector for mounting DDoS attacks with a 600x amplification factor in mere seconds.

The company’s analysis found that more than 58,000 (34%) out of the roughly 198,000 devices that are accessible on the public internet could be enlisted for conducting DDoS attacks.

“The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added,” researchers Larry Cashdollar, Kyle Lefton, and Chad Seaman said.

“For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.”

It’s estimated that there are about 7,171 hosts that have CUPS services exposed over TCP and are vulnerable to CVE-2024-47176, Censys said, calling it an underestimate owing to the fact that “more CUPS services seem to be accessible over UDP than TCP.”

Organizations are advised to consider removing CUPS if printing functionality isn’t necessary and firewall the service ports (UDP/631) in cases where they’re accessible from the broader internet.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.