Executive Summary
In October 2024, Cloudflare successfully thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at an unprecedented 3.8 terabits per second (Tbps). This attack, targeting multiple sectors such as financial services, Internet, and telecommunications, underscores the escalating threat landscape in cybersecurity. The attack, which lasted for 65 seconds, was characterized by hyper-volumetric Layer 3/4 assaults, with packet rates exceeding 2 billion packets per second (Bpps) and throughput surpassing 3 Tbps. This report delves into the technical intricacies of the attack, the vulnerabilities exploited, and the implications for cybersecurity defenses.
Technical Information
The DDoS attack leveraged the User Datagram Protocol (UDP) on a fixed port, with malicious traffic originating from compromised devices across Vietnam, Russia, Brazil, Spain, and the U.S. The attack was facilitated by a massive botnet comprising infected ASUS home routers, exploiting a critical vulnerability identified as CVE-2024-3080, which carries a CVSS score of 9.8. This vulnerability affected over 157,000 ASUS router models, predominantly located in the U.S., Hong Kong, and China. The botnet also utilized compromised MikroTik devices, DVRs, and web servers to generate the high bitrate attacks, aiming to exhaust the target's network bandwidth and CPU cycles, effectively denying service to legitimate users.
Despite the lack of direct reports of exploitation in the wild for CVE-2024-3080, the attack's scale and sophistication highlight the growing capabilities of threat actors. Cloudflare's defense strategy involved inspecting and discarding malicious packets efficiently, so that CPU cycles were preserved for processing legitimate traffic. The inadequacy of on-premises equipment and undersized cloud services for absorbing attacks of this volume was starkly evident.
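The detection step that the paragraphs above only describe, inspecting traffic and isolating the flood so it can be discarded, is shown here as an added example; it is not code from the report, from Cloudflare, or from any vendor. It aggregates sampled flow records per destination, protocol and port for each second, flags seconds whose estimated packet rate crosses a threshold, and derives the narrowest drop rule that sheds the flood without touching other UDP services. The flow records, the 1:1,000,000 sampling rate, the target address and the attacked port (the report says only that a fixed UDP port was used) are all constructed for this example.

```python
"""Added example, not code from the Rescana report or from Cloudflare: a
minimal rate-based detector for a fixed-port UDP flood over sampled flow
records, with the matching narrow mitigation rule."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int            # epoch second in which the sample was taken
    src_country: str   # country of the source address (assumed GeoIP lookup)
    dst: str           # target address
    proto: str         # "udp" or "tcp"
    dport: int         # destination port
    packets: int       # sampled packets represented by this record


# Assumed 1:1,000,000 packet sampling: one sampled packet stands for a million on the wire.
SAMPLE_RATE = 1_000_000


def detect_udp_floods(flows, pps_threshold):
    """Return {(dst, proto, dport): [(second, estimated_pps, [countries]), ...]}
    for every second in which a UDP destination port exceeded pps_threshold."""
    pps = defaultdict(int)
    countries = defaultdict(set)
    for f in flows:
        key = (f.dst, f.proto, f.dport, f.ts)
        pps[key] += f.packets * SAMPLE_RATE
        countries[key].add(f.src_country)

    alerts = defaultdict(list)
    for key in sorted(pps):
        dst, proto, dport, ts = key
        if proto == "udp" and pps[key] > pps_threshold:
            alerts[(dst, proto, dport)].append((ts, pps[key], sorted(countries[key])))
    return dict(alerts)


def mitigation_rules(alerts):
    """Describe the narrowest filter that sheds each flagged flood: drop the single
    UDP destination port toward the single target, leaving other traffic
    (here, DNS on UDP/53) untouched."""
    return [f"drop udp dport {dport} to {dst} (peak {max(a[1] for a in seconds):,} pps, "
            f"sources from {sorted({c for a in seconds for c in a[2]})})"
            for (dst, proto, dport), seconds in alerts.items()]


# Constructed sample records: light DNS traffic, a two-second flood on one fixed
# UDP port from the countries the report names, and one high-rate TCP record.
SAMPLE_FLOWS = [
    Flow(100, "US", "203.0.113.10", "udp", 53, 2),
    Flow(101, "US", "203.0.113.10", "udp", 53, 3),
    Flow(102, "DE", "203.0.113.10", "udp", 53, 2),
    Flow(101, "VN", "203.0.113.10", "udp", 8443, 900),
    Flow(101, "RU", "203.0.113.10", "udp", 8443, 700),
    Flow(101, "BR", "203.0.113.10", "udp", 8443, 650),
    Flow(102, "ES", "203.0.113.10", "udp", 8443, 1100),
    Flow(102, "US", "203.0.113.10", "udp", 8443, 1200),
    Flow(102, "VN", "203.0.113.10", "udp", 8443, 800),
    Flow(103, "US", "203.0.113.10", "udp", 8443, 1),
    Flow(102, "US", "203.0.113.10", "tcp", 443, 5000),  # TCP: outside this detector's scope
]

PPS_THRESHOLD = 1_000_000_000  # 1 Gpps; the attack in the report exceeded 2 Gpps

if __name__ == "__main__":
    found = detect_udp_floods(SAMPLE_FLOWS, PPS_THRESHOLD)
    for target, seconds in found.items():
        for ts, rate, srcs in seconds:
            print(f"t={ts} {target[0]} {target[1]}/{target[2]} {rate:,} pps from {srcs}")
    for rule in mitigation_rules(found):
        print(rule)
```

Keying on destination port rather than on source addresses is the design choice that matters here: with sources spread over many countries and devices, a per-source rate limit never trips, while a per-port rate on the victim does, and the resulting drop rule is cheap enough to apply before packets consume CPU.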
The frequency of DDoS attacks has surged, with a 30% increase in volumetric attacks in the first half of 2024 alone. Hacktivist activities and the use of DNS-over-HTTPS (DoH) for command-and-control (C2) have further complicated detection efforts. The distributed botnet C2 infrastructure challenges defense mechanisms by necessitating the triage and blocking of both inbound and outbound botnet activity.
Akamai's analysis of Common UNIX Printing System (CUPS) vulnerabilities in Linux revealed potential vectors for DDoS attacks with a 600x amplification factor. Approximately 58,000 devices could be exploited for such attacks, with 7,171 hosts having CUPS services exposed over TCP and vulnerable to CVE-2024-47176.
Exploitation in the Wild
While there are no direct reports of exploitation in the wild for CVE-2024-3080, the attack utilized compromised MikroTik devices, DVRs, and web servers to generate high bitrate attacks. The primary objective was to exhaust the target's network bandwidth and CPU cycles, effectively denying service to legitimate users.
APT Groups using this vulnerability
Currently, there is no specific attribution to any Advanced Persistent Threat (APT) groups exploiting CVE-2024-3080. However, the attack's sophistication suggests involvement from well-resourced threat actors capable of orchestrating such large-scale DDoS attacks.
Affected Product Versions
The vulnerability CVE-2024-3080 affects over 157,000 ASUS router models, primarily located in the U.S., Hong Kong, and China. Additionally, compromised MikroTik devices, DVRs, and web servers were utilized in the attack.
Workaround and Mitigation
Organizations are advised to patch and update ASUS routers to mitigate CVE-2024-3080. Removing or firewalling CUPS services is recommended if printing functionality is unnecessary. Enhancing DDoS mitigation capabilities by leveraging cloud-based solutions with sufficient capacity to handle high packet rates and bandwidth utilization is crucial.
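The CUPS recommendation above, remove or firewall the service where printing is not needed, can be turned into a repeatable host check. The script below is an added example and not code from the report or from Akamai: it parses `ss -lunp` output for a listener on UDP/631 (the port cups-browsed uses for printer discovery) that is bound to a non-loopback address, and prints the nftables commands that would block the port from the network while leaving local printing working. The `ss` output in `SAMPLE_SS` is constructed, and the `cups_guard` table and chain names are this example's own choice.

```python
"""Added example, not code from the Rescana report or from Akamai: audit a Linux
host for a CUPS listener reachable from the network and print the firewall
commands that would close it."""

import subprocess
import sys

LOOPBACK = {"127.0.0.1", "[::1]"}


def exposed_cups_listeners(ss_output, port=631):
    """Return the Local Address:Port of every UDP socket on `port` that is bound to
    a non-loopback address.  Column 4 of `ss -lunp` output is the local address."""
    exposed = []
    for line in ss_output.splitlines()[1:]:      # line 0 is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "UNCONN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port) and addr not in LOOPBACK:
            exposed.append(fields[3])
    return exposed


def nft_rules(port=631):
    """nftables commands that drop inbound UDP and TCP to `port` on every
    interface except loopback, so printing to a local cupsd keeps working."""
    return [
        "nft add table inet cups_guard",
        "nft add chain inet cups_guard input "
        "'{ type filter hook input priority 0; policy accept; }'",
        f"nft add rule inet cups_guard input iifname != \"lo\" udp dport {port} drop",
        f"nft add rule inet cups_guard input iifname != \"lo\" tcp dport {port} drop",
    ]


# Constructed sample of `ss -lunp` output: cups-browsed bound to all interfaces,
# chronyd bound to loopback only.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=640,fd=5))
"""

if __name__ == "__main__":
    # `--live` audits this host's real sockets; otherwise the constructed sample is used.
    if "--live" in sys.argv:
        output = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=True).stdout
    else:
        output = SAMPLE_SS
    hits = exposed_cups_listeners(output)
    if hits:
        print("CUPS reachable from the network on:", ", ".join(hits))
        print("If network printer discovery is not needed: systemctl disable --now cups-browsed")
        print("Otherwise restrict it at the host firewall:")
        print("\n".join(nft_rules()))
    else:
        print("no exposed CUPS listener found")
```

Run it with `--live` on a host to audit the real socket table; the rules are printed rather than applied so the script can be used read-only in a fleet-wide inventory before any change is rolled out.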
References
For further reading, please refer to the following sources: The Hacker News article on Cloudflare's mitigation of the 3.8 Tbps DDoS attack (https://thehackernews.com/2024/10/cloudflare-thwarts-largest-ever-38-tbps.html), Censys statistics on affected ASUS routers, and Akamai's analysis of CUPS vulnerabilities and their potential exploitation.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and proactive defense strategies. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.