The Pirate: Caribbean Hunt – FAQ and Guide

The instruction manual of this "IRGE PIRATE: Caribbean Hunt" often questions the gameplay mechanism and the individual of the game. This instructions include gold acquisition, fleet expansion, and almost everything else.

Can I lose a premium ship?

No, if you lose the battle or the premium ship is handed over to AI management, the ship will be generated at the port of Cabo de la Vel.

How do I find the treasure maps, what I can find on treasure island?

The treasure map can be found in the open world. You can find a surviving ship, a sinking ship, abandoned ghost ships, declared treasure chests, and the captain of the captured ship. To find a treasure map and check the location of the treasure island, open the Diet, go to the "Review" section, move to the "Treasure Map" tab, and select "Display on the Map". Hojima can only be found by sailing in the open world. Next, if you get a treasure map, you need to study the peninsula.

The treasure map can be found in the open world. You can find a surviving ship, a sinking ship, abandoned ghost ships, declared treasure chests, and the captain of the captured ship. To find a treasure map and check the location of the treasure island, open the Diet, go to the "Review" section, move to the "Treasure Map" tab, and select "Display on the Map". Hojima can only be found by sailing in the open world. Next, if you get a treasure map, you need to study the peninsula.

The treasure found on the peninsula is random. You can get it

• gold
• drawing
• Map of another treasure island.

Can I capture the pirate ships?

Pirate ships cannot be captured during missions at the port or during a conference with the Allied forces when teleporting from the port to the port, but can be captured while bathing in the open world.

How to locate hidden ports?

The smuggler's hidden port and the premium port (can be purchased cheaply at the premium shop in the total city pack) can be found by swimming in the open world. To discover, we recommend that you swim closer to the Continent, Islands, and Rivers in Brazil.

How to find blueprints and build ships from them?

You can collect the drawings of the ship in the open world and build it on your base. Construction requires 100 % drawing. You can collect rubies, do daily tasks, receive rubies as any time in mult i-user tournaments, or purchase at a premium shop, so you can create crew members who help collect fragments on drawings.

To find the drawing, swim to the coast and see the debris of the ship. When you stop on a broken ship, your team will start searching for drawings.

If you want to build a ship, you need to build a shipyard in your port. (Can be built in the city).

If you have a port, select the "Refer" button from the upper left menu button and the "drawing" button.

Select the ship you want to build and click the "Build SHIP" button.

What is the letter of marque?

The flag can only be listed after purchasing a certificate from the required civilization. To do this, sail to the desired civilization port, open a distribution station, select an empty flag, and buy a charter. The national flag is only available according to the game schedule, and its origin is displayed next to the reputation list civilization.

In the same way, it is possible to change the mary loger, which is actually higher, but in this case it can only be used if the chosen flag sinks the pirate ship and gains the right to raise the flag.

Note: By selecting the "Histing the Flag for All Musts" options, you can raise the flag only once for all masts.

Ship spawning basics

The ship is randomly found in the published world. All possible ships can be unlocked by i n-game currency by purchasing extended cards available at port shops. Premium ships on premium shops and premium tabs in ship books cannot be seen in the published world and cannot be purchased in i n-game currency at the port.

Only a few military ships and private ships can be conquered or purchased in i n-game currency at the port.

How do I find [name of the ship] in the open word?

The boat that appears in the mission, the boat encountered in the published world, the creation of a design drawing, and treasure maps do not depend on the current game world area. That level depends on the number of cards you have. The larger the number of cards, the easier the ship will appear. The best ship is noticeable when you open the coast of Panama. Invention of other habitat does not affect the emergence of ships. When expanding the map, keep in mind that your opponent's complexity will increase.

Map order

• Windoward Islands
• Puerto Rico
• Hispanola
• Bahamas
• Florida
• Cuba
• Panama coast
• Yukatan
• Louisianana
• Mexico coast
• Brazil coast

How to capture the ship?

All ships discovered in the published world can be conquered. In order to conquer a ship, we recommend arrest a certain number of ships so that the smallest crew can swim.

Methods of capture

To conquer the ship by boarding, you need the experience of Corsair Captain. As you approach the appropriate ship, a hook icon is displayed in the field of view, and when you click it, a mini game "Bodying" appears. Click the icon to destroy the crew of the ship.

Another method: Bring a grapshot, shells and bombs, use a normal cartridge to destroy only one side of the hull, then switch to a grapshot to destroy the team.

Sailing tips and recommendations/requirements

To control two or more ships, you need to acquire the captain and the Admiral 1 and 2 skills.

Voyage requires technology and knowledge. To maximize the potential of the ship, we recommend that you completely modernize your ship.

It is also a good idea to use rum to increase the movement speed and damage it.

Also, learn how to use sails. You can turn faster by opening and closing according to the wind or opening and closing against the wind. In addition, using a turn lock arrow near the handle makes it easier to turn.

Navigate the open world using a compass.

Be careful of the direction of the wind and the angle of the ship. This is always useful for turning and speed.

Ship repair tips and requirements

These repairs can only be performed in Battle Sails mode.

Hull repair

To repair a distorted hull, you need the experience of Captain Axman and you must have wood on the ship.

Sail repair

To repair the distorted sails, you need the captain's experience and sail on the boat.

Cannon repair

To repair the damaged gun, you need to own the experience of the captain's "Quarter Master" and a gun on the boat.

Note: These items can be purchased at the port shop.

Repair kits

Again, the repair method is the introduction of the repair kit. These kits can be obtained by watching video clips, playing daily bonus games, exchanging them with skill points, and sometimes acquired as credit when playing in multiplayer tournaments. The kit can be purchased from Premium Shop's deadmans chest, treasure chest, or individual wholesale pack. Currently, weapons are not repaired.

Attacks on ports and ships and introduction of ammunition

Accuracy depends on distance and aiming ability. There is a captain skill to improve these functions.

Mortars

Ammunition is considered necessary for sel f-defense and is important to neutralize the fort when attacking the port. The mortar is very useful for sinking the ship. To use a mortar, you need to equip the ship's upgrade with a mortar and mount a bomb on your ship. In Battle Sails mode, the mortar firing button is only on the mortar selection button. The shooting target can be changed by pressing the button on the shooting button.

Cannon Balls

Standard ammunition is used in single or double charge to damage the hull. Note that the double charge weapon has a short range and the reload time is longer, but the damage is doubled.

Chain Balls

Standard ammunition used to damage a ship's sails is effective in immobilizing it.

Grapeshots

Standard ammunition used to kill a ship's crew is effective in capturing it.

Bombs

Standard ammunition is used as mortar ammunition, but is extremely effective as standard cannon ammunition. Keep in mind that bombs used as cannon ammunition have a short range and a long reload time.

Oil

This is a special ammunition. To use this ammunition you need to have the captain skill "Scorcher". This ammunition is very useful in several ways and is simply fun to use.

Gun Powder

This is also a special ammunition. To use this ammunition you need the captain skill of Trap Master. It is very effective in damaging the hull of a ship. But be careful, it can be a double-edged sword if the enemy shoots you close to the ship while you are dropping it!

Earning gold coins (in-game currency)

• Harbor Attack - Earn 5. 000 Gold Coins.
• Conquer and sell ships and their supplies, including pirate ships, individually in the open world.
• Perform smuggler jobs in ports and on the map.
• Buy cargo cheap and sell it high. They are indicated by red and green icons next to the ports on the map. Be sure to read the port news to find out which cargoes are rare.
• The best way to collect gold is to keep the crew level at a minimum on ships that you do not use regularly. Make sure you have the minimum maintenance staff to prevent your ship from being damaged.
• When traveling in the open world, pay your weekly crew less frequently. When using this method of sailing, pay attention to the time it takes to sail from port to port. If you are sailing long distances, pay a week's crew fee.
• Collect rubies by doing daily quests, getting them as rewards in multiplayer tournaments, or buying them in the premium shop, and if you have not yet created a merchant guild, visit your bases regularly to sell the items you produce in your buildings. Remember that it is easier to have at least one sloop at each base and pay the crew than to go from port to port to recruit crew. Go around each base in this way.
• Construct and upgrade all the available buildings in your base. In the Premium Store, you can purchase a premium pack called Pile O Houses, which will increase the amount of gold you earn.
• You can also earn gold and experience by playing PVE and PVP in multiplayer mode.
• There are many missions available in the port and on the maps, and you can earn gold by completing them.
• Collect treasure maps and find treasures. The treasure increases by 200 coins for each ending.
• Find a hidden gate for smuggling and get 3000 gold coins to keep the place secret.
• Don't forget that you are a pirate, rob, rob, steal!

Reputation

Nation Reputation

If the reputation in each country is good, the price of docking will be cheaper. When trade with this civilization and supplies, the letter that carries it will increase the price of the port, for example, in the open world, the union civilization will support you, but you can help you in the case of an attack. 。 The aggressive attack on the port will reduce your reputation as your pirate in this civilization and will not be able to enter the port. However, don't worry, you can buy Palor and trade with this civilization, so you can restore the lost reputation.

Smuggler Reputation

The higher your reputation among smugglers, the more expanded you will pay for you. If you attack them or bring no cargo, your reputation will decrease. This experience is unlocked by equipping the captain with "smuggling" experience.

Captain Reputation

This spot is very important. The higher your reputation, the more crews you can find in the harbor. The salary to the crew will be cheaper, the cost of hiring will be cheaper, and you will not be rioted against you. The team's resale refusal and the crew's early labor committee lower your reputation, and as a result, they ignore them.

Ferryman Reputation

This place will increase the amount you need to pay for you to transport passengers from the port to the port. It can be obtained by acquiring the experience of the captain "Ferryman".

Base siege

Protect your base and respond to your request. For this, the premium object "Basic Fortress" will definitely be useful. Correspondence is not yet essential, and the base will not be destroyed even if you do not respond.

The Rise of Packet Rate Attacks: When Core Routers Turn Evil

From the beginning of 2023, the number of DDOS attacks has increased rapidly. The fresh orientation was the highest attack on packet transfer speed. In this notebook, we will introduce our team's work results to give a new idea of ​​danger.

Introduction

The distributed attack, which resembles the service refusal (DDO), has been consistent for many years as an effective way to affect the availability of online services. In the past 10 years, a specific number of villains uses all types of vulnerabilities that affect the fishing of malicious software, IoT devices, video monitoring systems, or video monitoring systems on the same home router. It shows how to simply have any opportunity to collect the botnet support zombi e-device troops using the sweep range of the method.

These host botnets were used to carry out DDoS attacks by deploying 10, 000 hacking devices around the world. Attack templates were often similar; trying to achieve a highly probable bitrate (or packet transmission speed) in order to eliminate the target's network capacity, making it elementally possible. It was exactly in 2016 that the Mirai botnet generated more than 1 tbit/s (terabits per second) for the first time. Since then, botnets to some extent have been important for Mirai, reaching 3, 47 tbit/s in 2021. However, attacks of more than 1 tbit/s were very rare. Until recently.

Since the beginning of 2023, we have noticed a significant increase in the volume, frequency, instances and intensity of DDoS attacks. Since November of the same year, Ovhcloud's team has noticed a significant acceleration of the trend, where DDoS reaching more than 1 tbit/s were not considered as such, if they were episodic. Over the last year and a half, we have gone from rare attacks with speeds of over 1tbit/s to weekly and almost daily (weekly average) attacks. The highest data transfer rate we have investigated during this phase was 2. 5 Tbit/s.~The sketch of May 1, 2024: 25, in an attack of 1, 5tbits/s, which is the only gigantic data transfer rate ever recorded on ovhcloud - it was at its peak 2, 5tbits/s.

The sketch of May 1, 2024: 25, in an attack of 1, 5tbits/s, which is the only gigantic data transfer rate ever recorded on ovhcloud - it was at its peak 2, 5tbits/s.

The sketch of May 1, 2024: 25, in an attack of 1, 5tbits/s, which is the only gigantic data transfer rate ever recorded on ovhcloud - it was at its peak 2, 5tbits/s.

The sketch of May 1, 2024: 25, in an attack of 1, 5tbits/s, which is the only gigantic data transfer rate ever recorded on ovhcloud - it was at its peak 2, 5tbits/s.

Although the attack frequency has returned to normal as well, we are seeing a huge number of DDoS attacks with packet sending rates of 100MPP (millions of packets per second) and above.

Typically, the majority of DDoS attacks are based on sending large amounts of garbage data to reduce bandwidth (network-level attacks) or sending large amounts of application requests to use unnecessary microprocessors and memory (application-level attacks). Of course, there are other applicable methods. One of these is attacks based on packets and packet per second transmission rates.

What about packet rate attacks?

The goal of packet transmission rate attacks is not to limit the accessible bandwidth, but to overload the packet processing mechanisms of network devices close to the destination. The general idea is to disable infrastructure in front of the targeted service (load balancers, DDoS security systems, etc.), which can then be used to sidestep larger infrastructures. In simple terms, don't try to find holes in DDoS security systems, destroy them! Attacks against packet transmission rates are very effective because dealing with a large number of small packets is usually more difficult than dealing with fewer but larger packets. This is usually because it is more computationally expensive. For example, if you process packets using software, each packet does not simply mean more bytes, but at least one access to memory (uncounted copies, access to stored data in link tables, etc.). If you are using hardware, packet processing performance does not necessarily depend on packet transmission rate, but processing performance probably depends on other components such as memory (again!). In such a situation, it is more likely that some limit will be reached, either because it is very fast, or because there are simply not enough buffers to store everything, resulting in delays and poor performance. To put the problem in a nutshell: if your main task is to deal with payload, throughput can be a hard limit, but if your main task is to deal with packet headers, packet transfer rate is a hard limit.

For this reason, dealing with small packets is harder than dealing with large packets in most situations. In short, using large packets (1480 bytes) at 10GBT/s DDOS ATA will give you:

0, 85 Mbps:

By comparison, using the smallest packets (84 bytes per wire for Ethernet) at 10 Gbit/s will give you:~14, 88 MPPS:~At the standard MTU of the Internet (1500), you can put 17 times more packets on the wire by generating only the smallest packets than by generating large packets. To get an idea of ​​the computing power required in the fight against DDO, consider a communications channel that can accommodate a communication speed of 100GB/s. A linear speed of 149Mbps: This gives a maximum of 6 nanoseconds to process one packet, or 18 cycles for a single computer transporter running at a clock frequency of 3GHz. In other words, even with dozens of parallel conveyors, there are not many cycles available, especially when memory needs to be accessed.

Incidentally, this is one of the reasons why Ovhcloud builds its own network devices for DDOS infrastructure. We use a combination of FPGAs and user software (DPDK) to create the devices in a finished piece of equipment. Each network device used to counter DDoS attacks is developed, deployed and supported by us (like our other DDoS security systems, by the way!). Such an optimized approach allows us to fine-tune expectations and performance constraints and ensure device compliance.~DDoS attacks based on high packet forwarding rates are not new, and networks around the world have faced them at least once. For example, the best known high packet transmission rate attack was recorded by Akamai in 2020, which reached 809 MPP. But despite this number, the vast majority of packet transmission rate attacks never exceed 100 MPP. This is probably due to the fact that generating a large number of small packets is more difficult than large packets (it requires more computing resources and is similar to processing) and is harder to hide from network monitoring systems and protection from unauthorized access.

Attacks against packet transmission rates started to get serious attention from Ovhcloud two years ago.

The rise of (big) packet rate attacks

Average 700mpps

4 hours~Figure 2: At the time, this particular attack highlighted a significant improvement in the botnet's ability to generate ridiculous rates of packet transmission and sustain this rate for extended periods of time.~Figure 2: At the time, this particular attack highlighted a significant improvement in the botnet's ability to generate ridiculous rates of packet transmission with the ability to sustain this rate for extended periods of time.

Figure 2: At the time, this particular attack highlighted a significant improvement in the botnet's ability to generate ridiculous rates of packet transmission with the ability to sustain this rate for extended periods of time.

Figure 2: At the time, this particular attack highlighted a significant improvement in the botnet's ability to generate ridiculous rates of packet transmission with the ability to sustain this rate for extended periods of time.

Figure 2: At the time, this particular attack highlighted a significant improvement in the botnet's ability to generate ridiculous rates of packet transmission with the ability to sustain this rate for extended periods of time.

Sketch 3: Record of DDOS ATAKA that was prevented by OVHCLOD and reached 840 MPP~Sketch 3: DDOS ATAKA recorded by OVHCLOD and reached 840Mpp

99%of this attack is TCP ACK, about 5. In fact, 1%of surviving is an attack that reflects DNS, 15.

99%of this attack is TCP ACK, about 5. In fact, 1%of surviving is an attack that reflects DNS, 15. 99%of this attack is TCP ACK, about 5. In fact, 1%of surviving is an attack that reflects DNS, 15.

As a result, we needed to delve into this topic, as the number of maximum packet transfer speed attacks increased significantly. OVHCLOD, a larg e-scale clou d-based ISP, shows a large number of DDOS attacks every day, and in fact we have a special perspective on this topic. We understand how these attacks and where they come from, and from such a highly potential family of firefighters to our infrastructure and the best defense of buyers. Basically, I wanted to certify what we could arrange.~In the process of an analysis campaign to dissect 100 attacks with a packet rate of 100 to 500MPP, we have almost all attacks from the rationality that is not rational to send a large ratio of communal traffic. I noticed that it was done. We decided to create a list of general IP addresses that can generate at least 1 MPP and investigate in more detail.

We analyzed the best 70 IP addresses that provide IPs with packet forwarding rates of up to 14, 8 Mbit/s. These IP addresses belong mainly to Asian Autonomous Systems (AS), but also represent Europe, the Middle East, North America, and South America. These IPs seem to belong mainly to enterprise and cloud formation providers.

Figure 4: Distribution by location of AS 70 IP addresses that issued the most packets.

Unveiling evil core routers

To understand the devices that participated in these DDos, we used Onyph to determine whether these IP addresses were known. Most of these IP addresses are certainly known to be Mikrotik routers, and have messages on the Internet (at least one configuration web page).

Currently, we have a theory that this traffic may be generated by servers behind NAT-configured routers using fake IPs or strange TCP developments. However, we quickly dismissed these hypotheses, as it is unlikely that so many Mikrotik routers would be identified, since Mikrotik's market share is not proportionally large. Furthermore, the exposure of the management interface reflects a poor management method. This increases the attack surface of the device, potentially leading to an attacker's compromise. Additionally, Mikrotik's operating system, Routeros, has been plagued by several critical CVEs in recent years. Even if patches were released, these devices may not have been fixed until now.

Most devices have an open HTTP interface, so it is possible to fix the routeros version on these devices. Half of them use routeros versions up to 6. 49. 8 (released on May 23, 2023), and the other half - are under control of later versions. Routeros 6. 49. 14 (released on April 4, 2024) was identified.

Figure 5: Example of Mikrotik device participation in a high packet transmission rate attack identified by the OVHCLOD command.

Figure 5: Example of Mikrotik device participation in a high packet transmission rate attack identified by the OVHCLOD command.

Figure 5: Examples of Mikrotik devices participating in high packet forwarding rate attacks identified by the OVHCLOD team.

We were surprised to discover that devices with up-to-date firmware could potentially be compromised. To our knowledge, no vulnerabilities affecting Routeros versions 6. 49. 14 or later have been publicly disclosed. No vulnerabilities affecting versions 14 or later have been publicly disclosed. A possible explanation is that these devices were patched after being hacked.

We were surprised to discover that devices with up-to-date firmware could potentially be compromised. To our knowledge, no vulnerabilities affecting Routeros versions 6. 49. 14 or later have been publicly disclosed. No vulnerabilities affecting versions 14 or later have been publicly disclosed. A possible explanation is that these devices were patched after being hacked.

We were surprised to discover that devices with up-to-date firmware could potentially be compromised. To our knowledge, no vulnerabilities affecting Routeros versions 6. 49. 14 or later have been publicly disclosed. No vulnerabilities affecting versions 14 or later have been publicly disclosed. A possible explanation is that these devices were patched after being hacked.

Sketch 6: Identification of equipment for routers for cloud network core

Sketch 6: Specified crowdco alter

99,382 devices available on the Internet

Sketch 6: Identification of crowdco alter

The result was decoded in the Mikrotik CCR series, Cloud Core Router. In SNMP, CCR1036-8G-2S+and CCR1072-1G-8S+were returned a certain amount.

The result was decoded in the Mikrotik CCR series, Cloud Core Router. In SNMP, CCR1036-8G-2S+and CCR1072-1G-8S+were returned a certain amount. The result was decoded in the Mikrotik CCR series, Cloud Core Router. In SNMP, CCR1036-8G-2S+and CCR1072-1G-8S+were returned a certain amount.

Sketch 7: According to Onyphe, removal of devices held online.

Sketch 7: According to Onyphe, the device model of the device opened online.

In fact, both models of devices that participated in the packet rate attacks observed by COMMANDS-CCR1036-8G-2S+and CCR1072-1G-8S+did not suggest that 40. 000 devices were accessed online. I'm resentful. The CCR1036-8G-2S+is the most frequently encountered online 30. 976 instances, and CR1072-1G-8S+accounts for the fourth space in the identified devic e-9, 353-option. It is unknown which vulnerabilities have been used to violate these device models so far, so it is not known whether all CCR models will be infringed. Last but not least, online delay panels are still a big risk for device protection.

In fact, both models of devices that participated in the packet rate attacks observed by COMMANDS-CCR1036-8G-2S+and CCR1072-1G-8S+did not suggest that 40. 000 devices were accessed online. I'm resentful. The CCR1036-8G-2S+is the most frequently encountered online 30. 976 instances, and CR1072-1G-8S+accounts for the fourth space in the identified devic e-9, 353-option. It is unknown which vulnerabilities have been used to violate these device models so far, so it is not known whether all CCR models will be infringed. Last but not least, online delay panels are still a big risk for device protection. In fact, both models of devices that participated in the packet rate attacks observed by COMMANDS-CCR1036-8G-2S+and CCR1072-1G-8S+did not suggest that 40. 000 devices were accessed online. I'm resentful. The CCR1036-8G-2S+is the most frequently encountered online 30. 976 instances, and CR1072-1G-8S+accounts for the fourth space in the identified devic e-9, 353-option. It is unknown which vulnerabilities have been used to violate these device models so far, so it is not known whether all CCR models will be infringed. Last but not least, online delay panels are still a big risk for device protection.

Figure 8:2023 DDOS ATAK level 7 using Mikrotik devices recorded in November.

Even more evil models?

Figure 8:2023 DDOS ATAK level 7 using Mikrotik devices recorded in November.

In order to understand which router was involved, we collected 3, 000 IP addresses that participated in the attack. In the previous survey, about 700 IP addresses were identified as Mikrotik routers and opened the TCP/8291 port. However, at that time, we had not confirmed which device was involved.

In order to understand which router was involved, we collected 3, 000 IP addresses that participated in the attack. In the previous survey, about 700 IP addresses were identified as Mikrotik routers and opened the TCP/8291 port. However, at that time, we had not confirmed which device was involved. In order to understand which router was involved, we collected 3, 000 IP addresses that participated in the attack. In the previous survey, about 700 IP addresses were identified as Mikrotik routers and opened the TCP/8291 port. However, at that time, we had not confirmed which device was involved.

Figure 9: Identification of models by repeated participation of cloud coach.

Figure 9: identification of device models related to the Cloud Core Router router.

Figure 9: identification of device models that r e-invaded the Cloud Core Router router.

Figure 10: Distribution of CCR models participating in the fixed attack L7.

Figure 10: Distribution of CCR models participating in the fixed attack L7. Figure 10: Distribution of CCR models participating in the fixed attack L7. In order to impress the potential power of the botnet using such a device, we have decided to focus on wel l-confirmed bartrate attacks.

Roughly checking the confirmed device's ability, you can see that up to 28 Gbps (CCR1036-8G-2S+) or up to 80 Gbps (CCR1072-1G-8S+) can be processed. Regarding the packet rate, an almost theoretical packet rate is treated based on the bandwidth processing capacity. The following settings are possible as a precautions for the reader.

Up to 1, 5Mbps with 1Gbps channel. Depending on the ability of the device that processes the packet instead of simply forwarding the packet (this is usually performed by a CPU instead of ASIC), the number of packets per second that can be generated differs greatly, and the device can be generated. It may be much less than the number of packets per second. Furthermore, using the hardware of the infringed device to generate traffic is not a trivial matter. In most cases, the attacker tries to exploit only the slightly deviated embedded function from the CPU function or intended purpose.

Let’s do some math

This discussion assumes that network devices can process packets with 10%of their maximum capacity, and lead:

CCR1036-8G-2S+ should be able to generate 4 MPPS each.~CCR1072-1G-8S+should be able to generate 12Mbps respectively.

These estimated values ​​are considerably accurate compared to the selected model, but compared to the actual covered packet transfer tracks. For example, in the case of CCR1036-8G-2S+device, it is not difficult to generate 4 MPPS or more in 36 cores of 1, 2 GHz.

• Currently, anyone can use these devices to build a simple model of botnet. Assuming that 1 % of the device (any conservative value) of the device is jailbreaked, and focus on the first two models that we have identified as jail break, it will be as follows:
• Each is 300X CCR1036-8G-2S+ / 4 MPPS.

90x CCR1072-1G-8S+ / 12 Mpps each

Theoretically, such a botnet could generate 288 billion packets per second (or Gpps).

• ~We do not have enough data to make any substantial hypotheses regarding requests per second in L7 attacks. All we can say is that these devices are quite capable of performing L7 attacks or high packet rate attacks. Any attempt to estimate the potential capabilities of L7 is left to the reader's discretion.
• ~The evidence presented in this article points to an emerging trend: the use of compromised network core devices to perform powerful attacks. Even though MikroTik devices have already been used in DDoS attacks, there is still no evidence that these botnets relied on network core devices.

Any high-end server would be quite capable of generating packets of this size, but may be limited by the amount of bandwidth available in practice. Core devices are less affected by this statement due to their placement within the network. Core devices are usually connected to even larger devices via high-performance network connections. In addition, safeguards that network administrators use to detect anomalous behavior on their networks (such as servers launching DDoS attacks) can also be bypassed in this case, since routers are generally not susceptible to such countermeasures.

Depending on the number of compromised devices and their actual capabilities, this could open up a new era of packet attacks. Botnets could potentially deliver billions of packets per second, which could have a major impact on how we build and scale our DDoS defense infrastructure. We will no doubt take this emerging threat into account when considering how we build and scale our own DDoS defense infrastructure to ensure we remain immune to potential impacts.

Conclusion

In conclusion, the security of network devices is now an urgent issue. Since January 1, 2024, more than 10 critical CVEs have been released, affecting network devices from multiple manufacturers (Ivanti, Cisco, Fortinet, Palo Alto, etc.). Some of these were exploited before the CVEs were made public. However, this is the first time that core network devices have participated in a coordinated DDoS attack. This is of concern as the device identified in this case is designed for small to medium sized network cores and more powerful hardware is now available.

In conclusion, we have contacted MikroTik through various communication channels and informed them of the situation. MikroTik contacted us on 04-07-2024 and are currently investigating the possible causes.

We are also currently contacting various ASs and informing them of this issue.