Carpet-Bombing DDoS Attacks: The Evolving Threat to Networks

Carpet-bombing DDoS attacks are a growing concern for network operators. Their ability to circumvent traditional defenses and cause widespread disruption has led to a new age of attack methodologies. This strategy, first observed by NETSCOUT ASERT in 2016, has quickly become a formidable tool in the arsenal of cyber adversaries. Unlike conventional attacks that target individual IP addresses, Carpet-Bombing DDoS attacks inundate entire CIDR blocks, cloaking their malicious intent in a veil of complexity and making detection and mitigation a difficult task for defenders.

Carpet-bombing DDoS attacks, also known as Spread Spectrum or Subnet DDoS attacks, exploit the very fabric of the internet’s infrastructure to sow chaos. By dispersing attack traffic across broader subnets or supernets, attackers not only evade traditional detection systems that rely on packets-per-second (pps) and/or bits-per-second (bps) thresholds but also obscure the true target of their assault. This subterfuge is further compounded by the use of well-known reflection/amplification vectors such as DNS, NTP, and TCP reflection/amplification, making these attacks not just insidious but also remarkably potent.

Image: Netscout

The malevolence of Carpet-bombing attacks lies in their execution. Traditional DDoS assaults hammer away at a singular IP address with the mightiest onslaught they can muster, a tactic that, while effective, has become easier to detect and counter. Carpet-bombing, however, employs a divide-and-conquer strategy, distributing a massive attack, say 100 Gbps, across 1,000 hosts. This results in a deceptive trickle of 12.5 Mbps of traffic to each host, skirting detection thresholds yet still inundating the network with the same total volume of traffic. While not every host may be directly affected, the collective impact can cripple entire netblocks, causing widespread degradation or outages.

Interestingly, the majority of Carpet-bombing attacks are ephemeral, with 90% lasting no more than a minute. This brevity is likely a bid to stay under the radar, coupled with the economics of DDoS-for-hire services that favor short, sharp shocks over prolonged sieges. Yet, the duration of these attacks can vary widely, with some persisting for up to 24 hours, underscoring the diverse tactics at the disposal of today’s cyber marauders.
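The two points above (per-host dilution of a large attack, and bursts that mostly last under a minute) are what a defender's aggregation logic has to account for. The following is an added example written for this article, not NETSCOUT's or any vendor's detection code. It builds constructed flow records modelling the scenario above (100 Gbps spread evenly over 1,000 hosts; note that this is 100 Mb/s, i.e. 12.5 MB/s, per host, so the example reports both units), then shows that a per-destination-IP rate threshold sees nothing while summing the same traffic per /24 netblock crosses a per-prefix threshold, and that a 60-second averaging window halves the apparent rate of a 30-second burst compared with a 10-second window. The address range (10.20.0.0/22), thresholds, attack length and window sizes are all assumptions chosen for the demonstration.

```python
"""Per-host versus per-prefix thresholding over constructed flow records.

Added example for this article, not NETSCOUT's or any vendor's detection
logic. Addresses (10.20.0.0/22), thresholds, the 30-second attack length
and the window sizes are assumptions chosen for the demo.
"""
from collections import defaultdict
from functools import lru_cache
from ipaddress import ip_network

GBPS = 1_000_000_000
MBPS = 1_000_000


def per_host_share(total_bps, hosts):
    """Split an aggregate rate evenly; returns (bits/s, bytes/s) per host."""
    bits = total_bps / hosts
    return bits, bits / 8


def build_carpet_bomb_flows(total_bps, hosts, duration_s, base="10.20.0.0/22"):
    """Constructed flow records (timestamp, dst_ip, bytes): one record per
    host per second for an attack starting at t=0 and spread evenly."""
    net = ip_network(base)
    bytes_per_host_per_s = int(total_bps / hosts / 8)
    return [(ts, str(net[i]), bytes_per_host_per_s)
            for ts in range(duration_s) for i in range(hosts)]


def host_key(dst_ip):
    """Aggregation key used by classic per-host detection."""
    return dst_ip


def prefix_key(prefix_len):
    """Aggregation key that folds a destination into its covering netblock."""
    @lru_cache(maxsize=None)
    def key(dst_ip):
        return str(ip_network(f"{dst_ip}/{prefix_len}", strict=False))
    return key


def peak_rates(flows, key_fn, window_s):
    """Sum bytes per (time window, key) and return each key's peak bits/s.
    A window longer than the burst averages the burst down."""
    buckets = defaultdict(int)
    for ts, dst_ip, nbytes in flows:
        buckets[(ts // window_s, key_fn(dst_ip))] += nbytes
    peak = defaultdict(float)
    for (_, key), nbytes in buckets.items():
        peak[key] = max(peak[key], nbytes * 8 / window_s)
    return dict(peak)


def flag_over(rates, threshold_bps):
    """Keys whose peak rate exceeds the threshold, sorted for stable output."""
    return sorted(k for k, v in rates.items() if v > threshold_bps)


def detect(flows, window_s=10, host_threshold=1 * GBPS, prefix_threshold=5 * GBPS):
    """Run both views over the same flows; returns (host_hits, prefix_hits)."""
    host_hits = flag_over(peak_rates(flows, host_key, window_s), host_threshold)
    prefix_hits = flag_over(peak_rates(flows, prefix_key(24), window_s), prefix_threshold)
    return host_hits, prefix_hits


if __name__ == "__main__":
    bits, byts = per_host_share(100 * GBPS, 1000)
    print(f"per host: {bits / MBPS:.1f} Mb/s = {byts / MBPS:.1f} MB/s")
    flows = build_carpet_bomb_flows(100 * GBPS, 1000, duration_s=30)
    hosts, prefixes = detect(flows)
    print("per-host alarms:", hosts)        # empty: every host stays under 1 Gbps
    print("per-/24 alarms: ", prefixes)     # all four /24s exceed 5 Gbps
    for w in (10, 60):
        r = peak_rates(flows, prefix_key(24), w)["10.20.0.0/24"]
        print(f"window {w:>2}s: 10.20.0.0/24 peak {r / GBPS:.1f} Gbps")
```

The design point is that the aggregation key, not the threshold value, is what decides whether the attack is visible: the same records and the same arithmetic produce no per-host alarm and four per-prefix alarms. The window comparison shows why short bursts call for short windows, since a burst averaged over a window twice its length reports half its true rate.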

According to data from NETSCOUT’s reflection/amplification honeypots, an average of 6,000 Carpet-Bombing DDoS attacks are observed daily, translating to over 400,000 attacks since July 2023.

Carpet-bombing DDoS attacks are a global scourge, impacting countries worldwide with varying intensity. In recent times, the United States, Brazil, Hong Kong, and China have borne the brunt of these assaults.

Carpet-bombing DDoS attacks pose a significant risk demanding a multi-pronged and adaptive defense strategy. By understanding the attack methodology, staying informed about emerging trends, and implementing the latest mitigation best practices, organizations can mitigate the impact of these complex attacks and enhance their overall cybersecurity resilience.