Understanding the Anatomy of Rapidly-Increasing Carpet Bombing DDoS Attacks

How they work, why they can be so devastating and how to better identify and automatically mitigate these attacks to minimize their impact

Gary Sockrider, Director of Security Solutions

August 10, 2023


As a DDoS attack method, Carpet Bombing is not new, having existed for the better part of a decade. One of the more infamous attacks, in 2019, targeted networks from France to South Africa. Unfortunately, Carpet Bombing has only grown since then. Often, these attacks are given only a passing mention in the overall scheme of DDoS attack methodologies. One of the primary reasons is that many security solutions are not equipped to deal with the sheer onslaught of such an attack.

Carpet Bombing attacks can impact tens of thousands of IP addresses. Most DDoS defenses protect specific assets, such as critical infrastructure and servers. However, Carpet Bombing takes a far more scattershot approach, which can potentially cause major business disruptions after attackers carry out their nefarious operations. 

This article will explore how Carpet Bombing attacks work, why they can be so devastating, and how to better identify and automatically mitigate these attacks, managing them with robust tools to minimize the impact across networks.

How Carpet Bombing Attacks Work

With Carpet Bombing, attackers target a range of addresses or subnets, which can contain hundreds or even thousands of destination IP addresses. These attacks can wreak havoc so quickly because they are difficult to detect. In addition, a Carpet Bombing attack can cause enormous amounts of collateral damage because many of the targeted addresses are neither monitored nor protected. The unfortunate and inconvenient truth is that, with tactics like this, bad actors continue raising the bar for defenders in terms of accurately detecting and mitigating DDoS attacks.

Carpet bombing attacks are difficult for defenders to manage for multiple reasons. First, because a range of addresses is targeted, there is often a smaller amount of traffic per target host. Some detection mechanisms therefore do not fire, because the amount of traffic reaching each individual target is typically below the thresholds that trigger mitigation. When detection measures fail, an attacker's job unfortunately becomes much simpler. Second, the systems that initiate a mitigation per target address can run out of resources if thousands of addresses are targeted. Third, diverting traffic for large numbers of hosts can mean that very large volumes of both attack and clean traffic are delivered to mitigation infrastructure, which could overwhelm it. Lastly, legitimate internet infrastructure, from one or more businesses or networks, is used to reflect traffic toward the target of the carpet-bombing attack.

This technique, known as reflection-amplification, uses poorly secured or configured Internet infrastructure to amplify and obfuscate the true source of a DDoS attack. Taken together, these factors make it even more challenging for security teams to defend against DDoS when faced with a carpet bombing attack, which means that new solutions are paramount to remediating these evolving threats.

Stopping Carpet Bombing Attacks in Their Tracks

As resource constraints continue to impact network operators, scalable, end-to-end, automated analytics workflows and protections have never been more valuable. Currently, there are solutions with multiple detection and visibility mechanisms that can identify carpet-bombing attacks, ensuring customers are protected. Some of these solutions can identify attacks in as little as one second using fast-flood detection, and can automatically mitigate these attacks by identifying the IP ranges that are under attack.
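The per-host threshold problem described above, and the range-level detection that addresses it, as an added example (not from the original article and not any vendor's implementation). The thresholds, the /24 aggregation size, the function names and the sample flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed thresholds in bits per second (assumptions, not vendor defaults).
HOST_BPS = 100_000_000      # per-destination-IP alert level
PREFIX_BPS = 1_000_000_000  # aggregate alert level for one prefix
MIN_HOSTS = 64              # distinct targets needed to call it carpet bombing

def detect(flows, prefix_len=24):
    """flows: (dst_ipv4, bits_per_second) records from one sampling interval.
    Returns (host_alerts, prefix_alerts) as sorted lists of strings."""
    per_host = defaultdict(int)
    for dst, bps in flows:
        per_host[ipaddress.ip_address(dst)] += bps

    # Roll every destination up into its covering prefix: [total_bps, hosts_hit].
    per_prefix = defaultdict(lambda: [0, 0])
    for host, bps in per_host.items():
        net = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        per_prefix[net][0] += bps
        per_prefix[net][1] += 1

    host_alerts = sorted(str(h) for h, bps in per_host.items() if bps >= HOST_BPS)
    prefix_alerts = sorted(
        str(net) for net, (bps, hosts) in per_prefix.items()
        if bps >= PREFIX_BPS and hosts >= MIN_HOSTS
    )
    return host_alerts, prefix_alerts

def sample_flows():
    """Constructed traffic using documentation address ranges."""
    flows = []
    for i in range(1, 255):   # carpet bombing: 254 hosts x 8 Mbps, two flows each
        flows += [(f"198.51.100.{i}", 4_000_000)] * 2
    for i in range(1, 21):    # ordinary background traffic, 2 Mbps per host
        flows.append((f"192.0.2.{i}", 2_000_000))
    flows.append(("203.0.113.10", 400_000_000))  # classic single-target flood
    return flows

if __name__ == "__main__":
    hosts, prefixes = detect(sample_flows())
    print("per-host alerts:  ", hosts)     # only the single-target flood
    print("per-prefix alerts:", prefixes)  # the carpet-bombed /24
```

The roughly 2 Gbps aimed at 198.51.100.0/24 never trips the per-host check because each address sees only 8 Mbps, while the prefix roll-up flags the whole range. Acting on the flagged prefix as one object also avoids starting a separate mitigation for each of the 254 addresses.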

Additionally, scrutinizing large traffic volumes over time, contextualizing and refining data, and quickly acting on anomalies that threaten network availability has never been more necessary for defenders. Attack traffic volumes continue changing, and it is vital to ensure that network infrastructure isn’t overloaded. With modern adaptive DDoS defenses, security teams can automate mitigation that scales to hundreds of millions of packets per second.

Although carpet-bombing and reflection-amplification attacks are complex and difficult to manage, with new detection and visibility measures, IT departments can more easily manage these rapidly shifting threats to minimize damage across networks and outsmart attackers who have typically been able to evade traditional means of DDoS threat mitigation.

About the Author(s)

Gary Sockrider

Director of Security Solutions, NETSCOUT

Gary Sockrider is an industry veteran bringing more than 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Gary seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges they present. Before joining Netscout in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.
