How Carpet Bomb Attacks Are Overloading DDoS Defenses

This blog is the final installment in a three-part series on the rise of carpet bomb DDoS attacks.

A new type of DDoS attack is rising to the surface, leaving a trail of overwhelmed defenses and disrupted networks in its wake. Rather than fixating on a single point of vulnerability, this attack vector disperses itself across a multitude of targets within each victim’s network. It’s what’s known as a carpet bomb DDoS attack, and it’s growing rapidly.

Unlike other DDoS attacks, a carpet bomb attack seeks to expand its target beyond the traditional single IP address of the victim, to a broader range of IP addresses that share the same network provider or data center as the victim. It’s a complex threat, and, as the Corero research team reveals in our 2023 DDoS Threat Intelligence Report, it had grown 300% over the course of 2022.

In our previous posts, we’ve discussed how carpet bomb attacks evade detection and neutralize mitigation techniques. Today, we’re diving into their third effect: overloading various elements of traditional DDoS mitigation solutions.

Carpet bomb DDoS attacks: the basics

First, let’s define the problem.

Carpet bomb DDoS attacks are a distinct category of distributed denial-of-service attacks that target multiple destinations rather than concentrating on a single, identifiable target. Unlike traditional DDoS methods, which focus on overwhelming a specific IP address, carpet bomb attacks distribute lower volume packet floods across multiple destination IP addresses. The IP addresses are carefully chosen to target the victim’s network and compound the impact of these smaller attacks.

The result? A significant volumetric assault that disrupts network infrastructure and leads to service unavailability.

The DDoS carpet bomb triple threat

Carpet bomb attacks can be challenging to defend against due to their distinctive characteristics. They pose a triple threat to their victims, complicating standard per-target-oriented detection, mitigation, and alert techniques.

First, carpet bomb attacks evade detection by flying under the radar of legacy monitoring solutions. By fragmenting their malicious traffic across a wide range of IP addresses, attackers can avoid triggering traditional detection mechanisms, making it difficult to identify and isolate the attack sources.

Second, carpet bomb attacks neutralize mitigation solutions that rely upon black hole or null route methods. These techniques, typically employed as a last resort in DDoS mitigation, involve diverting traffic to a black hole or a null route to prevent it from reaching the target. With carpet bomb attacks, these strategies are ineffective, since it’s impossible to determine which IP addresses to block without shutting down the entire network.

Lastly, carpet bomb attacks overload various systems, including scrubbing lanes, cloud infrastructure, and security monitoring tools. We’ll cover this threat in detail below.

How DDoS carpet bombing overloads protection systems

Carpet bomb attacks can overload a wide variety of DDoS defense systems, including on-demand scrubbing services and security monitoring tools. By launching simultaneous attacks against a large number of targets for each victim, attackers are able to overwhelm the resources of mitigation systems. These attacks strain scrubbing lanes’ capacity to process and filter out malicious traffic, exhaust cloud redirection budgets, and create confusion within alerting and reporting systems, preventing them from detecting and responding to attacks effectively.

When we think about the technique behind a carpet bomb attack, it’s easy to see how systems can become overloaded. Instead of having to process the legitimate traffic of a single victim IP, DDoS systems must simultaneously process and protect the legitimate traffic of hundreds or even thousands of IP addresses. This potential thousand-fold increase in the level of required context tracking can quickly cause the wash-out of legacy DDoS solutions.

Beyond that, DDoS systems that have been designed to redirect IP addresses to on-network scrubbing centers or cloud mitigation solutions are easily overwhelmed by carpet bomb attacks. If the attack is hitting the entire address space of a provider, these mitigation solutions will typically be overloaded, since they can’t be economically scaled for this level of traffic redirection.

Finally, many DDoS protection solutions are oriented to single-IP attacks. If they even detect the attack in the first place, they end up interpreting DDoS carpet bombs as hundreds or thousands of individual attacks, leading to floods of reporting, crowded dashboards, confused summaries, alert storms, and general chaos.
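
The effect described here and under the first threat above, as an added example (not Corero's code or detection method): a per-destination threshold either misses traffic spread across a prefix or fires once per address, while aggregating by prefix yields a single incident. The thresholds, the /24 grouping, and the function name analyze are assumptions, and the traffic is constructed.

```python
import ipaddress
from collections import defaultdict

def analyze(flows, per_ip_pps=10_000, prefix_pps=200_000, min_dests=64, prefix_len=24):
    """flows: (dst_ip, pps) pairs for one interval. All thresholds are assumed values.

    Returns (per_ip_alerts, prefix_incidents).
    """
    per_ip = defaultdict(int)
    for dst, pps in flows:
        per_ip[dst] += pps

    # Classic per-target detection: one alert for every destination over the limit.
    per_ip_alerts = sorted(ip for ip, pps in per_ip.items() if pps >= per_ip_pps)

    # Aggregate view: total rate and number of distinct destinations per prefix.
    agg = defaultdict(lambda: [0, 0])  # prefix -> [pps, destinations]
    for dst, pps in per_ip.items():
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        agg[net][0] += pps
        agg[net][1] += 1

    # One incident per prefix when the load is both high and widely spread.
    incidents = [
        {"prefix": str(net), "pps": pps, "destinations": n}
        for net, (pps, n) in agg.items()
        if pps >= prefix_pps and n >= min_dests
    ]
    return per_ip_alerts, incidents

# Constructed sample data (RFC 5737 documentation addresses, not real traffic).
BASELINE = [("198.51.100.10", 1_000)]
CARPET = BASELINE + [(f"203.0.113.{h}", 2_000) for h in range(1, 255)]
SINGLE_TARGET = BASELINE + [("198.51.100.20", 400_000)]

if __name__ == "__main__":
    for name, flows in (("carpet", CARPET), ("single target", SINGLE_TARGET)):
        alerts, incidents = analyze(flows)
        print(f"{name}: {len(alerts)} per-IP alerts, incidents={incidents}")
    # Lowering the per-IP limit to catch the carpet bomb produces an alert storm.
    alerts, _ = analyze(CARPET, per_ip_pps=1_500)
    print(f"per-IP limit 1500 pps: {len(alerts)} separate alerts")
```

The distinct-destination count is what separates a spread attack from a single-target flood, which still belongs to the per-IP path.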

What can we do about DDoS carpet bombing?

To effectively combat carpet bomb DDoS attacks, organizations need a robust security strategy that won’t be easily overloaded. Legacy detect-and-redirect solutions are quickly overwhelmed by carpet bombing and don’t offer sufficient protection. Instead, companies should opt for an always-on DDoS mitigation solution or service that recognizes carpet bomb attacks and delivers a fast and accurate response.
