The New Kind of DDoS Attack That’s Neutralizing Mitigation


This blog is the second installment in a three-part series on the rise of carpet bomb DDoS attacks.

In the ever-evolving world of cyberthreats, distributed denial of service (DDoS) attacks continue to be a major concern for businesses and service providers. They crash servers, make websites unavailable to customers, and even serve as a smokescreen for other malicious activities and attacks.

Among the various types of DDoS attacks, the DDoS carpet bomb attack (also known as a spread spectrum or a spray attack) has recently emerged as a major threat. Our 2023 DDoS Threat Intelligence Report shows that this technique is increasing at alarming rates, with no sign of slowing down.

In our recent blog post, we covered the first element of the carpet bomb triple threat: evading detection. Today, we dive into the second part: neutralizing mitigation. We’ll explore the rise in attacks, their impact, and the difficulties they pose for traditional mitigation techniques.

The rise of carpet bomb attacks

While carpet bomb DDoS attacks were relatively rare in 2020 and 2021, the Corero Threat Intelligence team witnessed a significant surge in 2022. These attacks, also known as spread-spectrum or spray attacks, distribute traffic across a multitude of targets within the victim’s network instead of focusing on a single identifiable target. This approach challenges conventional per-target detection, mitigation, and alerting techniques.

Understanding the triple threat

Carpet bomb attacks pose a triple threat to their victims, making them particularly difficult to defend against.

Evading detection: Carpet bomb attacks can fly under the radar of per-destination IP traffic analysis techniques or thresholds, making them difficult to detect and isolate. Attackers strategically avoid detection by dispersing their malicious traffic across a wide range of IP addresses.

Neutralizing traditional mitigation techniques: These attacks invalidate the practical use of blackhole or null route techniques, which are commonly employed as a last resort in DDoS mitigation. We’ll explain more about how this works below.

Overloading systems: By launching simultaneous attacks targeting large numbers of IP addresses, attackers create a chaotic environment. This overwhelms the resources of traditional DDoS mitigation systems, cloud-based mitigation services, and security monitoring tools. These carpet bomb attacks can overload scrubbing lanes, strain cloud redirection budgets, and confuse alerting and reporting systems.

What is null routing, and how does it mitigate DDoS attacks?

Traditionally, null routing or blackholing has been the go-to mitigation technique for DDoS attacks when all other options are exhausted. This technique is still widely used today by many providers or businesses to provide a basic defense against DDoS, or when they have no other options at their disposal.

Null routing involves redirecting traffic to a route-to-nowhere, effectively sacrificing all of the victim’s traffic — both malicious and legitimate — to protect the rest of the network. All traffic sent to the null route is dropped and never reaches its intended destination.

This technique does prevent collateral damage to the rest of the network and customer base, but it effectively completes the denial of service of the victim by also sending all their legitimate traffic to the blackhole.

How do carpet bomb attacks neutralize traditional mitigation tools?

Carpet bomb attacks negate the null route mitigation tool by targeting multiple IP addresses and making it impossible to identify a single victim IP address. These events create many proxy victims spread across the attacked IP space, with attackers researching all the IP addresses associated with the victim network to inflict damage with maximum chance of success.

If the service provider tries to blackhole all of the IP addresses under fire in a carpet bomb attack, they will end up sacrificing legitimate traffic not just to a single customer but to all customers within the targeted IP space.

The result? Service providers can no longer sacrifice a single victim’s traffic without disrupting the entire network infrastructure and effectively taking themselves offline.

Defending against DDoS carpet bomb attacks

To effectively defend against carpet bomb attacks, organizations and service providers must adopt strong DDoS protection technology and solutions. Here are a few recommendations:

Anomaly-based detection: Implement systems that use advanced anomaly detection to identify DDoS traffic patterns, such as carpet bomb attacks. Modern solutions that analyze traffic holistically, going beyond traditional approaches such as threshold-based monitoring, help detect anomalies in more complex DDoS attacks.

Behavioral analysis: Solutions which include behavioral analysis techniques are much better positioned to identify malicious traffic patterns and accurately differentiate them from legitimate user traffic. By understanding the behavior compared to normal users and systems, security teams can more effectively identify, understand, and block malicious traffic.

Always-on protection: The ideal DDoS solution needs to work quickly, with low impact and low latency. It must provide always-on protection suited to a wide range of DDoS attack vectors, with awareness across entire IP address ranges, not just per-IP.
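
To make the "entire IP address ranges, not just per-IP" point concrete, the following added example (not Corero's code or product logic) runs a per-destination threshold check and a per-prefix baseline check over the same flow summary. The thresholds, the /24 aggregation size, the baselines, and the documentation-range addresses are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

PER_IP_THRESHOLD_MBPS = 100.0  # assumed per-destination alert threshold
PREFIX_LEN = 24                # assumed aggregation size for the range-level view
BASELINE_MULTIPLIER = 3.0      # assumed: alert when a prefix exceeds 3x its baseline


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD_MBPS):
    """Per-destination check: flag any single IP whose rate exceeds the threshold."""
    totals = defaultdict(float)
    for dst, mbps in flows:
        totals[dst] += mbps
    return sorted(ip for ip, rate in totals.items() if rate > threshold)


def per_prefix_alerts(flows, baseline_mbps, multiplier=BASELINE_MULTIPLIER):
    """Range-aware check: sum traffic per covering prefix and compare to baseline.

    Returns {prefix: (total_mbps, distinct_destinations)} for alerting prefixes.
    """
    totals = defaultdict(float)
    hosts = defaultdict(set)
    for dst, mbps in flows:
        net = str(ipaddress.ip_network(f"{dst}/{PREFIX_LEN}", strict=False))
        totals[net] += mbps
        hosts[net].add(dst)
    return {
        net: (rate, len(hosts[net]))
        for net, rate in totals.items()
        if net in baseline_mbps and rate > multiplier * baseline_mbps[net]
    }


# Constructed sample: 254 hosts in one /24 each receive 40 Mbps (below the
# per-IP threshold); a second /24 carries ordinary traffic only.
SAMPLE_FLOWS = [(f"198.51.100.{h}", 40.0) for h in range(1, 255)]
SAMPLE_FLOWS += [(f"203.0.113.{h}", 20.0) for h in range(1, 11)]
SAMPLE_BASELINE = {"198.51.100.0/24": 500.0, "203.0.113.0/24": 250.0}

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_FLOWS))
    for net, (rate, n) in per_prefix_alerts(SAMPLE_FLOWS, SAMPLE_BASELINE).items():
        print(f"{net}: {rate:.0f} Mbps across {n} destinations")
```

The per-IP check stays silent while the prefix view reports roughly 10 Gbps spread over 254 destinations, which is also the number of addresses a null route would have to sacrifice.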

Conclusion

Carpet bomb DDoS attacks present a significant challenge to organizations and service providers, evading detection, neutralizing traditional mitigation techniques, and overloading systems. Understanding the nature of these attacks and implementing advanced protection strategies is crucial to staying safe. By adopting proactive security measures, organizations can effectively defend against the evolving landscape of DDoS threats, carpet bombs and all.

The Corero team is continually researching new DDoS attack types in order to offer more accurate, comprehensive mitigation and protection. To learn more about how we defend our customers from this and other advanced DDoS attacks, schedule some time to speak with one of our experts today.

 
