Corero

Carpet Bomb DDoS Attacks: On the Rise and Evading Detection


This blog is part one of a three-part series on the rise of carpet bomb DDoS attacks.

There’s a new kind of DDoS attack in town, and it’s not messing around.

Our Threat Intelligence team reported in our 2023 DDoS Threat Intelligence Report a major increase in a certain kind of indiscriminate distributed denial of service attack. Known as a carpet bomb, spread spectrum, or spray attack, this DDoS technique distributes malicious attack traffic over a wide range of IP addresses.

Carpet bomb DDoS attacks were observed in 2020 and 2021 — even taking down a South African internet service provider for a full day in 2019 — but they were relatively uncommon. In 2022, though, our Threat Intelligence team reported 300% more attacks of this kind.

With carpet bomb DDoS attacks on the rise, companies need to know what to expect. Today, we’ll break down what the attacks involve, why they’re so difficult to defend, and what you can do to protect yourself.

What are carpet bomb DDoS attacks, and why are they a danger?

In short, a carpet bomb attack is a type of DDoS attack that spreads its traffic across a large number of targets rather than a single, more easily identifiable target.

Unlike traditional DDoS attacks, which generally focus on a single IP address, carpet bomb DDoS attacks have different traffic patterns. They result in large numbers of lower volume packet floods spread over multiple destination IP addresses. These IP addresses are all part of the victim’s network so that the small floods still add up to a significant volumetric attack and cause disruption.

Carpet bomb attacks are difficult to defend against, challenging standard per-IP detection, mitigation, and alert techniques. They pose a triple threat to their targets:

  • Evading detection by flying under the radar of legacy IP traffic analysis techniques or thresholds.
  • Invalidating the use of black hole or null route techniques, making it more difficult to avoid collateral damage.
  • Overloading scrubbing lane capacity, cloud service budgets, or reporting systems.

Below, we’ll cover the first threat in depth.

How carpet bomb DDoS attacks evade detection

DDoS attacks of all kinds can cause significant disruptions to a website or online service, resulting in extended downtime, slow response times, and other issues. The effects of an attack can linger, with longer-term damage to search engine rankings, user trust, and brand reputation.

But carpet bomb DDoS attacks pose a particular threat because they can fly under the radar in a way that traditional DDoS attacks can’t. Because the amount of traffic per IP address is so low, many legacy DDoS protection solutions don’t recognize that an attack is happening.

That’s because many DDoS detection mechanisms incorporate thresholds that define the amount of acceptable traffic to an individual destination IP address, and carpet bomb attacks fall below those thresholds. This also goes for the detection mechanisms of the intermediate provider networks that are unwittingly transporting the DDoS traffic to the victims.

By spreading a DDoS attack over tens or hundreds of destination IP addresses, cybercriminals can often evade or confuse legacy mitigation solutions. Even if traffic on a few of the destination IP addresses is noticed, most malicious traffic will get through.
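The threshold gap described above can be seen by running a per-destination check and a per-prefix check over the same traffic. This is an added example, not code from the original post or from any vendor product; the flow records are constructed, and the thresholds, the /24 aggregation and the function names are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# All thresholds are assumed values for illustration only.
PER_IP_MBPS = 100       # legacy per-destination alert threshold
PER_PREFIX_MBPS = 1000  # aggregate alert threshold per /24
MIN_DESTINATIONS = 50   # distinct hosts hit before calling it a spread attack

def build_sample():
    """Constructed one-interval flow summary: (destination IP, Mbps)."""
    flows = [(f"192.0.2.{h}", 20.0) for h in range(1, 201)]    # 200 small floods
    flows.append(("198.51.100.10", 900.0))                     # single-target flood
    flows += [(f"203.0.113.{h}", 2.0) for h in range(1, 11)]   # background traffic
    return flows

def per_ip_alerts(flows, threshold=PER_IP_MBPS):
    """Legacy view: alert on any single destination above the threshold."""
    totals = defaultdict(float)
    for dst, mbps in flows:
        totals[dst] += mbps
    return sorted(ip for ip, mbps in totals.items() if mbps > threshold)

def per_prefix_alerts(flows, prefix_len=24, threshold=PER_PREFIX_MBPS,
                      min_dsts=MIN_DESTINATIONS):
    """Aggregate view: sum traffic per prefix and count distinct destinations."""
    totals = defaultdict(float)
    hosts = defaultdict(set)
    for dst, mbps in flows:
        net = str(ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False))
        totals[net] += mbps
        hosts[net].add(dst)
    return {net: (totals[net], len(hosts[net])) for net in totals
            if totals[net] > threshold and len(hosts[net]) >= min_dsts}

if __name__ == "__main__":
    flows = build_sample()
    print("per-IP alerts:    ", per_ip_alerts(flows))
    print("per-prefix alerts:", per_prefix_alerts(flows))
```

In the constructed data, each address in 192.0.2.0/24 receives only 20 Mbps, so the per-IP check reports just the classic single-target flood, while the aggregate check surfaces the 4 Gbps spread across 200 hosts.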

What happens when DDoS attacks evade detection?

For a start, less intermediate detection and mitigation means that more DDoS traffic ultimately reaches its intended destination. This can cause significant disruptions to the targeted website or online service, including slow response times, timeouts, or complete system failure.

Downtime caused by DDoS attacks can also be quite expensive. Gartner had previously calculated that downtime can cost up to $5,600 per minute, and other estimates suggest that even small businesses may lose over $100,000 per hour. That’s not taking into account the lost revenue opportunities from lower search engine rankings, damaged brand reputation, and more.

Defending against carpet bomb DDoS attacks

Carpet bomb DDoS attacks are more challenging to protect against than organizations might think. For DDoS attacks targeting hosting providers, data centers, and other organizations whose core business is operating servers, carpet bombing can become nearly impossible to mitigate.

To limit or prevent the damage to these providers and other organizations, it’s essential to have a robust security strategy in place. Legacy detect-and-redirect solutions often won’t cut it.

Companies should consider DDoS protection solutions that take a holistic approach to detecting modern DDoS attacks and provide automatic protection. If you’d like to learn more about our approach to defending against carpet bomb and other modern DDoS attacks, click here to book some time with one of our experts.

Sources

‘Carpet-Bombing’ DDoS Attack Takes Down South African ISP for an Entire Day | ZD Net

DDoS Attacks Become More Severe, ‘Carpet Bombing’ Poses Major Challenge | Security Brief Australia

The Cost of Downtime | Gartner

How To Calculate the True Cost of Downtime to Your Organization | Load Balancer