Use Case

Defending Against Carpet Bombing DDoS Attacks

Defending Against Carpet Bombing Attacks

Highlights

What are Carpet Bombing Attacks?

DDoS attacks usually come from many sources, targeting a single (or very small number) of destinations (the victim).

‘Carpet Bombing’ is a term used to describe DDoS attacks that target a range of addresses or subnets, which can contain hundreds or even thousands of destination IP addresses. Carpet bombing can impact a service provider’s ability to deliver service (either generally or to a specific customer). It can also be used to disguise the individual target, thus increasing the difficulty of mitigation.

The Challenge

Carpet bombing is not new, it has been around for years and has been used sporadically by attackers. Starting five years ago, these attacks targeted networks in Turkey, France, Italy and South Africa. These attacks are increasingly popular with threat actors and today they are commonly experienced by many service providers and large network operators in the USA and around the globe.

The addresses targeted during a Carpet Bombing attack are not always static and may change during the lifetime of an attack. These attacks are often combined with reflection-amplification techniques. Reflection amplification uses poorly secured or configured Internet infrastructure to amplify and obfuscate the true source of a DDoS attack.

Reflection amplification was behind most of the largest DDoS attacks seen on the Internet for nearly a decade. Many protocols can be used for reflection amplification, including DNS, NTP, SSDP, SNMP etc. Recently attackers have also used TCP based (SYN-ACK) reflection amplification which adds a stateful element to the attack impact (where firewalls, NAT, load-balancers are being targeted).

Combined with advanced reconnaissance of the online business relationships between targeted organizations, combining Carpet Bombing and Reflection Amplification tactics allows attackers to raise the bar for defenders in terms of accurately detecting, classifying, tracing back, and mitigating DDoS attacks.

The Risk

Carpet bombing attacks are harder to manage because:

  1. By targeting a range of addresses there is often a smaller amount of traffic per target host. This can mean that some detection mechanisms do not fire.
  2. Systems that initiate a mitigation per target address can run out of resources if thousands of addresses are targeted.
  3. Diverting traffic for large numbers of hosts can mean that very large volumes of attack / clean traffic are delivered to mitigation infrastructure. This can be overwhelming, especially for FlowSpec based mitigations.
  4. Often specific Internet infrastructure, from one or more businesses or networks, is used to reflect traffic towards the target of the carpet-bombing attack.

The Solution

Carpet bombing attacks are one of the most devastating distributed attacks bad actors can initiate since they target large ranges of IP addresses simultaneously, generating thousands of attack alerts that are impossible for SOC teams to manage. Scrutinizing large traffic volumes over time, contextualizing and refining this data, and quickly acting on anomalies that threaten network availability has never been more necessary. But resource constraints continue to impact network operators, increasing the value of scalable, end-to-end, automated analytics workflows and protections. 

Arbor Sightline has multiple detection mechanisms that can identify carpet-bombing attacks ensuring customers are protected. Arbor Sightline has features to track the prefixes involved in an attack so that only the relevant traffic is diverted to mitigation infrastructure.

Through Adaptive DDoS Protection, NETSCOUT has introduced a new way to understand DDoS traffic at the network level across all subnets to detect and report on carpet bombing attacks in one, easy-to-understand alert. Arbor Sightline's Machine Learning based Precise Protection Prefix technology automatically determines the specific IP ranges targeted by the attack. It then automatically redirects those to Arbor Threat Mitigation Systems (TMS) for mitigation, even as the attack moves around the network to different targets. This Adaptive DDoS Protection capability dramatically improves the detection and mitigation of carpet-bombing attacks.

Arbor Sightline can identify carpet-bombing DDoS attacks in as little as one second using fast-flood detection, and can automatically mitigate these attacks by identifying the IP ranges under attack and diverting only that traffic to Arbor TMS.

Arbor Sightline can add new targets automatically to existing mitigations, managing resources effectively. Arbor Sightline can automatically manage available Arbor TMS mitigation capacity by dynamically moving attacks among available Arbor TMS mitigation infrastructure, as attack traffic volumes change. These features make sure network infrastructure isn’t overloaded and cuts down the time operations staff spend managing DDoS attack response.

Carpet bombing defense capabilities include:

  • Automated mitigation that scales to hundreds of millions of packets per second
  • Tracking of attack targets so that (only) needed traffic is inspected
  • Analytics to identify attack sources for intelligent mitigation
  • Advanced DDoS Protection that constantly analyzes attack traffic and updates mitigations in real time and targeted addresses and methods change.

Summary

Although carpet bombing and reflection-amplification attacks are complex and difficult to manage, with Arbor Sightline's multitude of detection mechanisms and TMS based surgical mitigation you can identify these attacks and manage them to effectively protect your network and your customers.