In recent years, distributed denial of service (DDoS) attacks have become more frequent and sophisticated. Bad actors continue to find new ways to flood target networks with massive-scale attacks that grow exponentially and use different attack techniques.

Carpet bombing is one of those destructive techniques that has become a major concern for enterprises and service providers worldwide, especially since it’s being used more frequently by sophisticated hacktivists.

The impact of DDoS carpet bombing attacks can be devastating for an organisation. They cause extended downtime to large parts of the network as well as inflict financial losses and reputational damage.

DDoS attacks are designed to overwhelm the target’s resources, making their services inaccessible to legitimate users. Carpet bombing, however, takes the traditional DDoS attack to a whole new level by leveraging a vast botnet network to orchestrate simultaneous attacks on multiple targets. The sheer scale and complexity of this approach make it particularly challenging to defend against.

Here are three elements of a carpet bombing attack.

1. Botnet recruitment: Attackers recruit a massive number of compromised devices, including computers, servers, routers and IoT devices, without the owners’ knowledge. These devices are then aggregated into a botnet.
2. Attack execution: Once the botnet is recruited, the attacker will most likely stand down and wait with the attack command because they assume that the target has a mitigation solution.

The attacker will then send a scattered attack, as opposed to sending to individual destination IPs, to try and measure the configured thresholds and look for what can and cannot be breached.

Ultimately, they are seeking a sweet spot just below the configured rate threshold. Once this is found, the attacker will back off or maybe sustain it for a period of time (hours to days) to understand if they were spotted and blocklisted.

Now for the strike command. The attacker initiates the same volume of malicious traffic, this time bombarding the entire subnet(s) or CIDR/s (thousands of destination IPs) at the same time.

By staying below the threshold, all attacked servers try to respond, which creates an overwhelming flood that will cause internal services, including the mitigation device, to suffer. This flood of traffic overwhelms the target’s network infrastructure, rendering online services inaccessible.

3. A multi-vector approach: DDoS carpet-bombing employs multiple attack vectors, including volumetric attacks (flooding the network with excessive traffic), application layer attacks (targeting specific applications or services) and protocol attacks (exploiting vulnerabilities in networking protocols). This multifaceted approach maximises the chances of success.

Protecting against carpet bombing DDoS attacks is more difficult than protecting against a focused attack simply because most DDoS vendors mitigate against individual IPs and not subnets and networks. The consequences of poor protection vary. 

Organisations targeted by DDoS carpet bombing can experience significant service disruptions, leading to financial losses, tarnished reputations and customer dissatisfaction. The unavailability of critical services can cause severe operational challenges.

Since DDoS carpet bombing simultaneously targets multiple entities, collateral damage is also a common occurrence. Even if a target manages to mitigate the attack, the sheer volume of malicious traffic can affect the broader infrastructure, causing slowdowns or outages for other users and services.

To protect against carpet-bombing attacks, organisations should follow several best practices. For starters, they will need a DDoS detector and mitigator that is capable of displaying network monitoring in peacetime as well as identifying abnormal traffic patterns and potential DDoS attacks in real time. Early detection enables rapid response. The next step is to have an automatic mitigation counteraction.

In addition, organisations should ensure their network infrastructure can handle unexpected spikes in traffic. It’s essential to invest in scalable bandwidth, load balancers and a strong detection and mitigation device that can handle the high-scale attack and ensure service availability.

Finally, organisations should engage with a reputable DDoS mitigation service provider. These services employ advanced traffic filtering techniques and have the expertise to handle large-scale attacks. A leading DDoS vendor solution should identify and block malicious traffic, ensuring legitimate requests reach their intended destinations. This keeps the attack traffic out.

Just recently, my company’s cloud services team successfully mitigated a very large carpet bombing campaign that targeted several enterprises and service providers simultaneously. It was a global attack campaign that focused on TCP reflection of large subnets and CIDRs as the main attack vector.

The attack method used a large subnet/CIDR to reflect a flood of SYN-ACK packets at the target victims with a scale of over 300Gbps floods. The attacks were blocked immediately with several mitigation techniques. Non-protected organisations experienced slowdowns or downtimes.

The threat of DDoS carpet-bombing continues to grow in part because attacks stay below mitigation thresholds. These highly distributed attacks against large portions of the victim’s network, such as subnets/CIDRs, are devastating if they are not detected and mitigated.

Organisations, small to large, must take the necessary steps to protect themselves. By implementing an innovative detection mechanism and a multi-layered approach to protection as well as using a robust mitigation platform, organisations will be ready for the next carpet-bombing campaign.