How to detect and protect from carpet bombing attacks

Carpet bombing DDoS attacks are an increasingly common form of cybercrime because they are harder to detect and block than a traditional targeted attack. However, FastNetMon provides powerful configuration options to help you identify and defend your systems.

What is a carpet bomb DDoS attack?

A typical DDoS attack uses hundreds (or thousands) of compromised systems to overload the resources of a specific target. By generating enough network requests, an unprotected system will eventually crash, making it unavailable to legitimate traffic.

A carpet bomb DDoS attack is slightly different. Rather than attack a single endpoint, thousands of requests are directed at a range of addresses or subnets. This approach allows hackers to target hundreds, or even thousands, of endpoints with malicious traffic. Because more endpoints are attacked, the damage caused can be exponentially greater than a regular DDoS attack.

Carpet bomb attacks can be directed at a range of IP addresses belonging to a specific target, overloading a range of services. Alternatively, hackers may attack a broad range of addresses to overload multiple services simultaneously, obfuscating the intended target and making it harder to identify the perpetrator. The collateral damage and costs of these wide-scale attacks can also be exponentially greater.

Carpet bomb DDoS attacks can overwhelm scrubbing facilities used by enterprise-class organisations to process and filter malicious traffic. Where the scrubbing function is outsourced, cloud redirection budgets can be quickly exhausted, leaving the victim unprotected. Unable to accurately detect an attack, alerting and reporting systems cannot respond effectively.

Give me some examples of carpet bomb DDoS attacks

Because they fly ‘under the radar’, carpet bomb attacks are effective against even the most secure companies, like ISPs. Cool Ideas, one of South Africa’s largest ISPs, became the target of one such attack. Over the course of several days, hackers bombarded a range of IP addresses belonging to the ISP – including those used by their customers. Eventually the attack brought down Cool Ideas’ connections to other ISPs, preventing any of their customers from accessing the internet.

The technique is so effective that back in 2019, hackers were able to take an entire country offline. Due to low uptake and investment, Liberia had just one undersea fibre connection to the rest of the world at that time. By attacking the country’s two ISPs, criminals were able to overload the connection, effectively cutting Liberia off. Just 6% of the Liberian population use the internet so the effects were relatively moderate – most analysts believe the attack was a proof-of-concept test to measure effectiveness. For the wider IT industry this incident proves the destructive capabilities of DDoS carpet bombing.

Why are carpet bombing attacks increasing in frequency?

Hackers are choosing carpet bomb DDoS attacks for several reasons:

  • Attacking a broad range of systems helps to obscure the intended target, ideal for more covert crimes
  • DDoS mitigation systems that operate on a per-target-address basis can themselves be overloaded if thousands of addresses are targeted
  • Hackers may combine reflection-amplification techniques to maximise their distributed reach and traffic directed at targets
  • By design, carpet bombing DDoS attacks can be quite difficult to detect and mitigate
  • Carpet bombing can be more effective – and damaging – than traditional DDoS attack methods

Why are DDoS carpet bombing attacks hard to defend against?

Carpet bomb DDoS attacks are difficult to defend against mainly because of how the attack is designed. By targeting a range of devices, the attack often uses a smaller amount of traffic per host. This reduced level of traffic tends to fall below the detection threshold configured in mitigation systems, so defences are never triggered while the targeted systems experience performance issues – or crash entirely. The methodology may be slightly different, but the effect of a carpet bombing DDoS attack on network devices is the same as any other DDoS attack. Even if some malicious traffic is detected and blocked by a traditional DDoS detection and mitigation system, the majority will still reach its target.

The good news is that FastNetMon can be configured to detect and block distributed denial of service carpet bombing attacks.

Configuring FastNetMon to detect and block carpet bombing DDoS attacks

The key to mitigating carpet bombing attacks with FastNetMon is to properly configure per-hostgroup thresholds. This allows you to calculate total traffic across a number of prefixes and to take custom actions when that total reaches a specified value.
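The following sketch shows why an aggregate threshold catches what a per-host threshold misses. It is an added illustration, not FastNetMon code or configuration; the hostgroup names, prefixes, threshold values and traffic samples are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed hostgroups (documentation address ranges): name -> prefixes.
HOSTGROUPS = {
    "customers": [ipaddress.ip_network("198.51.100.0/24")],
    "infra": [ipaddress.ip_network("203.0.113.0/24")],
}
PER_HOST_MBPS = 100    # assumed per-host detection threshold
PER_GROUP_MBPS = 1000  # assumed threshold on each hostgroup's total traffic

def group_of(ip):
    """Return the hostgroup whose prefixes contain ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in HOSTGROUPS.items():
        if any(addr in prefix for prefix in prefixes):
            return name
    return None

def detect(samples):
    """samples: (dst_ip, mbps) pairs observed in one measurement interval.

    Returns (hosts over the per-host threshold, groups over the group threshold).
    """
    per_host = defaultdict(float)
    per_group = defaultdict(float)
    for dst, mbps in samples:
        per_host[dst] += mbps
        group = group_of(dst)
        if group is not None:
            per_group[group] += mbps
    hosts = sorted(h for h, v in per_host.items() if v > PER_HOST_MBPS)
    groups = sorted(g for g, v in per_group.items() if v > PER_GROUP_MBPS)
    return hosts, groups

def carpet_sample():
    # Constructed: 20 Mbps to each of 200 hosts in one prefix (4 Gbps in total),
    # plus ordinary traffic to one infrastructure host.
    samples = [(f"198.51.100.{i}", 20.0) for i in range(1, 201)]
    samples.append(("203.0.113.10", 50.0))
    return samples

def targeted_sample():
    # Constructed: a classic single-target flood for comparison.
    return [("203.0.113.10", 800.0), ("198.51.100.5", 5.0)]

if __name__ == "__main__":
    print("carpet:  ", detect(carpet_sample()))
    print("targeted:", detect(targeted_sample()))
```

In the carpet sample no single host crosses the per-host threshold, yet the "customers" group total does; the targeted sample trips only the per-host check.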

You can read more about enabling hostgroup counters in FastNetMon in the developer documentation.

To further assist your security and network engineers, FastNetMon has also developed a Grafana dashboard for monitoring advanced hostgroup traffic, providing at-a-glance access to key metrics.

To learn more about FastNetMon and how we can help you detect and mitigate DDoS carpet bombing attacks, please get in touch.
