In today’s digital landscape, the term “carpet bombing” not only refers to devastating bombings of the past, but also to an emerging threat. This threat is DDoS carpet bombing. Unlike conventional attacks, this method targets not just one, but several IP addresses simultaneously, defying traditional cyber defenses.
This article explores the resurgence of these attacks, highlighting their exponential nature and the challenges they impose on security structures. In addition, the text delves into the complexities of this type of attack, from detection to mitigation, pointing out gaps in traditional defenses that make carpet bombing an effective weapon for cybercriminals.
Understanding Carpet Bombing DDoS attacks
When the Second World War ended on September 2, 1945, the city of Dresden in Germany was destroyed. They considered the city to have suffered the most bombings – as if they had covered it with a carpet of explosives, given the number of bombs dropped on it. The term “carpet bombing” came from that era, which is now used in a very different but equally threatening context. It’s the name of a type of denial-of-service attack that hits not one or two IP addresses, but a variable number of them (and sometimes a large number), in random order and ranges.
A typical DDoS attack usually uses thousands of stealthily infected devices to overload the resources of an IP address with excessive requests. Enough so that the system (if unprotected) ends up crashing and becoming unavailable. Carpet bombing DDoS, on the other hand, makes thousands of requests to various addresses or subnets. This approach hits hundreds or even thousands of endpoints with malicious traffic. As a larger number of endpoints are attacked, the damage caused can be exponentially greater than in a normal DDoS attack.
Although this type of attack is not new, it is increasingly being used by criminals because it bypasses traditional defenses and causes the expected damage – or even more. Even telecom service providers can find it difficult to defend their customers from such attacks. They are capable of overloading scrubbing centers – the platforms that process and filter malicious traffic. Unable to accurately detect the targets of the attack, ordinary warning systems are unable to respond effectively.
Few suppliers solve this problem
Why is it difficult for companies to detect and mitigate this type of attack? Legacy flow reconnaissance devices such as firewalls, load balancers, IPS, IDS, etc. are usually unable to detect these stealth attacks on the network layer. Characteristics of carpet bombing attacks, which can become bottlenecks. To make matters worse, the attack packets are often fragmented. In addition, the IP addresses selected as targets change frequently during the attack. What’s more, the attacker can use a combination of reflection and flooding techniques. As if that weren’t enough, they often automate the vectors, changing them quickly in real time. And finally, in mitigation, blocking traffic with “black holes”, for example, is no longer effective or viable, because this solution will have the same effect as that planned by the attacker. The IP address will be incommunicado, no longer receiving any traffic, including legitimate traffic.
Protecting a client from a carpet bombing DDoS attack doesn’t just require structure, but a set of methodologies and tools. Companies that offer network and telecommunications services generally develop these resources internally, which are not publicly available. One of the keys to this defense lies precisely in defining what an attack is for a given set of hosts. Once this parameter has been set, various actions can be taken to protect the customer.
Huge Networks has the technology against carpet bombing attacks
This type of attack is not new and has begun to occur with some frequency in Brazil. Over the last 12 months, Huge Networks has protected a large number of customers – data centers, access providers, autonomous systems and networks in general – from DDoS carpet bombing attacks. However, here and in the rest of the world, their frequency has been growing year after year. In a study called “Cyber threats and trends report: defending against a new cybercrime economy”, the American company Neustar Security Services (now Vercara) noted that these attacks accounted for around 60% of all those recorded in its SOC in the second half of 2021.
Thus, massive DDoS carpet bombing attacks may seem like just another of cybercriminals’ new weapons, but this time they are a powerful weapon that needs to be taken very seriously, as they can effectively neutralize many existing DDoS defenses.
No denial-of-service attack happens by chance – least of all carpet bombing. They are carefully planned by cybercriminals to produce unwanted effects on the victim’s business. Such as a deterioration in service, customer irritation, a drop in the company’s reputation, loss of revenue and, after all that, loss of market share. Before or immediately after the incident, cybercriminals send the victim information that they must make one or more payments or the attacks will not be stopped.
Paying ransom: the cheap way out
Most of the victims are internet service providers in small towns in Brazil. Their networks are bombarded with requests, characterizing carpet bombing attacks, which degrade the service and damage customer traffic. In March 2023, criminals launched denial-of-service attacks against several ISPs in Rio de Janeiro and Rio Grande do Sul, demanding payment to suspend them. To protect traffic, you need to hire packet filtering services. Criminals ask for a lower ransom than these services – indicating that it is cheaper to pay the ransom than to hire a vendor to provide the solution.
But in this case, cheap is expensive: without the protection of a telecommunications service that masters carpet bombing mitigation technology, as Huge Networks does, the problem will soon return. And how long will it last? Nobody knows.