Introduction

Beginning in 2016, NETSCOUT ASERT observed adversary's launching DDoS attacks towards entire CIDR blocks, rather than individual IP addresses. This phenomena is known as a Carpet-Bombing (Spread Spectrum, Subnet DDoS) DDoS attack. This targeting methodology was intended to make it more challenging for defenders to detect and classify incoming DDoS attacks, as some DDoS defense systems relied solely upon packets-per-second (pps) and/or bits-per-second (bps) thresholds set for specific hosts to detect inbound DDoS attack traffic. By spreading out the attack traffic across one or more larger subnets or supernets, attackers hoped to avoid triggering DDoS attack alerts, complicating the ability of defenders to understand that they were under attack and making it more difficult for them to mitigate these attacks, as well as to obfuscate the intended target of their attacks. Almost all carpet-bombing DDoS attacks observed to date use well-known reflection/amplification DDoS attack vectors such as DNS, NTP, and TCP reflection/amplification.  

TCP reflection/amplification carpet-bombing attacks have been used to target wireless and wireline broadband access networks, as defenders lacking advanced DDoS defense systems can find it difficult to differentiate the incoming attack traffic from legitimate responses to outbound Web browsing and other common user activities.  Initially, these attacks targeted a handful of countries, but rapidly expanded to the rest of the world.

Analysis

NETSCOUT’s ASERT team analyzes not only DDoS attack alerts from our ATLAS Visibility program to identify carpet-bombing DDoS attacks, but specifically-configured DDoS reflection/honeypots, as well, which provide us with detailed insight into attack dynamics. This visibility into worldwide carpet-bombing attacks allows us to make informed decisions about product features and enhancements to combat this technique. Further, we can use the data gathered to understand the characteristics of the attacks in detail as we’ll examine below.   

Carpet-Bombing Attack Size

The most common method adversary’s employ to take down targets involves sending the largest attack they have access to at a singular IP address of their choice. This has been the predominant choice for decades, resulting in most DDoS solutions solving that problem with host-based monitoring, but that is insufficient to detect and mitigate most carpet-bombing attacks. If an adversary were to launch a 100 Gbps attack against a single host, nearly every service provider in the world would likely detect and mitigate that traffic before it ever reached the target. However, if that same adversary decided to use the carpet-bombing technique, they could still launch a 100 Gbps attack, but target 1,000 hosts simultaneously. This would result in each host receiving 12.5 Mbps of traffic, avoiding almost all bandwidth thresholds in DDoS detection systems, but resulting in the same amount of traffic on the network. And while the specific host the adversary wanted to take down may not experience the entire flood of traffic, it’s possible, even likely, that the entire netblock experiences degradation or outages because of saturating entire CIDR blocks with DDoS attack traffic.

Carpet-Bombing Attack Duration

Most of these attacks are relatively short-lived. A whopping 90% of them last for one minute. Both the desire to avoid attack detection, as well as the economics of the DDoS-for-hire services used to launch them, likely contribute to the prevalence of short-duration attacks. Most booter/stresser services allow single host attacks at a reasonable price, sometimes free. However, there are not many that allow for simultaneous target IPs without paying a premium rate. Thus, many of the longer duration attacks are likely perpetrated by more sophisticated, persistent adversaries, rather than the opportunistic gamer attempting to kick their opponents offline. On the other spectrum of duration, we’ve seen an attack last as long as 24 hours. 

Carpet-Bombing Attack Frequency and Targeting

NETSCOUT’s reflection/amplification honeypots provide visibility into an average of 6000 carpet-bombing DDoS attacks every day. This translates into more than 400,000 carpet-bombing attacks since July 2023, a conservative number as we only considered non-TCP reflection/amplification carpet-bombing attacks in this analysis. In addition, our ATLAS system categorizes an average of about 740 high bandwidth carpet-bombing attacks every day (Figure 1). While this may seem small compared to our reflection/amplification honeypot observations, note that ATLAS analyzes alerts generated in service provider networks where a bandwidth threshold might only trip after a single host receives multiple Gbps of specific types of reflection/amplification DDoS attack traffic.     

On average, we see hundreds of hosts targeted during each carpet-bombing attack, but we’ve also seen as many as 8,000 IPv4 addresses targeted in a single attack.  We frequently observe carpet-bombing reflection/amplification attacks in the Tbps range on a global basis. Following conversations with customers and analysis of peer reports, ASERT arrived at a consensus: There was a substantial rise in carpet-bombing attacks throughout 2023, with observed increases ranging from 30% to 50% year over year.

Carpet-bombing DDoS attacks are a worldwide problem and affect many different countries, with some standout targets. In the last half of 2023 and into 2024, the United States, Brazil, Hong Kong, and China were most often on the receiving end of carpet-bombing attacks. (Figure 2 & 3)

Conclusion

Carpet-bombing DDoS attacks have brought about a paradigm shift in DDoS detection and mitigation. This attack targeting methodology spans the globe in targeting and runs the gamut of different vectors making them a very insidious threat that requires special care to eliminate as a threat. Latest innovations in NETSCOUT Sightline/TMS DDoS defense solutions enable service providers to apply new detection mechanisms to detect the increasing velocity of carpet-bombing attacks.  Always in-line solutions like AED provide real-time packet-level protection from these attacks. Carpet-bombing isn’t going anywhere, and we must ensure adequate protection is in place to handle these pipe-filling, distributed attacks.

 

Additional Contributors:

• Hardik Modi, AVP Engineering
• Roland Dobbins, Principal Engineer
• Chris Conrad, Senior Analyst
• Bill Cerveny