Webinar: What is a "Carpet-Bombing" DDoS Attack and How Can you Mitigate the Impact – Watch Now
The Challenge of Carpet Bombing Attacks
Carpet Bombing DDoS attacks target many destination IP addresses at once. This creates several advantages for the attacker as well as challenges for the defender.
Firstly, the attacks are more difficult to detect because traditional DDoS protections focus on protecting specific hosts or customers and their IP address space. Because carpet bombing spread out the attack the resulting traffic tends to fall below thresholds for individual destinations that would trigger an alert. Also, the attack can starve resources upstream by attacking thousands of hosts that may not otherwise merit protection.
Secondly, carpet bombing created a challenge for defenders because it is difficult to mitigate attack traffic for so many destinations at once. Further, it can require significantly more mitigation capacity to inspect the traffic for all of the destinations being attacked simultaneously, instead of a single target.
Detect and Mitigate Automatically
Adaptive DDoS Protection (ADP) for TMS introduces a new type of DDoS alert: a Managed Object Misuse alert, designed to detect and mitigate Carpet Bombing DDoS attacks automatically.
This feature measures total DDoS misuse traffic for entire network, not just per-host, and includes Known Attacker Detection based on total traffic by misuse type. It detects the total volume of DDoS misuse traffic no matter how distributed among many destinations.
ADP analyzes attack destinations to determine specific subnets needing mitigation and redirect subnets to Arbor TMS. It continues to automatically update the mitigation in real time as attack targets change.
Why NETSCOUT is Better Than Other Solutions
Advanced DDoS Protection solutions for service providers detect DDoS attacks at any granularity, whether they target a single destination or many at once. The detection engine intelligently identifies specific subnets of the network under active attack and optimizes the mitigation automatically. ADP redirects only attack traffic for active targets at any given time. It uses Known Attacker Detection to detect smaller attacks faster and more accurately than other solutions. Block known, active sources of DDoS attack traffic (e.g. specific IP addresses, botnet hosts) based on real-time global ATLAS Threat Intelligence. Arbor TMS with ADP and ATLAS Intelligence Feed (AIF) fully and efficiently mitigates carpet bombing attacks!
Carpet Bombing Alert Threshold Assistant
Carpet Bombing Alert Threshold Assistant makes it easy to set up effective carpet bombing DDoS attack detection. It reports on traffic by misuse type across the network. It shows current settings compared to actual traffic and suggests new settings based on observed traffic that can be applied rapidly or automatically.
Customizable TMS Diversion
Customizable TMS diversion provides precision mitigations for optimum performance and efficiency. While redirecting large subnets can conflict with existing customer routes, Arbor Sightline automatically redirects the most specific subnets possible to divert carpet bombing DDoS attacks. The new diversion customization settings allow users to control both the minimum and maximum size of the announcements.
Integrated with Known Attacker DDoS Intelligence
Integration Known Attacker DDoS Intelligence drives Adaptive DDoS Protection based on industry leading global attack visibility. It includes current DDoS attack sources such as active reflectors/amplifiers and abused open proxies. It also contains persistent attack sources like known DDoS botnet members and other sources including “Bulletproof” Hosters and Tor exit nodes.
Why Flowspec is Not an Effective Solution
A traditional DDoS flowspec response blocks only some carpet bombing attack vectors like certain types of reflection/amplification and initial IP fragments. Rate limiting could possibly be applied to non-initial fragments and UDP traffic. However,under attack these countermeasures can easily overwhelm resources on the routers and will still require the use of robust and precision mitigation solutions like Arbor Threat Mitigation Systems (TMS).
Carpet Bombing DDoS Resources
Defending Against Carpet Bombing DDoS Attacks
Although carpet bombing is not new, attacks still happen every day. Learn how Arbor Sightline can protect your network and eliminate DDoS threats before they have a chance to harm your network.
Ask ASERT: What is the Best Mitigation Technique for Carpet Bomb DoS Attack?
Roman Lara, Principle Security Analyst at NETSCOUT, discusses the signatures of Carpet Bombing attacks as well as how bad-actors utilize the Carpet Bombing technique in attack scenarios.
Carpet-Bombing
Carpet-bombing (Spread Spectrum, Subnet DDoS) attacks take place when an adversary targets a range of addresses or subnets simultaneously to saturate networks with garbage traffic while also...
Ask ASERT: What is Carpet Bombing
Roman Lara, Principal Security Analyst on the ASERT team at NETSCOUT, discusses the underpinnings of Carpet Bombing #DDoSAttacks and why they are a serious threat.
NETSCOUT Defends Customers From Cyberattacks With Automated, Real-Time Traffic Analysis, Global Threat Intelligence, and ML-Based Mitigation
Adaptive DDoS Protection for Arbor TMS Dramatically Improves Dynamic Distributed Attack Detection Including Carpet Bombing
Why Are Carpet Bombing Attacks Difficult to Mitigate?
Although Carpet Bombing and Reflection Amplification attacks are complex and difficult to detect, by employing a multitude of detection mechanisms and orchestrating these mechanisms to work together, you can identify these attacks and manage them to mitigate the impact on your network and your customers.
Evolution of a New DDoS Technique
TCP SYN Carpet Bombing Deep Dive
Automate Your Carpet Bombing DDoS Defenses
If you can’t monitor the entirety of your network, you could fall victim to a DDoS attack. To learn more, speak to our experts.
Related Pages
Adaptive DDoS Mitigation for Service Providers
Arbor Sightline DDoS Attack Detection Solution
