Webinar: What is a "Carpet-Bombing" DDoS Attack and How Can you Mitigate the Impact – Watch Now

DDoS attack traffic mitigation diagram

The Challenge of Carpet Bombing Attacks

Carpet Bombing DDoS attacks target many destination IP addresses at once. This creates several advantages for the attacker as well as challenges for the defender.

Firstly, the attacks are more difficult to detect because traditional DDoS protections focus on protecting specific hosts or customers and their IP address space. Because carpet bombing spread out the attack the resulting traffic tends to fall below thresholds for individual destinations that would trigger an alert. Also, the attack can starve resources upstream by attacking thousands of hosts that may not otherwise merit protection.

Secondly, carpet bombing created a challenge for defenders because it is difficult to mitigate attack traffic for so many destinations at once. Further, it can require significantly more mitigation capacity to inspect the traffic for all of the destinations being attacked simultaneously, instead of a single target.

Detect and Mitigate Automatically

Adaptive DDoS Protection (ADP) for TMS introduces a new type of DDoS alert: a Managed Object Misuse alert, designed to detect and mitigate Carpet Bombing DDoS attacks automatically.

This feature measures total DDoS misuse traffic for entire network, not just per-host, and includes Known Attacker Detection based on total traffic by misuse type. It detects the total volume of DDoS misuse traffic no matter how distributed among many destinations.

ADP analyzes attack destinations to determine specific subnets needing mitigation and redirect subnets to Arbor TMS. It continues to automatically update the mitigation in real time as attack targets change.

Why NETSCOUT is Better Than Other Solutions

Advanced DDoS Protection solutions for service providers detect DDoS attacks at any granularity, whether they target a single destination or many at once. The detection engine intelligently identifies specific subnets of the network under active attack and optimizes the mitigation automatically. ADP redirects only attack traffic for active targets at any given time. It uses Known Attacker Detection to detect smaller attacks faster and more accurately than other solutions. Block known, active sources of DDoS attack traffic (e.g. specific IP addresses, botnet hosts) based on real-time global ATLAS Threat Intelligence. Arbor TMS with ADP and ATLAS Intelligence Feed (AIF) fully and efficiently mitigates carpet bombing attacks!

Carpet Bombing Alert Threshold Assistant

Carpet Bombing Alert Threshold Assistant makes it easy to set up effective carpet bombing DDoS attack detection. It reports on traffic by misuse type across the network. It shows current settings compared to actual traffic and suggests new settings based on observed traffic that can be applied rapidly or automatically.

Customizable TMS Diversion

Customizable TMS diversion provides precision mitigations for optimum performance and efficiency. While redirecting large subnets can conflict with existing customer routes, Arbor Sightline automatically redirects the most specific subnets possible to divert carpet bombing DDoS attacks. The new diversion customization settings allow users to control both the minimum and maximum size of the announcements.

Integrated with Known Attacker DDoS Intelligence

Integration Known Attacker DDoS Intelligence drives Adaptive DDoS Protection based on industry leading global attack visibility. It includes current  DDoS attack sources such as active reflectors/amplifiers and abused open proxies. It also contains persistent attack sources like known DDoS botnet members and other sources including “Bulletproof” Hosters and Tor exit nodes.

Why Flowspec is Not an Effective Solution

A traditional DDoS flowspec response blocks only some carpet bombing attack vectors like certain types of reflection/amplification and initial IP fragments. Rate limiting could possibly be applied to non-initial fragments and UDP traffic. However,under attack these countermeasures can easily overwhelm resources on the routers and will still require the use of robust and precision mitigation solutions like Arbor Threat Mitigation Systems (TMS).

Automate Your Carpet Bombing DDoS Defenses

If you can’t monitor the entirety of your network, you could fall victim to a DDoS attack. To learn more, speak to our experts.