NSFOCUS Case Study on Protection Against Carpet-Bombing Attacks

NSFOCUS Case Study on Protection Against Carpet-Bombing Attacks

September 16, 2022 | Adeline Zhang

Introduction

According to the H1 2022 NSFOCUS Global DDoS Attack Landscape report released on 6 Sept 2022, DDoS attacks made a surprising 205% increase compared with the first half of 2021. When it comes to the carpet-bombing attacks prevalent in recent years, more than 100,000 IP addresses on hundreds of network segments were hit by carpet-bombing attacks every month.

Usually, carpet-bombing attacks are pretty challenging to be detected as the malicious traffic received by each IP address is too low to trigger protection in typical DDoS mitigation solutions. However, the accumulated malicious traffic may be volumetric and massively impact a victim’s network infrastructure.

In early June 2022, NSFOCUS discovered that a customer in Latin America using NSFOCUS Cloud DDoS Protection (DPS) service encountered a UDP carpet-bombing attack that lasted for an hour, with the peak attack traffic size reaching 112.3 Gbps. The attack traffic targeting each IP reaches 100 Mbps and covers more than 500 IP addresses distributed in two /24 IP segments owned by the customer.

After this carpet-bombing attack was identified, an emergency response was triggered immediately and fine-tuned policies were given by the NSFOCUS Managed Security Service (MSS) team. Finally, over 98 Gbps malicious traffic was filtered out and about 16 Gbps clean traffic was sent back to the customer’s original path.

Solution

1. The MSS team identifies a carpet-bombing attack;

2. Apply a relatively low UDP rate-limit threshold when the MSS team observes that attack traffic to each IP address lies at almost exactly 100 Mbps;

3. Create customized protection for the affected IP segments.

In this case, prompt and accurate identification of the attack is critical to give the response in time. Meanwhile, UDP flood protection algorithms on NSFOCUS Anti-DDoS System (ADS) also play an important role in mitigating the attack traffic. NSFOCUS Threat Intelligence also helps to identify and block malicious source IP addresses that are often controlled and used for carpet-bombing attacks.

How NSFOCUS helps

To defend against UDP carpet-bombing attacks, it is critical to establish visibility and fast detection at layer three and layer 4 with DPI and DFI technologies. NSFOCUS MagicFlow, an integrated network governance platform, can help you to know your security posture through comprehensive network-wide traffic analysis.

Subscription-based NSFOCUS Threat Intelligence service provides global cyber threat intelligence you need to prevent, mitigate and traceback an attack, and keep your organization safe from complex threats like carpet-bombing attacks and ransomware through the real-time information of malicious entities, IPs, and domains.

Contact us to learn more.