Carpet Bombing on Digital Infrastructures – Pragmatic Approaches in DDoS Protection and Data Protection
New attack types like Carpet Bombing require specialized protection of hosting & ISP IT landscapes, warns Michael Hempe from Link11 GmbH.
Hosting providers are often a target of cyber attacks, especially DDoS attacks. The very scope and size of their network infrastructure and customer base provide a huge attack surface. For example, 47% of all registered attacks in Q1 2021 targeted data center operators and hosting providers. In many cases, they were volume attacks on individual IP addresses. To defend against this threat, hosting providers have installed protection solutions that initiate attack mitigation based on predefined thresholds.
However, for several months now, more and more hosting providers have been facing DDoS attacks that slip below this baseline and are referred to as “carpet bombing” attacks. This form of attack is fundamentally not new, as the example of South African ISP Cool Ideas from 2019 shows. The ISP was hit with a large-scale Carpet-Bombing DDoS attack that caused a one-day outage. The sporadic use of this form of attack in previous years has turned into a very serious threat to the hosting and provider industry in 2021.
The characteristics of carpet-bombing attacks
Technically, carpet bombing is a very complex attack. The traffic per IP address is too small to be noticed as an anomaly. In addition, attackers don’t statically direct DDoS traffic to a specific system or server; rather, they change the targeted addresses under attack.
Technical details
- The IP addresses targeted by a carpet-bombing attack are not always static and can change during the duration of an attack.
- Not just one IP address is attacked, but an entire network block with several hundred or thousands of addresses.
- The attackers use reflection amplification techniques based on UDP such as DNS, CLDAP, and NTP but also TCP amplification.
- Each individual DDoS attack is very small and often amounts to only a few Mbps. Thus, it flies under the radar of most protection solutions and doesn’t stand out as an anomaly.
- However, in total, the attack bandwidth of the collective attacks is equivalent to a high-volume attack of up to 100 Gbps.
- The likelihood of a successful attack is further increased by flanking application and volume attacks.
Technological challenges to defense
Common protection solutions that only monitor data traffic individually for each target IP reach their limits when faced with this attack strategy. And using IT staff to analyze log files for hours on end won’t identify and stop the problem fast enough. Dropping all traffic, known as null routing or blackholing, is also no solution to the “clogged line” problem, as no traffic will reach customers. Similarly, in the face of high-volume attacks of several hundred Gbps, it’s not enough to install additional hardware. The appliances could quickly reach their capacity again due to the flood of requests.
To detect and mitigate these more complex attacks, solutions other than hard-defined threshold values per IP address or service are needed. These often consist of automation and artificial intelligence for analysis; only they can evaluate massive volumes of data in real time and detect deviations from normal behavior. Only then will many small attacks become visible as part of a larger overall attack and able to be mitigated together with the individual flood attacks.
Legal certainty in data processing for DDoS protection
In addition to the high technological requirements for defending against attacks, certain regulatory framework conditions specify that personal and personally identifiable data must not leave the EU area when data traffic is filtered. This often happens when DDoS protection solutions are used. Service providers often store log files on U.S. territory and use them within their Network Operation Center (NOC) for far-reaching optimization of their deployed systems or for better classification of the DDoS threat landscape.
In addition, the valuable metadata can also be incorporated into the work of centrally managed Security Operations Centers (SOC). These evaluate the metadata to identify threats and sharpen the relevant filters and protection mechanisms. Against the backdrop of the ECJ's June 2020 ruling on the end of the US Privacy Shield, hosting providers must therefore ask themselves exactly where their data is processed and stored. This aspect can also be implemented in pragmatic solution approaches. In contrast to DDoS protection solutions, where data outflow beyond the borders of the EU data protection area is possible, there are security solutions that rely on local data processing. European providers pursuing this route are subject to the data protection regulations of their home country and need self-operated filter clusters and networks at all locations to comply with the strict requirements of the GDPR and other national regulations.
Effective defense by security specialists
For a hosting provider whose core business is operating servers, it’s almost impossible to prevent a carpet-bombing attack. Doing so requires specific technology, an extensive protection infrastructure, and expertise. Recruiting specialized protection providers can therefore be an effective defense strategy. An important requirement during the evaluation of prospective providers should be their ability to process large amounts of network traffic in real time. In this regard, cloud-based DDoS protection solutions have proven their superiority over appliance-based protection solutions. The cloud-based approach is characterized by almost unlimited scalability and the ability to process today’s ever-increasing attack volumes. On the other hand, DDoS protection based on appliances installed in the provider’s backbone is typically limited by the external connection and threatens network availability in the event of overload.
With cloud-based protection, an external scrubbing center is installed in front of the hosting infrastructure. In this arrangement, multi-stage and permanent analysis of data traffic enables anomalies to be detected, put into context, and then mitigated. Key technologies for this setup are automation including machine learning/ML, which allows for a customer-specific traffic profile to be created and refined to efficiently classify malicious and non-malicious traffic. In this way, the company’s data center infrastructure and connected customers are reliably protected in the event of an attack.
The decision to go with a cloud-based solution also contributes to long-term protection against DDoS attacks, as daily defenses allow IT security experts to identify new threats early on and integrate them into the scope of the solution. This helps to differentiate a hosting provider from their competition. In addition, it enables hosting providers to attract as customers companies that were previously not a target group due to their high-risk classification for DDoS attacks .
With his many years of sales expertise and in-depth knowledge of IT security, Michael Hempe manages sales activities in the German-speaking countries at Link11. He’s responsible for driving the IT security provider’s revenue growth strategy and providing strategic and operational elements for the sales and partner programs in Germany, Austria, and Switzerland. In addition, he oversees the Enterprise Sales division. Before joining Link11, Hempe served as a senior account manager for major accounts at Arbor Networks. Prior to that, he held sales roles at Juniper and Akamai Technologies.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.