News of a South African ISP's two-day outage set the industry abuzz last month, highlighting the need for improved distributed denial-of-service (DDoS) attack mitigation. Through a carpet-bombing attack, unknown threat actors brought down Cool Ideas' network, effectively cutting its connection to other ISPs. The attackers sent junk traffic to connected IP addresses until the ISP's border routers crashed.
Carpet-bombing attacks are believed to be growing more common because cheap DDoS-for-hire services are readily available, which means anyone can rent a botnet to disrupt a target's network operations. The spread of the Internet of Things (IoT) is another likely factor: most IoT devices are insufficiently protected against hostile takeover, which turns them into bots.
The Anatomy of a Carpet-Bombing Attack
Carpet-bombing attacks work because the malicious traffic any single destination receives is too low in volume to be detected. DDoS mitigation solutions typically rely on a per-target baseline to determine what counts as a traffic anomaly, and carpet-bombing traffic slides right below that baseline.
Carpet bombers exploit vulnerabilities in unpatched or misconfigured Domain Name System (DNS) and Connectionless Lightweight Directory Access Protocol (CLDAP) servers, using them to reflect and amplify traffic. Instead of directing that traffic at one particular system or server, the attackers spread it across many randomly chosen systems at once so that it stays under the radar of DDoS mitigation solutions.
Why ISPs Are at Risk
ISPs are ripe targets for carpet bombers because most fail to address vulnerabilities in their systems. Some lack even rudimentary DDoS mitigation solutions, while others likely use outdated tools. As such, they are susceptible not only to carpet-bombing attacks but also to age-old flooding attacks such as SYN floods. The following list recaps previous attacks seen against ISPs:
But does that mean that ISPs are helpless against carpet bombing? While blackholing may not be an option for mitigating such an attack, network engineers can employ other countermeasures.
Carpet-Bombing Attack Mitigation
As first aid against carpet bombing, ISPs can filter traffic from the harmful source ports by blocking those ports in their access control lists (ACLs). The attack traffic can also be rerouted to a DDoS defense system, although this requires extra care: ISPs cannot simply throttle traffic, as they are legally bound not to disrupt their customers' connections.
Meanwhile, to prevent further attacks, ISPs may find it in their best interest to upgrade their DDoS systems. They should also implement tools that precisely track and analyze traffic volumes between network borders on a regular basis. While the traffic volume patterns arising from amplification attacks are irregular, they may still prove indispensable for analysis.
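As an added illustration (not code from the article or from any ISP), the following Python sketch shows the blind spot described above and the per-prefix aggregation an ISP's traffic-tracking tools could add. The flow records are constructed: every destination host stays under a per-host threshold, but the /24 as a whole is saturated by traffic reflected from DNS (53) and CLDAP (389) source ports. The thresholds and the port list are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source ports of the reflection services named in the article (DNS, CLDAP).
# Assumption: only these two amplifier services are considered here.
AMPLIFIER_PORTS = {53, 389}

# Constructed flow records for one measurement interval:
# (src_ip, src_port, dst_ip, bytes). The reflected traffic is spread over
# 100 hosts so that no single /32 looks abnormal.
FLOWS = (
    [("203.0.113.10", 53, f"198.51.100.{i}", 900_000) for i in range(1, 101)]
    + [("203.0.113.11", 389, f"198.51.100.{i}", 900_000) for i in range(1, 101)]
    + [("192.0.2.5", 443, "198.51.100.200", 2_000_000)]  # ordinary web traffic
)


def per_host_alerts(flows, per_host_limit):
    """The conventional check: list destination hosts whose inbound bytes
    exceed the per-host baseline. Carpet bombing stays below it."""
    totals = defaultdict(int)
    for _src_ip, _src_port, dst_ip, nbytes in flows:
        totals[dst_ip] += nbytes
    return sorted(h for h, b in totals.items() if b > per_host_limit)


def detect_carpet_bombing(flows, per_host_limit, per_prefix_limit, prefix_len=24):
    """Aggregate inbound bytes per destination prefix instead of per host.
    Returns, for each prefix over the aggregate limit, the total, the number
    of distinct targets, the largest single-host volume (to show it sits
    under the per-host limit) and the share coming from amplifier ports."""
    per_host = defaultdict(int)
    per_prefix = defaultdict(int)
    amp_bytes = defaultdict(int)
    for _src_ip, src_port, dst_ip, nbytes in flows:
        net = ip_network(f"{dst_ip}/{prefix_len}", strict=False)
        per_host[dst_ip] += nbytes
        per_prefix[net] += nbytes
        if src_port in AMPLIFIER_PORTS:
            amp_bytes[net] += nbytes
    report = {}
    for net, total in per_prefix.items():
        if total <= per_prefix_limit:
            continue
        hosts = [h for h in per_host if ip_address(h) in net]
        report[str(net)] = {
            "total_bytes": total,
            "targets": len(hosts),
            "max_host_bytes": max(per_host[h] for h in hosts),
            "under_host_limit": all(per_host[h] <= per_host_limit for h in hosts),
            "amplifier_share": round(amp_bytes[net] / total, 2),
        }
    return report
```

Running `per_host_alerts(FLOWS, 5_000_000)` returns nothing, while `detect_carpet_bombing(FLOWS, 5_000_000, 50_000_000)` flags 198.51.100.0/24 with 101 targets and roughly 99% of its bytes arriving from amplifier ports.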
How Reliable Threat Intelligence Can Help
Advanced threat intelligence sources that collect data from WHOIS records, threat databases, and other feeds provide an extra layer of defense against carpet-bombing and other DDoS amplification attacks. These solutions aggregate and analyze data from a wide range of sources to give security professionals the contextual awareness needed to identify attack origins. Using near-real-time threat intelligence allows high-impact targets like ISPs to:
* * *
Even the best DDoS mitigation solutions have a blind spot. As such, it only makes sense for ISPs to enhance their tools with as much timely and reliable threat intelligence as possible. By preventing malicious entities from gaining access to their networks, ISPs can avoid becoming victims of carpet-bombing attacks that can cause massive disruption to their operations.