September 14, 2021

Attackers continue to derive new attack patterns using the Bit-and-Piece, aka Carpet Bombing framework

Ever since their discovery in July 2018, bit-and-piece attacks have gone from strength to strength, and remain a real threat to Communications Service Providers (CSPs). Attackers are continuing to diversify their toolsets through the employment of a wide variety of attack vectors with bit-and-piece attacks to reach their goal of bringing down target networks and infrastructures.


Bit-and-piece attacks result from drip-feeding doses of junk traffic of negligible size into a large pool of IP addresses across hundreds of IP prefixes, which eventually saturates the target when the junk traffic starts to accumulate from different IPs, as illustrated in Figure 1.

bit-and-piece 202109-01

Fig 1 - Bit-and-piece attack with legitimate traffic


Early bit-and-piece attacks saw attackers employ amplification and UDP-based attacks to increase attack size and congest bandwidth.

In the second quarter of 2020, we observed that attackers opted for a more deceptive and stealthy approach, by utilizing a more elaborate practise of bit-and-piece attacks to launch a wider range of UDP-based attacks through the employment of a blend of attack vectors to flood target networks with traffic.


Key Observations

High Packet Rate Attacks

Observations based on our most recent attack analysis reveal that attackers are now hitting critical network devices (eg. routers) with large amounts of legitimate small-sized packets to generate high packet rates (increased volumes of packets per second - pps) to overwhelm network equipment. The maximum packets per second (pps) by IP Prefix /24 in 2021 has seen a substantial increase of 657% compared with 2020, as shown in Table 1. This tactic has been extremely effective given that when malicious traffic is concentrated on a single network device, it is much easier to exceed the maximum throughput and thus cause network outage, as illustrated in Figure 2. Furthermore, using relatively low traffic to penetrate networks increases the level of difficulty in filtering legitimate traffic from attack traffic.





Attack Size by IP Prefix /24










Attack Size by IP Prefix /24

(packets per second)










Table 1 - Bit-and-Piece Attack Size Summary between 2018 and 202

bit-and-piece 202109-02

Fig 2 - PPS attacks against critical network devices


Filterable and Non-Filterable Attack Vectors

We have observed that the continued advancement of bit-and-piece attacks has led to new attack patterns that leverage not only high packet per second (pps) or bit per second (bps) attack modes but also filterable and non-filterable attack vectors, that easily fly under the radar and effectively take down victim hosts as well as networks and infrastructures.



Bit-and-Piece Attacks





Exploited Weakness

Hijacking legitimate traffic

Hijacking legitimate traffic

Hijacking legitimate traffic

Attack Mode Dynamic

Bandwidth based attack (bps)

Bandwidth based attack (bps)

Bandwidth based attack (bps) and high packet rate attack (pps)

Possibility of Characterisation

Amplification attacks

UDP-based attack and Amplification attacks

TCP-based attacks, UDP-based attacks and Amplification attacks

Attack Vectors

Filterable: DNS amplification, SSDP amplification, CHARGEN amplification and NTP Amplification

Non-filterable: none

Filterable: DNS amplification, SSDP amplification, NTP amplification, CLDAP amplification, CHARGEN amplification, UDP attack

Non-filterable: none

Filterable: DNS amplification, SSDP amplification, NTP amplification, CLDAP amplification, CHARGEN amplification, UDP attack, MDNS amplification, ICMP, TCP SYN and TCP RST

Non-filterable: TCP ACK

Victim Type

Network and infrastructure

Network and infrastructure

Host, Network and Infrastructure


Table 2: Evolution of Bit-and-Piece Attacks


According to our findings, the 46-byte TCP ACK packet has become the most frequently used attack vector. 39.94% of bit-and-piece attacks utilize such packets, as shown in Table 3. The 46-byte TCP ACK packet is one of the smallest packets commonly seen on networks and is used in the TCP handshaking process, whether for TCP connection establishment or as a keepalive. Since these packets are seen as normal traffic, attack traffic hidden among such normal traffic is extremely difficult to detect, especially for signature-based detection methods.


Targeted ASNs: 84

Total No. of IP Prefixes (Class C) Under Attack: 1318


Attack Types

Targeted Geo-locations

TCP ACK Attack(39.94%)
UDP Fragmentation Attack(16.26%)
CLDAP Reflection Attack(11.93%)
NTP Amplification Attack(8.84%)
SSDP Amplifi1cation Attack(8.37%)
DNS Amplification Attack(6.23%)
UDP Attack(5.52%)
ICMP Attack(1.19%)
IP Fragmentation Attack(0.47%)
CHARGEN Attack(0.42%)
TCP SYN Attack(0.36%)
TCP Null Attack(0.30%)
TCP RST Attack(0.12%)
MDNS Amplification Attack(0.06%)


Austria, Bangladesh, Brazil, Chile, China, Czechia, Hong Kong, Seychelles, South Africa, Turkey, United Kingdom, United States


Table 3 - Summary of Bit-and-Piece Attacks


Recommendations to CSPs

Based on our recent attack analysis, we foresee that there will be a decrease in attack size with attackers opting to deploy non-filterable attack vectors to attack more IP prefixes. This will seriously undermine traditional threshold and signature-based detection methods, given that CSPs now need to detect smaller and more complex attack traffic patterns among large volumes of legitimate traffic.


While Nexusguard’s solution ensures that end-users are protected from DDoS attacks, the ongoing evolution of bit-and-piece attacks should alert CSPs to the importance and need to enhance their cyber resiliency, and employ more effective ways to protect their critical infrastructure and networks.  


Deploying big data and AI methods would be an effective solution for mitigating increasingly complex bit-and-piece attacks. Big data analysis and deep learning-based methods are extremely proficient in learning and analyzing network traffic patterns, overcoming the inefficiencies associated with threshold and signature-based detection methods. Owing to their speed and precision in scrutinizing large amounts of CSP traffic data, malicious attack patterns can be detected well before they can be exploited.


Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.