September 6, 2023

Detecting and Mitigating the increasing Threat of Bit-and-Piece Attacks, AKA Carpet Bombing Attacks


In Q3 2018, Nexusguard Research Team identified a sophisticated and stealthy Distributed Denial of Service (DDoS) attack method, known as a Bit-and-Piece attack, also commonly known as a Carpet Bombing attack. These attacks target Autonomous System Number (ASN)-level Communications Service Provider (CSP) networks by distributing small amounts of junk traffic across a vast range of IP addresses spanning hundreds of IP prefixes. Designed to evade detection, the convergence of polluted traffic towards the target IP prefix results in a massive traffic flow that can overwhelm conventional mitigation devices and lead to severe latency or complete deadlock.

As Bit-and-Piece attacks continue to increase in frequency, it's critical for organizations to understand their potential impact. In this article, we'll provide a comprehensive breakdown of what these attacks entail, why they're challenging to defend against, and actionable steps you can take to safeguard your network.


Fig 1 - Bit-and-piece attack interspersed with legitimate traffic
Figure 1 - Bit-and-piece attack interspersed with legitimate traffic 

What are Bit-and-Piece Attacks, and the Threats they Pose?

Bit-and-Piece attacks differ from traditional DDoS attacks in that they distribute traffic in a different manner. Rather than targeting a single IP address, these attacks distribute lower volume packet floods across multiple destination IP addresses within the victim's network. While each flood may be small, the cumulative effect can still result in a significant volumetric attack, causing major disruption to the network.

Defending against Bit-and-Piece attacks is a significant challenge for cybersecurity professionals, as these attacks can bypass traditional per-IP detection and mitigation systems, posing a number of threats to their targets. These threats include:

How Bit-and-Piece Attacks Evade Detection

DDoS attacks of all types can cause significant disruptions to websites and online services, leading to extended downtime, latency, slow response times, and other issues. However, a Bit-and-Piece attack poses a unique threat since it can easily go undetected by traditional DDoS protection solutions. These attacks involve very low volumes of traffic per IP address, making it challenging for many legacy detection systems to recognize the signs of an attack.

The primary reason for this is that most legacy detection systems rely on thresholds to determine acceptable traffic levels to an individual destination IP address. Bit-and-Piece attacks typically fall well below these thresholds, making it extremely difficult to detect them. This is also true for intermediate provider networks that may unwittingly transport DDoS traffic to the target.

Distributing a DDoS attack across multiple destination IP addresses enables perpetrators to evade or deceive legacy mitigation solutions. This is due to the fact that, even if traffic on a few IP addresses is identified, the majority of malicious traffic can still pass through undetected.


Defending Your Network Against Bit-and-Piece Attacks:
The Nexusguard Solution

Bit-and-Piece attacks are complex and can pose an especially daunting challenge for traditional threshold-based detection and mitigation solutions. To limit or prevent the impact caused by these attacks on their networks, organizations are advised to explore DDoS protection solutions that take a holistic approach, and employ a variety of detection mechanisms and intelligently orchestrate multiple methods of mitigation.

Nexusguard's Origin Protection is one such purpose-built solution for safeguarding large networks against complex L3/L4 attacks. Developed specifically for telcos and CSPs, Origin Protection enables organizations to leverage Nexusguard's globally distributed infrastructure as an off-site sandbox for traffic analysis, shaping, and attack mitigation.

Moreover, the multi-layered detection and mitigation engine of Origin Protection utilizes Network Behavior Analysis (NBA) to thoroughly analyze traffic data, detect anomalies, and alert the CSP to redirect traffic to Nexusguard's scrubbing cloud. As a result, only clean traffic is sent back to the origin server, ensuring maximum protection against potential threats.


Figure 2 - Nexusguard Origin Protection 

Benefits of Nexusguard Origin Protection

To gain a deeper understanding of how to counter the threat from Bit-and-Piece attacks, read about Nexusguard's Origin Protection, or click here to talk with one of our experts.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.