A lesson in carpet bombing and sophisticated resource management

Sometimes attacks on the internet appear to be precision strikes: small groups with clear goals, focused on a single victim. And sometimes an attack is more like a wildfire: random and unstoppable. The attack we investigated this month falls into neither category. It was a mixture of brute force, technical sophistication and a wealth of resources that left even seasoned security experts scratching their heads.
First impression: the attacker appeared to have unlimited resources at his command. Multiple targets were attacked simultaneously. The scale of the attack was reminiscent of classic “carpet bombing” tactics: a large-scale bombardment of all accessible targets. Instead of exploiting individual vulnerabilities, the attacker relied on mass – massive traffic on dozens of endpoints simultaneously.
What was most striking about this attack was the targeted adaptation of tactics.
The attacker first launched a classic UDP-based DDoS attack. UDP (User Datagram Protocol) is popular with attackers because it can generate very high bandwidths in a resource-efficient and cost-effective manner. Without the need for complex handshakes or connection checks, large amounts of traffic can be generated quickly – perfect for massively overloading networks with relatively little effort.
However, as the attack progressed, it became clear that this method had its limitations. Link11’s protection mechanisms were able to effectively block the UDP traffic. The attacker seems to have realized this and reacted flexibly: At the same time as the first peak in UDP volume was reached, the UDP traffic was drastically reduced, and massive TCP traffic was built up instead.
TCP-based attacks are more complex and resource-intensive for both the attacker and the defender. Unlike UDP, TCP requires real session management (e.g., establishing and maintaining connections using a 3-way handshake), which significantly increases the load on network devices and protection infrastructures. While a UDP attack tends to follow the principle of “quantity over quality” (large amounts of junk data, cheap and fast to produce), a TCP attack means “targeted overload through complexity”.
In the specific attack, it was observed that TCP traffic increased in parallel with a massive decrease in UDP traffic, reaching new peaks within a short period of time. Peaks of over 500 Gbps TCP and an additional 700 Gbps UDP made the attack a serious challenge even for robust infrastructures.
Another technical detail that makes this attack unique is that most of the packets were between 450 and 600 bytes in size.
This size does not fit the typical pattern of either particularly small flooding attacks (a large number of small packets) or large fragmentation attacks (highly fragmented, very large packets).
Why this size? This is not entirely clear. Two possible explanations
In any case, the choice of packet size shows that this attack was professionally prepared on a technical level.
The geographic distribution of the attack was also impressive: The traffic was orchestrated globally – from Los Angeles to Frankfurt and Singapore to New York and London. Attacks were seen at virtually every connected point of presence (PoP) in the world, indicating a professional approach and a high level of control on the part of the attackers. It also suggests that a large, decentralized botnet of compromised endpoints was the basis for this attack.
Another indication of the professional organization of the attack is the number of systems involved: over 41,000 unique IP addresses were counted in a 25-minute section alone. And that was just a small part of the entire attack campaign, which lasted several days.
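As an added illustration (not code from Link11 or from the original post), the following Python sketch shows how a defender could surface the three signals described above in flow records: the UDP-to-TCP pivot between consecutive time windows, the share of packets in the 450–600 byte band, and the number of unique source addresses per window. The record layout, the 60-second window and the sample data are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records, NOT data from the incident on the page:
# (timestamp_s, proto, src_ip, pkt_len). Window 0 is a UDP flood from
# 300 sources; window 1 cuts UDP back and builds TCP from 400 sources.
def build_sample():
    recs = []
    for i in range(300):
        recs.append((i % 60, "udp", f"10.0.{i // 256}.{i % 256}", 500 + i % 100))
    for i in range(20):
        recs.append((i % 60, "tcp", f"192.0.2.{i}", 60))
    for i in range(30):
        recs.append((60 + i % 60, "udp", f"10.0.0.{i}", 500))
    for i in range(400):
        recs.append((60 + i % 60, "tcp", f"10.1.{i // 256}.{i % 256}", 480 + i % 120))
    return recs

def summarize_windows(records, window_s=60, band=(450, 600)):
    """Per window: bytes by protocol, unique sources, share of packets in the size band."""
    wins = defaultdict(lambda: {"udp": 0, "tcp": 0, "pkts": 0, "band": 0, "srcs": set()})
    for ts, proto, src, length in records:
        w = wins[int(ts) // window_s]
        w[proto] += length
        w["pkts"] += 1
        if band[0] <= length <= band[1]:
            w["band"] += 1
        w["srcs"].add(src)
    return {idx: {"udp_bytes": w["udp"], "tcp_bytes": w["tcp"],
                  "unique_src": len(w["srcs"]), "band_share": w["band"] / w["pkts"]}
            for idx, w in sorted(wins.items())}

def detect_protocol_shift(summary, factor=3.0):
    """Flag windows where TCP bytes grow by >= factor while UDP bytes shrink by
    >= factor versus the previous window: the UDP-to-TCP pivot the post describes."""
    flagged = []
    idxs = sorted(summary)
    for prev, cur in zip(idxs, idxs[1:]):
        p, c = summary[prev], summary[cur]
        tcp_up = c["tcp_bytes"] >= factor * max(p["tcp_bytes"], 1)
        udp_down = c["udp_bytes"] * factor <= p["udp_bytes"]
        if tcp_up and udp_down:
            flagged.append(cur)
    return flagged

if __name__ == "__main__":
    s = summarize_windows(build_sample())
    for idx, row in s.items():
        print(idx, row)
    print("protocol shift in windows:", detect_protocol_shift(s))
```

On the constructed data, window 1 is flagged as the pivot and both windows show a high share of 450–600 byte packets; on real flow exports the same per-window summary would feed alerting thresholds.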
The attack does not appear to be the work of amateurs, but rather a professional, probably commercial infrastructure – possibly a DDoS stresser service where capacity can be purchased.
The fact that the attacker tried different tactics and adapted his methods during the series of attacks – from changing the protocol to sophisticated control of packet sizes – suggests that expertise, resources and clear goals were at work.
This attack was not only exceptional in terms of its size and international distribution. It also demonstrated a new quality: the ability to adapt tactics in real time, exploit vulnerabilities, and deploy a global botnet with high efficiency.
For cyber defense, this means: DDoS attacks are constantly evolving – as are the attackers’ tactics. Effective protection requires more than traditional defenses: it requires automated, adaptive, and AI-powered security technologies.
Want to know how resilient your infrastructure really is?
Get free and confidential advice from our experts.