Junchen Pan (Tsinghua University), Lei Zhang (Zhongguancun Laboratory), Xiaoyong Si (Tencent Technology (Shenzhen)), Jie Zhang (Tsinghua University), Xinggong Zhang (Peking University), Yong Cui (Tsinghua University)
Carpet bombing attack, a growingly prevalent variant of Distributed Denial of Service (DDoS), floods multiple servers in the victim network simultaneously, minimizing per-flow malicious traffic throughput to evade detection. The aggregated malicious traffic overwhelms network access points (e.g., gateways), causing a denial of service. Moreover, advanced attackers employ application-layer attack methods to generate malicious traffic inconspicuous in both semantic and traffic volume, failing existing DDoS detection mechanisms. We propose NetRadar, a DDoS detector that achieves accurate and robust carpet bombing detection. Leveraging a server-gateway cooperation architecture, NetRadar aggregates both traffic and server-side features collected across the victim network and performs cross-server analysis to locate victim servers. To enable server-assisted carpet bombing detection, a general server-side feature set compatible with diverse services is introduced, alongside a robust model training method designed to handle runtime feature mismatch issues. Furthermore, an efficient cross-server inbound traffic analysis method is proposed to effectively exploit the similarity of carpet bombing traffic while reducing computational overhead. Evaluations on real-world and simulated datasets demonstrate that NetRadar achieves better detection performance than state-of-the-art solutions, achieving over 94% accuracy in all carpet bombing detection scenarios.