DDoS Carpet-Bombing – Coming In Fast And Brutal

In recent years, distributed denial of service (DDoS) attacks have become more frequent and sophisticated. Attackers continue to find new ways to flood target networks with massive-scale attacks that grow exponentially and use different attack techniques. Carpet-bombing is one of those destructive technics. It is a major concern for enterprises and service providers worldwide and DDoS vendors must handle this distributed and overwhelming attack technique.

The impact of DDoS carpet-bombing attacks can be devastating to an organization — they cause extended downtime to large parts of the network and inflict financial losses and reputational damage. That’s why it’s critical that organizations are prepared to detect and mitigate these vicious attacks with a state-of-the-art mitigation solution.

Understanding DDoS Carpet-Bombing Techniques

DDoS attacks are designed to overwhelm the target’s resources, making their services inaccessible to legitimate users. carpet-bombing takes the traditional DDoS attack to a whole new level by leveraging a vast botnet network to orchestrate simultaneous attacks on multiple targets. The sheer scale and complexity of this approach make it particularly challenging to defend against.

How Does DDoS Carpet-Bombing Work?

What makes the DDoS carpet-bombing a special attack vector is the fact it is targeting multiple targets at the same time, unlike conventional DDoS attacks that usually hit one, or several, targets to take down a service or application. Here are three elements that help identify a carpet-bombing attack.

1. Botnet Recruitment:

Attackers recruit a massive number of compromised devices, including computers, servers, routers and IoT devices, without the owners’ knowledge. These devices are then aggregated into a botnet.

2. Attack Execution:

Once the botnet is recruited, the attacker will most likely stand down and wait with the attack command because they assume that the target has a mitigation solution. The attacker will then send a scattered attack, as opposed to sending to individual destination IPs, to try and measure the configured thresholds; they’re looking for what can and cannot be breached. Ultimately, they’re looking for that sweet spot that is just below the configured rate threshold. Once this is found, the attacker will back off or maybe sustain it for a period of time (hours to days) to understand if they were spotted and blocklisted.

Now for the strike command. The attacker initiates the same volume of malicious traffic, this time bombarding the entire subnet(s) or CIDR/s (thousands of destination IPs) at the same time. By staying below the threshold, all attacked servers try to respond, which creates an overwhelming flood that will cause internal services, including the mitigation device, to suffer This flood of traffic overwhelms the target’s network infrastructure, rendering online services inaccessible.

3. Multi-Vector Approach:

DDoS carpet-bombing employs multiple attack vectors, including volumetric attacks (flooding the network with excessive traffic), application-layer attacks (targeting specific applications or services) and protocol attacks (exploiting vulnerabilities in networking protocols). This multifaceted approach maximizes the chances of success.

Consequences of DDoS Carpet-Bombing:

Protecting against carpet-bombing DDoS attacks is more difficult than protecting a focused attack, simply because most DDoS vendors mitigate against individual IPs and not subnets and networks. Therefore, the spotlight of detection and mitigation is on individual IPs rather than networks.

1. Service Disruption: Organizations targeted by DDoS carpet-bombing experience significant service disruptions, leading to financial losses, tarnished reputations and customer dissatisfaction. The unavailability of critical services can cause severe operational challenges.

2. Collateral Damage: Since DDoS carpet-bombing simultaneously targets multiple entities, collateral damage is a common occurrence. Even if a target manages to mitigate the attack, the sheer volume of malicious traffic affects the broader infrastructure, causing slowdowns or outages for other users and services.

Preventive Measures:

1. Proactive Network Monitoring: Data is power, and you’ll need a DDoS detector and mitigator that displays network monitoring in peacetime and capable of detecting abnormal traffic patterns and identifying potential DDoS attacks in real-time. Early detection enables rapid response. The next step is to have an automatic mitigation counteraction.

2. Scalable Bandwidth and Infrastructure: Organizations should ensure their network infrastructure can handle unexpected spikes in traffic. Investing in scalable bandwidth, load balancers and a strong detection and mitigation device which will handle the high-scale attack and ensure service availability.

3. DDoS Mitigation Services: Engaging with a reputable DDoS mitigation service provider is crucial. These services employ advanced traffic filtering techniques and have the expertise to handle large-scale attacks. A leading DDoS vendor solution should identify and block malicious traffic, ensuring legitimate requests reach their intended destinations. This keeps the attack traffic out.

Just recently, Radware Cloud Services successfully mitigated a very large carpet-bombing campaign that targeted several enterprises and service providers simultaneously. It was a global attack campaign that focused on TCP reflection of large subnets and CIDRs as the main attack vector.

The attack method used a large subnet/CIDR to reflect a flood of SYN-ACK packets at the target victims with a scale of over 300Gbps floods. The attacks were blocked immediately with several mitigation techniques. Non-protected organizations experienced slowdowns or downtimes.

Carpet-Bombing = collateral damage to non-protected organizations.


The threat of a DDoS carpet-bombing continues to grow in part because they stay below mitigation thresholds. These highly distributed attacks against large portions of the victim’s network, such as subnets/CIDRs, are highly devastating if they are not detected and mitigated.

Carpet-bombing attacks used by sophisticated hackers or hacktivism groups are a common attack vector that increases year over year.

Organizations, small to large, must take the necessary steps to protect themselves. By implementing an innovative detection mechanism, having a multi-layered approach protection and using a robust mitigation platform, organizations will be ready for the next carpet-bombing knocking on their roof.

For More Information

If you need to stay protected from carpet-bombing attacks, check out Radware’s latest DDoS mitigation solution HERE. Radware’s Defense Pro inline and cloud solutions perfectly address the requirements covered above. It is the most powerful and capable mitigation service on the market.

To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.

Itay Raviv

Itay Raviv is a product manager in Radware’s network security group. With a passion for staying ahead of the ever-evolving threat landscape, he has dedicated his career to developing and launching innovative security solutions that protect organizations of all sizes from cyber-attacks. Itay has been successful at delivering products that meet the needs of customers across all industries. He holds a B.Sc. degree in Computer Science. Prior to joining Radware, he managed IBM high-end storage systems for performance and interoperability. In his current role as Security Product Manager at Radware, he works closely with cross-functional teams to bring cutting-edge security products to market, keeping customers safe from DDoS attacks.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center