What is DDoS Carpet-Bombing?
DDoS carpet-bombing is an attack pattern where traffic is spread across a wide range of IP addresses within a target network, instead of focusing on a single host. The attacker typically targets an entire subnet or multiple adjacent subnets, sending moderate volumes of traffic to many addresses at once.
The goal is to overwhelm shared infrastructure such as routers, firewalls, or upstream links. Even if each individual IP receives only a small amount of traffic, the aggregate load can saturate bandwidth or exhaust stateful devices. This makes the attack effective against networks that rely on centralized filtering or rate limiting.
Carpet-bombing is often used to bypass traditional defenses that trigger on high traffic to a single endpoint. By distributing the load, the attack can remain under per-IP thresholds while still degrading service across the network.
Editor’s note: This article has been updated to include targets of DDoS carpet bombing, more detailed mitigation guidelines, and recent attack trends as of 2026.
Carpet-Bombing vs. Traditional DDoS
Traditional DDoS attacks concentrate traffic on a single IP address, domain, or service. This creates a clear hotspot that defenders can detect and mitigate using techniques like rate limiting, traffic scrubbing, or IP-based filtering. Mitigation tools are optimized for this pattern.
Carpet-bombing changes the problem by removing the hotspot. Traffic is spread thinly across many targets, which makes per-IP defenses less effective. Detection becomes harder because no single destination appears to be under heavy attack, even though the network as a whole is under stress.
Another key difference is the impact surface. Traditional attacks aim to take down a specific service, while carpet-bombing targets the network layer. It can disrupt multiple services at once by overwhelming shared resources, even if those services are individually well-protected.
How Does DDoS Carpet-Bombing Work?
What makes DDoS carpet-bombing a distinct attack vector is that it hits many targets at the same time, unlike conventional DDoS attacks that usually hit one, or several, targets to take down a service or application. Here are three elements that help identify a carpet-bombing attack.
1. Botnet Recruitment:
Attackers recruit a massive number of compromised devices, including computers, servers, routers and IoT devices, without the owners' knowledge. These devices are then aggregated into a botnet.
2. Attack Execution:
Once the botnet is recruited, the attacker will most likely hold off on the attack command because they assume that the target has a mitigation solution. The attacker will then send a scattered attack, as opposed to sending to individual destination IPs, to try to measure the configured thresholds; they’re looking for what can and cannot be breached. Ultimately, they’re looking for the sweet spot just below the configured rate threshold. Once this is found, the attacker will back off or maybe sustain it for a period of time (hours to days) to understand whether they were spotted and blocklisted.
Now for the strike command. The attacker initiates the same volume of malicious traffic, this time bombarding the entire subnet(s) or CIDR(s) (thousands of destination IPs) at the same time. Because the traffic stays below the threshold, all attacked servers try to respond, which creates an overwhelming flood that causes internal services, including the mitigation device, to suffer. This flood of traffic overwhelms the target's network infrastructure, rendering online services inaccessible.
3. Multi-Vector Approach:
DDoS carpet-bombing employs multiple attack vectors, including volumetric attacks (flooding the network with excessive traffic), application-layer attacks (targeting specific applications or services) and protocol attacks (exploiting vulnerabilities in networking protocols). This multifaceted approach maximizes the chances of success.
Consequences of DDoS Carpet-Bombing
Protecting against carpet-bombing DDoS attacks is more difficult than protecting against a focused attack, simply because most DDoS vendors mitigate against individual IPs and not subnets and networks. Therefore, the spotlight of detection and mitigation is on individual IPs rather than networks.
1. Service Disruption: Organizations targeted by DDoS carpet-bombing experience significant service disruptions, leading to financial losses, tarnished reputations and customer dissatisfaction. The unavailability of critical services can cause severe operational challenges.
2. Collateral Damage: Since DDoS carpet-bombing simultaneously targets multiple entities, collateral damage is a common occurrence. Even if a target manages to mitigate the attack, the sheer volume of malicious traffic affects the broader infrastructure, causing slowdowns or outages for other users and services.
Common Targets of DDoS Carpet-Bombing
Frequent targets of carpet-bombing campaigns include:
Internet service providers (ISPs) and large enterprise networks: These environments use shared infrastructure to serve many customers or services. By spreading traffic across entire IP ranges, attackers can overload aggregation routers and upstream links, causing widespread disruption.
Cloud service providers and hosting platforms: Even though they have strong per-instance protections, their underlying network fabric can still be stressed. Carpet-bombing can impact multiple tenants at once, especially if they share the same virtual network or availability zone.
Content delivery networks (CDNs) and edge networks: While CDNs are designed to absorb large volumes of traffic, a distributed attack across many edge nodes or IP ranges can create uneven load and strain regional capacity.
Large attack surfaces: Organizations with large public IP ranges, such as financial institutions or SaaS providers, are particularly exposed. Attackers can target unused or low-traffic IPs within the range to bypass detection, while still consuming bandwidth and processing capacity across the network.
Critical infrastructure networks and telecom providers: These are high-value targets. Disrupting their network layer can impact downstream customers and dependent services, amplifying the overall effect of the attack.
Recent Trends in DDoS Carpet-Bombing
DDoS carpet-bombing is becoming more adaptive, harder to detect and more commonly combined with other DDoS methods. Instead of relying only on massive traffic spikes, attackers increasingly use “low-and-wide” traffic patterns that spread across many IPs while staying below per-IP detection thresholds:
Growth in subnet-wide attacks: Recent reports show that attackers are increasingly targeting entire network blocks rather than single IP addresses. FastNetMon notes that carpet-bombing is gaining traction because it is harder to detect and block, especially for ISPs and carriers that manage large IP ranges.
Low-volume traffic per IP: A key trend is the use of smaller traffic volumes against each individual destination. This helps attackers avoid defenses that trigger only when one IP receives unusually high traffic. Many recent attacks remained low in bandwidth, with nearly 73% falling between 0 and 0.5 Gbps.
More multi-vector campaigns: Carpet-bombing is increasingly combined with DNS amplification, TCP floods, UDP floods and other attack types. Several reports show the number of carpet-bombing attacks trending upwards, while attackers use multiple vectors to complicate detection and mitigation.
Pressure on service providers and shared infrastructure: The method is especially dangerous for ISPs, carriers, cloud networks and hosting providers because it stresses shared systems such as edge routers, firewalls and scrubbing centers. Telecom, service providers and carriers were among the most targeted sectors.
Best Practices for Mitigating DDoS Carpet-Bombing
Here are some of the ways that organizations can shield themselves from DDoS carpet-bombing attacks.
1. Use Always-On or On-Demand DDoS Scrubbing
Route inbound traffic through a scrubbing provider that can analyze traffic at the network edge before it reaches your infrastructure. Always-on scrubbing removes the delay of traffic diversion, which is critical because carpet-bombing attacks often ramp up quickly across many IPs. On-demand scrubbing can still be effective if paired with fast detection and automated routing. However, delays of even a few minutes can allow the attack to saturate links or overwhelm stateful devices. Evaluate whether your risk profile justifies continuous protection. Ensure the provider supports prefix-level visibility and mitigation. The key requirement is the ability to correlate low-rate traffic across many IPs and apply controls at the network level, not just per destination.
2. Automate Detection and Traffic Diversion
Deploy flow telemetry such as NetFlow, sFlow, or IPFIX to build a real-time view of traffic distribution. Carpet-bombing often appears as a spike in the number of targeted IPs rather than a spike in volume to a single host. Detection logic should focus on patterns like uniform packet rates across a CIDR block, increased connection attempts across many destinations, or abnormal growth in flow counts. These signals are more reliable than simple bandwidth thresholds. Tie detection systems to automated response mechanisms. BGP FlowSpec can filter malicious patterns upstream, while RTBH can drop traffic to affected ranges when necessary. Automation reduces response time and limits human error during fast-moving events.
3. Tune Thresholds for Low-and-Wide Patterns
Move beyond per-IP thresholds and define limits at multiple aggregation levels, such as subnet, service, or region. Monitor metrics like total packets per second across a prefix, concurrent connections on shared devices, and SYN backlog growth. Establish baselines for normal traffic distribution. For example, how many IPs are typically active within a subnet, and how evenly traffic is distributed. Carpet-bombing deviates from these patterns by activating many low-traffic destinations at once. Use adaptive or dynamic thresholds where possible. Static thresholds are easy for attackers to probe and bypass, especially during the reconnaissance phase described earlier.
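The detection signals from practices 2 and 3 can be combined in one check over flow summaries. The following is an added example, not Radware's code or part of the original article: the thresholds, baselines, function names and sample flows are all assumed or constructed, and the input stands in for per-interval data exported from NetFlow, sFlow or IPFIX.

```python
import ipaddress
import math
from collections import defaultdict

# All thresholds and baselines are assumed values for illustration only.
PER_IP_PPS = 10_000     # classic per-destination alert threshold
PREFIX_PPS = 200_000    # aggregate threshold for one /24
ACTIVE_FACTOR = 3.0     # active-host count vs. baseline that counts as abnormal
MIN_EVENNESS = 0.9      # normalized entropy; 1.0 means perfectly uniform spread

def analyze(flows, baseline_active, prefix_len=24):
    """flows: (dst_ip, pps) pairs for one interval -> {prefix: verdict}."""
    per_prefix = defaultdict(lambda: defaultdict(int))
    for dst, pps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[str(net)][dst] += pps
    results = {}
    for prefix, hosts in per_prefix.items():
        total, active = sum(hosts.values()), len(hosts)
        if total == 0:
            continue
        # Shannon entropy of each host's traffic share, normalized to [0, 1].
        shares = [v / total for v in hosts.values() if v]
        entropy = -sum(s * math.log2(s) for s in shares)
        evenness = entropy / math.log2(active) if active > 1 else 0.0
        hot_ips = sorted(ip for ip, v in hosts.items() if v > PER_IP_PPS)
        low_and_wide = (not hot_ips
                        and total > PREFIX_PPS
                        and active > ACTIVE_FACTOR * baseline_active.get(prefix, 1)
                        and evenness >= MIN_EVENNESS)
        results[prefix] = {"total_pps": total, "active_hosts": active,
                           "evenness": round(evenness, 3), "hot_ips": hot_ips,
                           "carpet_bombing": low_and_wide}
    return results

def sample_flows():
    """Constructed flow summary (documentation address ranges)."""
    flows = [(f"203.0.113.{i}", 1_000) for i in range(1, 251)]   # low and wide
    flows += [("198.51.100.10", 50_000)]                          # single hotspot
    flows += [(f"198.51.100.{i}", 200) for i in range(20, 40)]
    flows += [(f"192.0.2.{i}", 500) for i in range(1, 31)]        # normal load
    return flows

BASELINE = {"203.0.113.0/24": 40, "198.51.100.0/24": 25, "192.0.2.0/24": 30}

if __name__ == "__main__":
    for prefix, verdict in analyze(sample_flows(), BASELINE).items():
        print(prefix, verdict)
```

In the sample, the first prefix never trips the per-IP threshold yet is flagged on aggregate rate, active-host count and evenness, while the second is an ordinary hotspot that per-IP defenses already catch.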
4. Maintain an Incident Response Playbook
Create a documented process that outlines roles, responsibilities, and technical steps during an attack. This should include detection validation, escalation paths, traffic diversion procedures, and communication with providers. Include pre-approved actions for different severity levels. For example, when to trigger full traffic scrubbing, when to apply subnet-level filtering, and when to temporarily sacrifice non-critical services to preserve core functionality. Regularly test the playbook with drills that simulate carpet-bombing conditions. Focus on timing, coordination, and the accuracy of detection signals. Post-incident reviews should feed back into improving both tooling and procedures.
5. Segment Critical Services
Design the network so that critical services are not concentrated within a single subnet or dependent on the same network path. Distribute workloads across multiple prefixes, availability zones, or even providers. Segmentation reduces the blast radius of a carpet-bombing attack. If one subnet becomes saturated, other segments can continue operating, preserving partial service availability. Combine segmentation with access controls and traffic shaping between segments. This prevents internal congestion from cascading across the entire environment when one area is under stress.
6. Review Provider SLAs and Mitigation Coverage
Assess whether your upstream providers and cloud platforms can handle distributed attacks at the subnet level. Many SLAs focus on uptime but do not clearly define DDoS detection and mitigation capabilities. Look for guarantees around detection speed, mitigation capacity, and response times for large-scale events. Confirm whether protections apply to entire IP ranges or only to individual endpoints. Request visibility into mitigation actions, such as logs, flow data, or dashboards. During a carpet-bombing attack, this data is essential for understanding what is being blocked, what is getting through, and whether additional actions are needed.
Conclusion
The threat of DDoS carpet-bombing continues to grow, in part because these attacks stay below mitigation thresholds. These highly distributed attacks against large portions of the victim's network, such as subnets/CIDRs, are devastating if they are not detected and mitigated.
Carpet-bombing attacks, used by sophisticated hackers or hacktivist groups, are a common attack vector whose use increases year over year.
Organizations, small to large, must take the necessary steps to protect themselves. By implementing an innovative detection mechanism, taking a multi-layered approach to protection and using a robust mitigation platform, organizations will be ready for the next carpet-bombing knocking on their roof.
For More Information
To safeguard your infrastructure against carpet-bombing attacks, leverage Radware’s advanced DDoS mitigation solutions. DefensePro, combined with flexible inline and cloud deployments, directly addresses the challenges outlined above and provides powerful, enterprise-grade protection against large-scale, distributed threats.
To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, read the complete analyst report.