






















25 Ips, one subnet, 40 minutes, and your per-IP rate limiter didn’t see a thing
At 07:35 UTC on April 28, 2026, a regional ISP in South Asia started taking fire. Not the kind of fire that trips alarms. No single IP experienced a traffic spike dramatic enough to cross a typical per-IP detection threshold. But something far more deliberate was underway.
Over the next 40 minutes, we watched through A10 Defend Threat Control as attackers systematically walked through more than 25 distinct IP addresses within a single /24 subnet, hitting each one with high-complexity NTP amplification. A new target every 30 to 90 seconds. Each attack lasted anywhere from 21 seconds to nearly 8 minutes. Then the attacker moved on to the next address.
This is carpet-bombing and it is one of the most effective DDoS evasion techniques in use today.
Here is a condensed view of the attack timeline, pulled directly from the A10 Defend Threat Control victim data. Every row is a separate attack event. Every IP belongs to the same /24 owned by the same regional broadband provider.
| Time (UTC) | Victim IP (Masked) | Duration | Vector |
|---|---|---|---|
| 07:35:17 | 160.250.82.x (.45) | 21 sec | NTP – High |
| 07:35:41 | 160.250.82.x (.242) | 404 sec | NTP – High |
| 07:36:16 | 160.250.82.x (.115) | 57 sec | NTP – High |
| 07:37:14 | 160.250.82.x (.56) | 80 sec | NTP – High |
| 07:38:36 | 160.250.82.x (.207) | 54 sec | NTP – High |
| 07:39:32 | 160.250.82.x (.43) | 63 sec | NTP – High |
| 07:40:40 | 160.250.82.x (.232) | 37 sec | NTP – High |
| 07:42:27 | 160.250.82.x (.176) | 49 sec | NTP – High |
| 07:43:20 | 160.250.82.x (.141) | 354 sec | NTP – High |
| 07:44:26 | 160.250.82.x (.70) | 56 sec | NTP – High |
| 07:45:25 | 160.250.82.x (.215) | 77 sec | NTP – High |
| 07:46:44 | 160.250.82.x (.254) | 29 sec | NTP – High |
| 07:47:15 | 160.250.82.x (.229) | 67 sec | NTP – High |
| 07:49:16 | 160.250.82.x (.85) | 88 sec | NTP – High |
| 07:50:51 | 160.250.82.x (.117) | 37 sec | NTP – High |
| … | … (25+ IPs total) | … | … |
| 08:01:14 | 160.250.82.x (.131) | 479 sec | NTP – High |
Figure: Condensed timeline of the carpet-bombing campaign. Full dataset available in A10 Defend Threat Control.
Notice the pattern. No single IP accumulates enough traffic to dominate a dashboard. The attacker distributes the pain across the entire subnet, ensuring that the aggregate bandwidth hitting the victim’s upstream link is enormous, even though each individual target looks only moderately busy.
Carpet-bombing exploits a fundamental assumption baked into most DDoS detection systems: that attacks concentrate on a single destination. Traditional mitigation triggers on per-IP volumetric thresholds. When traffic to a single IP spikes, you scrub it. Simple.
But what happens when no single IP crosses the threshold? When the attacker instead sends 40 Gbps spread across 25 IPs, each absorbing just 1.6 Gbps. Individually, those flows might sit below your alerting baseline. Collectively, they saturate the upstream link and take the entire subnet offline.
This is not theoretical. In this campaign, the targeted ISP’s entire /24 was under sustained NTP amplification for 40 continuous minutes. The longest single-IP attack lasted nearly 8 minutes (479 seconds), but the campaign lasted far longer because the attacker simply rotated targets.
What made this campaign visible in A10 Defend Threat Control was not any single attack event, but the correlation across events. The platform captures victim data across all observed attacks globally, which means patterns that span multiple IPs, subnets, and time windows become visible in a way they never would from a single vantage point.
When we queried the data for this /24, the carpet-bombing pattern jumped out immediately: same ASN, same attack vector, same complexity rating, tightly clustered timestamps, and sequential IP targeting. An analyst looking at any individual event would see a routine 60-second NTP hit. An analyst looking at the subnet-level pattern would see an orchestrated campaign.
That difference—between seeing one event and seeing the campaign—is the difference between reacting and anticipating.
“An analyst looking at one event sees a routine NTP hit. An analyst looking at the subnet sees an orchestrated campaign. That gap is where carpet-bombing lives.”
This carpet-bombing campaign is just one pattern we surfaced from over one million DDoS attacks observed by A10 Defend Threat Control in April 2026 alone. The platform lets you filter by attack type, victim country, ASN, industry, duration, and more, turning raw data into the kind of intelligence that keeps you ahead of the next campaign.
Explore the live data on the A10 Defend Threat Control dashboard or sign up for a 90-day free trial to see what attackers are doing right now.
|
May 4, 2026
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。