惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
V2EX - 技术
V2EX - 技术
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
美团技术团队
WordPress大学
WordPress大学
博客园 - 司徒正美
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
Security Latest
Security Latest
L
LINUX DO - 最新话题
NISL@THU
NISL@THU
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
腾讯CDC
Y
Y Combinator Blog
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
IT之家
IT之家
T
Threatpost
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
U
Unit 42
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
小众软件
小众软件
V
Vulnerabilities – Threatpost
J
Java Code Geeks
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
A
Arctic Wolf
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
雷峰网
雷峰网
Help Net Security
Help Net Security
The Last Watchdog
The Last Watchdog
Recent Announcements
Recent Announcements
G
Google Developers Blog
C
CERT Recently Published Vulnerability Notes
T
Troy Hunt's Blog
MyScale Blog
MyScale Blog

A10 Networks

Secure, High-Performance Networking Solutions | A10 Battling Bots, Fraud & AI Threats Summit | Retail IT & Cybersecurity What Is Healthcare Data Compliance? | A10 Networks Interop Best of Show Runner's Up - People's Choice | A10 Networks Interop Best of Show Runner's Up - Security for AI | A10 Networks What Is FIX Protocol Trading? | A10 Networks A10 Joins OpenAI's Trusted Access for Cyber Flexible Licensing for Multiple Clouds | A10 Networks A10 Acquires TrojAI to Advance Enterprise AI Security HFT Infrastructure: High Frequency Trading Explained | A10 Networks A10 Networks Acquires TrojAI Inc., Expanding AI Roadmap | A10 Networks What Is Low-latency Trading? | A10 Networks Multi-Vector DDoS: 11 Amplification Vectors | A10 Healthcare Cloud Compliance: HIPAA & GDPR Guide | A10 LLM Unbounded Consumption & DoS Attacks | OWASP LLM10 LLM Hallucination & Misinformation | OWASP LLM09:2025 Healthcare Network Protection for Hospitals & Clinics RAG Security: Vector & Embedding Weaknesses | OWASP LLM08 System Prompt Leakage | OWASP LLM07:2025 Explained LLM Excessive Agency | OWASP LLM06:2025 Explained LLM Supply Chain Security | OWASP LLM03:2025 Trust, Control and Security in the Age of Agentic AI Summit | A10 Networks LLM Improper Output Handling | OWASP LLM05:2025 Data Poisoning Attacks in LLMs | OWASP LLM04:2025 Sensitive Information Disclosure | OWASP LLM02:2025 Game Over for DDoS Attacks in Gaming | How to Achieve Resilience Prompt Injection | OWASP LLM01:2025 Explained Beyond PCI Summit: Battling Bots, Fraud, and AI-powered Threats Web Application Security Best Practices for 2026 | A10 Networks A10’s 5 Key Takeaways on Application & API Security Trends Securing Financial Applications in the AI Era Summit Unified Application Delivery, Security, and AI Protection for Financial Services The Most Famous DDoS Attacks in History Post-quantum Cryptography Comes to A10 SSL/TLS Data Plane Shadow AI | Glossary AI & LLM Security: Hype vs. Reality and What to Prioritize App Delivery in the Age of AI Summit | Hybrid & Cloud-Native Strategies A Day in the Life of a Stressed Web Application | ADC & WAF Resilience Avans University of Applied Sciences Modernizes Hybrid Application Delivery with A10 Networks Preparing Government Infrastructure for AI Adoption | Expert Summit Report: IDC Spotlight Report: Modernizing Application Delivery Infrastructure for AI-powered Applications Broken Object Level Authorization (BOLA): The #1 API Security Risk | Free Webinar | A10 Networks Product Demo: A10 AI Firewall by A10 Networks AI Firewall for Enterprise AI Security | A10 Networks API Traffic Management for AI and Agentic Systems | Expert Summit AI is Here: How Ready Is Your Infrastructure? | A10 Networks Pulse Campaign Analysis: Brazil ISPs Expose Next-Gen DDoS Automation Trends Tech Companies Lead GenAI Adoption but Face Infrastructure Gaps Cyber Defense Magazine's 2026 Global InfoSec award – Editor's Choice – API Security | A10 Networks Load Balancing Solutions for Availability & Security | A10 Networks Top 9 Generative AI Security Risks in 2026 LLM Security: Protecting AI Models & Applications
Real-time DDoS Carpet-bombing: NTP Amplification Evasion
Anidhya Pand · 2026-05-05 · via A10 Networks

DDoS Carpet-bombing Attack Unfolds in Real Time. Here’s What It Looked Like.

25 Ips, one subnet, 40 minutes, and your per-IP rate limiter didn’t see a thing

A Quiet Morning in South Asia

At 07:35 UTC on April 28, 2026, a regional ISP in South Asia started taking fire. Not the kind of fire that trips alarms. No single IP experienced a traffic spike dramatic enough to cross a typical per-IP detection threshold. But something far more deliberate was underway.

Over the next 40 minutes, we watched through A10 Defend Threat Control as attackers systematically walked through more than 25 distinct IP addresses within a single /24 subnet, hitting each one with high-complexity NTP amplification. A new target every 30 to 90 seconds. Each attack lasted anywhere from 21 seconds to nearly 8 minutes. Then the attacker moved on to the next address.

This is carpet-bombing and it is one of the most effective DDoS evasion techniques in use today.

What Carpet-bombing Looks Like in the Data

Here is a condensed view of the attack timeline, pulled directly from the A10 Defend Threat Control victim data. Every row is a separate attack event. Every IP belongs to the same /24 owned by the same regional broadband provider.

Time (UTC)Victim IP (Masked)DurationVector
07:35:17160.250.82.x (.45)21 secNTP – High
07:35:41160.250.82.x (.242)404 secNTP – High
07:36:16160.250.82.x (.115)57 secNTP – High
07:37:14160.250.82.x (.56)80 secNTP – High
07:38:36160.250.82.x (.207)54 secNTP – High
07:39:32160.250.82.x (.43)63 secNTP – High
07:40:40160.250.82.x (.232)37 secNTP – High
07:42:27160.250.82.x (.176)49 secNTP – High
07:43:20160.250.82.x (.141)354 secNTP – High
07:44:26160.250.82.x (.70)56 secNTP – High
07:45:25160.250.82.x (.215)77 secNTP – High
07:46:44160.250.82.x (.254)29 secNTP – High
07:47:15160.250.82.x (.229)67 secNTP – High
07:49:16160.250.82.x (.85)88 secNTP – High
07:50:51160.250.82.x (.117)37 secNTP – High
… (25+ IPs total)
08:01:14160.250.82.x (.131)479 secNTP – High

Figure: Condensed timeline of the carpet-bombing campaign. Full dataset available in A10 Defend Threat Control.

Notice the pattern. No single IP accumulates enough traffic to dominate a dashboard. The attacker distributes the pain across the entire subnet, ensuring that the aggregate bandwidth hitting the victim’s upstream link is enormous, even though each individual target looks only moderately busy.

Why This Matters More Than You Think

Carpet-bombing exploits a fundamental assumption baked into most DDoS detection systems: that attacks concentrate on a single destination. Traditional mitigation triggers on per-IP volumetric thresholds. When traffic to a single IP spikes, you scrub it. Simple.

But what happens when no single IP crosses the threshold? When the attacker instead sends 40 Gbps spread across 25 IPs, each absorbing just 1.6 Gbps. Individually, those flows might sit below your alerting baseline. Collectively, they saturate the upstream link and take the entire subnet offline.

This is not theoretical. In this campaign, the targeted ISP’s entire /24 was under sustained NTP amplification for 40 continuous minutes. The longest single-IP attack lasted nearly 8 minutes (479 seconds), but the campaign lasted far longer because the attacker simply rotated targets.

The Clues Were There—If You Knew Where to Look

What made this campaign visible in A10 Defend Threat Control was not any single attack event, but the correlation across events. The platform captures victim data across all observed attacks globally, which means patterns that span multiple IPs, subnets, and time windows become visible in a way they never would from a single vantage point.

When we queried the data for this /24, the carpet-bombing pattern jumped out immediately: same ASN, same attack vector, same complexity rating, tightly clustered timestamps, and sequential IP targeting. An analyst looking at any individual event would see a routine 60-second NTP hit. An analyst looking at the subnet-level pattern would see an orchestrated campaign.

That difference—between seeing one event and seeing the campaign—is the difference between reacting and anticipating.

“An analyst looking at one event sees a routine NTP hit. An analyst looking at the subnet sees an orchestrated campaign. That gap is where carpet-bombing lives.”

What Should Defenders Do?

  • Think in subnets, not just IPs. If your detection logic only evaluates per-destination thresholds, carpet-bombing will fly under the radar. Aggregate traffic analysis at the /24 or prefix level is essential.
  • Correlate across time windows. A 60-second NTP attack is unremarkable. Twenty-five of them against the same subnet in 40 minutes is a campaign. Your tooling needs to surface that pattern automatically.
  • Use external threat intelligence. The victim ISP in this case may not have had visibility into the broader pattern. They only see their own ingress. A platform like A10 Defend Threat Control provides the global vantage point that turns isolated alerts into actionable intelligence.
  • Assume NTP amplification isn’t going away. Every attack in this campaign used NTP reflection at high complexity. Open NTP servers continue to provide massive amplification, and attackers know it.

See it for Yourself

This carpet-bombing campaign is just one pattern we surfaced from over one million DDoS attacks observed by A10 Defend Threat Control in April 2026 alone. The platform lets you filter by attack type, victim country, ASN, industry, duration, and more, turning raw data into the kind of intelligence that keeps you ahead of the next campaign.

Explore the live data on the A10 Defend Threat Control dashboard or sign up for a 90-day free trial to see what attackers are doing right now.



Anidhya Pandita

|

May 4, 2026