A carpet bombing attack is a volumetric attack vector, one of the evasive classes a thorough DDoS test is built to exercise. Instead of concentrating traffic on a single destination IP, it spreads the flood across many addresses in a target's subnet or CIDR block at once. No individual host crosses the per-IP threshold that triggers detection, but the aggregate saturates the upstream link or the edge router. Also called spread-spectrum or spray attacks, the technique is built specifically to slip under destination-based rate limits and per-IP mitigation triggers.
Why it matters in DDoS testing
Carpet bombing defeats defenses scoped to a single victim IP, so it exposes a gap that classic single-target tests miss entirely. A test characterizes whether detection aggregates traffic across an entire prefix rather than per host, how fast subnet-level or flow-based mitigation engages, and whether RTBH or scrubbing can be invoked at CIDR granularity without nulling legitimate hosts. This detection-scope problem is one of the trade-offs weighed in the AWS Shield vs Cloudflare DDoS comparison.