TCP carpet bombing
Spreads attack traffic across many IPs in a subnet instead of one victim IP. Tests whether defenses cover the full advertised prefix.
How it works
- Low rate per IP can aggregate to significant subnet load.
- Per-IP thresholds may never trigger while the network still saturates.
- Engarde carpet bombing uses invalid-flag SYN variant across a wide target surface.
Packet flow (illustrative)
Engarde node Target
βSYN β 203.0.113.10
βSYN β 203.0.113.11
βSYN β 203.0.113.12
ββ¦ /24 spread
Illustrative flow β not a live capture.
Pattern Wide IP spread
Engarde Carpet Bombing preset
Risk Threshold bypass
What to watch in Engarde
- Aggregate bandwidth on upstream router interfaces.
- Per-prefix alerting rather than single-IP only.
Running this simulation
Use Carpet Bombing preset only on authorized lab prefixes with Engarde operator coordination.
Mitigation perspective
Prefix-level detection, BGP Flowspec, and coordinated scrubbing policies.