Not all attacks are spectacular. Some are inconspicuous and never reach record levels of bandwidth or packet volume. This was the case with the following DDoS attack: at first glance it looked unremarkable, with a volume of around 3 million requests, which is not an exceptional figure compared to large-scale DDoS campaigns. Nevertheless, its structure is worth a closer look, because it shows how attackers try to disrupt web applications in a targeted manner even with limited resources.
Conspicuous traffic pattern: slow increase, sudden peak
The traffic curve initially showed a slow, continuous increase in requests. This was followed by a single, clearly visible peak. In contrast to massive volumetric attacks, however, the total volume remained moderate.

Another characteristic feature was that the attack focused exclusively on the root domain, i.e., the website’s home page, and not on specific subdirectories or API endpoints. Such patterns are typical of simplified botnet activities, in which no targeted analysis of application points is performed, but rather generic requests are sent to the main endpoint.
Geographical restriction as a protective measure
In this case, the existing access restriction was a key factor: a rule was active for the affected domains that only allowed traffic from certain regions, such as the US and Europe. Requests from other countries were automatically blocked. However, a large part of the attack traffic originated from countries that were not on the whitelist, including China, India, and Turkey. These requests were immediately rejected.
Some of the traffic from approved countries (such as Germany) was blocked. The cause was not geofiltering, but other protective mechanisms such as rate limiting.

Rate limiting: protection against too many requests
Rate limiting is a common method of securing web applications. It specifies how many requests a client is allowed to make within a certain time window. If this threshold is exceeded by an IP address, further requests are temporarily blocked.
In this case, it became apparent that a large proportion of the approved German requests were rejected for precisely this reason. This indicates the IP addresses in question generated an unusually high number of requests in a short period of time, which is a typical pattern for automated bot requests.
In this case the limit was keyed on the client IP address, but a rate limit can be keyed on any request attribute, such as a specific header, a cookie, or a query argument. That matters when many legitimate clients share one address behind a NAT, or when a single attacker rotates through many addresses.
Focus on GET requests
HTTP requests using the GET method were also blocked. This initially raises questions, as GET is the most commonly used HTTP method.
To understand why, it is worth taking a brief look at the basics of the HTTP protocol.
HTTP (Hypertext Transfer Protocol) defines various methods that clients (e.g., browsers) use to communicate with a web server. The most important ones include:
• GET: Retrieves information from the server.
• POST: Sends data to the server (e.g., form entries).
• PUT: Creates or replaces the resource at the given URI.
• DELETE: Deletes resources.
• HEAD: Requests header information only.
By specification, GET is a "safe" method: it is meant only to retrieve a representation of a resource. A classic page view in a browser is a GET request, and a correctly implemented server changes or stores nothing in response to it.
This is why GET is often described as "harmless". That is only half the truth. The method itself changes nothing, but the query string of a GET request is the most common carrier of injection payloads (SQL injection, reflected cross-site scripting, path traversal), and an application that performs state changes on GET is open to cross-site request forgery via a plain link. Injection attacks target the parameters, not the method, and GET carries parameters just as POST does.
Why GET is still blocked
It can be useful to block GET requests if an application does not need them. In specialized APIs or backend systems that only accept POST, discarding every GET reduces the attack surface and drops generic scanner and bot traffic before the application sees it. Such a filter was active here, meaning all GET requests were automatically discarded. The rule is only viable where no legitimate client ever uses GET; on a browser-facing site it would block the site itself, so the allowed method set has to be derived from the application's real interface rather than guessed.
Learn more about an easy-to-implement and highly effective WAAP solution.
Everything from a single source, and available as a fully managed service upon request.
Since the observed attack worked exclusively with the GET method and only addressed the root domain, the traffic was completely intercepted. It was therefore a simple, mass use of the standard method to tie up server resources.
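To make the chain of decisions described above concrete, here is an added example (not code from the incident or from Link11) that replays a constructed request log through the three mechanisms in the order the text describes: geographic allowlist, per-IP sliding-window rate limit, and a POST-only method filter. The log format, the allowlist, the limit of 5 requests per 10 seconds, and all IP addresses are assumptions for the illustration. It shows why traffic from Germany can be rejected by the rate limiter rather than by geofiltering, and why the remaining GET requests never reach the application.

```python
from collections import Counter, defaultdict, deque

# Constructed request log for the walk-through (not log lines from the incident).
# Field layout is assumed: (timestamp in seconds, client IP, GeoIP country, method, path).
SAMPLE_LOG = [
    (0.0, "203.0.113.10", "CN", "GET", "/"),
    (0.1, "198.51.100.7", "IN", "GET", "/"),
    (0.2, "192.0.2.55", "TR", "GET", "/"),
] + [
    # one German bot IP firing 12 GETs within 1.1 seconds
    (1.0 + 0.1 * i, "198.51.100.20", "DE", "GET", "/") for i in range(12)
] + [
    (3.0, "192.0.2.99", "DE", "POST", "/api/orders"),  # legitimate API client
    (4.0, "203.0.113.5", "US", "GET", "/"),            # allowed country, wrong method
]

ALLOWED_COUNTRIES = {"US", "DE", "FR", "GB"}  # assumed allowlist ("US and Europe")
ALLOWED_METHODS = {"POST"}                     # the API-only method filter from the text
RATE_LIMIT = 5                                 # assumed: max requests per key per window
WINDOW_SECONDS = 10.0


class SlidingWindowLimiter:
    """Keeps request timestamps per key; rejects once the window holds `limit` entries."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def classify(log, key_fn=lambda rec: rec[1], limiter=None):
    """Evaluate each request in the order the post describes:
    geo allowlist -> rate limit -> method filter. key_fn picks the rate-limit key;
    the default is the client IP, but it can be any request attribute."""
    if limiter is None:
        limiter = SlidingWindowLimiter(RATE_LIMIT, WINDOW_SECONDS)
    decisions = []
    for rec in log:
        ts, ip, country, method, _path = rec
        if country not in ALLOWED_COUNTRIES:
            decisions.append((ip, "blocked:geo"))
        elif not limiter.allow(key_fn(rec), ts):
            decisions.append((ip, "blocked:rate_limit"))
        elif method not in ALLOWED_METHODS:
            decisions.append((ip, "blocked:method"))
        else:
            decisions.append((ip, "allowed"))
    return decisions


def summarize(decisions):
    """Count decisions by reason, which is what an incident write-up reports."""
    return dict(Counter(reason for _ip, reason in decisions))
```

Running `summarize(classify(SAMPLE_LOG))` yields three geo blocks, seven rate-limit blocks for the German bot (its first five requests pass the limiter and are then caught by the method filter), one method block for the US client, and a single allowed POST. Note that the order of the stages is itself a policy decision: a rate limiter placed before the geo check would also spend state on traffic that is going to be rejected anyway.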
Small botnets, real impact
In contrast to large botnets, this was a small network with a small number of IP addresses involved. However, that does not mean that there is no risk.

Whether an attack is successful also depends on the target infrastructure. A resource-intensive web application or a poorly scaled server can be overloaded even by a moderate number of requests.
CPU and memory load increase rapidly, especially with many simultaneous connections or when dynamic content has to be generated for each request. Such attacks target the application layer and attempt to tie up server resources with many HTTP requests.
GET requests are commonplace, which is why they cannot be classified as malicious across the board. Only in combination with frequency, origin, and behavior patterns does a reliable picture emerge. The incident illustrates that it is not the size of the botnet, but the interaction between the attack strategy and the target architecture that determines the risk.
A small, cleanly structured attack can still be effective, especially if there are no protective mechanisms in place. In this case, though, the protective mechanisms worked exactly as intended.
Do you have any questions about this topic, or would you like information on how best to prepare for such attacks?
Contact our cybersecurity experts now >>
When an enterprise becomes the target of a Distributed Denial of Service (DDoS) attack, the first action is often to block malicious traffic as quickly and rigorously as possible. But what happens when the mitigation measures overshoot the mark and lock out the very people you actually want to serve?
When Protection Becomes an Obstacle: False Positives in DDoS Mitigation
In Cybersecurity a “false positive” describes a situation where a protection system mistakenly classifies perfectly legitimate, harmless traffic as a threat and rejects it. In DDoS mitigation, this can happen when a network experiences sudden but genuine traffic spikes, triggered by marketing campaigns, product launches, or seasonal events. A broadly configured defense system detects a rapid increase in requests, mistakes the wave of real customers for a malicious bot attack, and blocks them.
The paradoxical result: While the IT infrastructure may be protected, the service is offline for some of the target audience. False positives thus cause direct service interruptions, frustrate customers, and can lead to lost revenue and reputational damage.
The False Positive Dilemma of Traditional Protection Systems
Many traditional DDoS protection systems still use older methods such as fixed rules or basic rate limits. During fast-moving Layer 3 and Layer 4 attacks or sudden traffic spikes, these rigid methods quickly reach their limits. This dilemma places an enormous operational burden not only on end users but also on internal IT and security teams. For Security Operations Center and Network Operations Center teams, even single-user disruptions trigger time-consuming root-cause investigations. Teams spend hours identifying whether outages stem from attacks or false alarms.
The situation is made worse by traditional black-box filtering systems, which do not tell administrators why a specific connection was blocked in the first place.
The Path Forward: Intelligent, Behavioral Mitigation
To address this industry-wide problem, the focus of modern cybersecurity should increasingly be shifting to intelligent behavioral analysis, coupled with adaptive engines. Instead of broadly throttling traffic, such systems can analyze live traffic patterns using highly advanced behavioral detection and rely on granular per-protocol and per-port filtering.
This brings three decisive advantages of proactive, adaptive DDoS protection for modern network infrastructures:
- Adaptive learning reduces the need for manual tuning: An auto-learning mitigation engine adapts to your network’s normal behavior in real time. As a result, false alarms that cause unnecessary downtime are drastically reduced. The time-consuming, error-prone manual tuning of thresholds is completely eliminated, allowing the team to refocus on strategic tasks.
- Proactive, always-on defense built to give you confidence and control: Modern DDoS protection must stop attacks before they can affect network performance or service availability. A proactive, always-on defense detects malicious traffic early and mitigates it at the source, before it can disrupt legitimate traffic. This helps organizations maintain stable performance, continuous availability, and full control even during fast-moving attacks.
- Forensic-level visibility instead of a black box: When traffic is blocked, security teams need immediate clarity. A modern defense architecture replaces the “black box” with forensic-level visibility in real time. Using detailed real-time dashboards, reason codes, and live traffic logs, security teams are able to explain exactly and in an auditable manner on what basis a mitigation decision was made.
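The difference between a fixed threshold and a baseline-aware rule can be shown in a few lines. The following is an added illustration, not code from any product: it feeds constructed one-minute traffic buckets through a static request-count threshold and through an adaptive rule that learns a baseline (an exponentially weighted moving average) and, when a spike occurs, looks at how concentrated the sources are. A spike carried by a handful of IPs is treated as attack-like; a spike spread over many independent clients is treated as a flash crowd. Threshold values, the learning rate, and the IP addresses are all assumptions.

```python
from collections import Counter

# Assumed detector settings for the illustration
FIXED_THRESHOLD = 1000      # requests per minute; a static "attack" threshold
SPIKE_FACTOR = 5.0          # spike = more than 5x the learned baseline
TOP_N = 20                  # how many top sources to look at for concentration
CONCENTRATION_LIMIT = 0.5   # spike carried >50% by TOP_N sources -> attack-like
ALPHA = 0.3                 # EWMA learning rate for the baseline


def make_bucket(n_requests, n_sources):
    """Constructed one-minute traffic bucket: n_requests spread evenly over n_sources IPs."""
    bucket = Counter()
    for i in range(n_requests):
        k = i % n_sources
        bucket[f"10.0.{k // 256}.{k % 256}"] += 1
    return bucket


def concentration(bucket, top_n=TOP_N):
    """Share of a bucket's requests that its top_n sources account for."""
    total = sum(bucket.values())
    top = sum(n for _src, n in bucket.most_common(top_n))
    return top / total if total else 0.0


def fixed_rule(buckets):
    """The traditional rule: mitigate whenever the count exceeds a static threshold."""
    return ["mitigate" if sum(b.values()) > FIXED_THRESHOLD else "pass" for b in buckets]


def adaptive_rule(buckets):
    """Learn a baseline, then judge spikes by source concentration rather than size alone."""
    decisions, baseline = [], None
    for b in buckets:
        total = sum(b.values())
        if baseline is None:
            decisions.append("learn")
            baseline = float(total)
            continue
        spike = total > SPIKE_FACTOR * baseline
        if spike and concentration(b) > CONCENTRATION_LIMIT:
            decisions.append("mitigate")       # few sources carry the spike: DDoS-like
        elif spike:
            decisions.append("flash-crowd")    # many independent clients: let them through
        else:
            decisions.append("pass")
        if decisions[-1] != "mitigate":        # never learn from traffic judged to be an attack
            baseline = ALPHA * total + (1 - ALPHA) * baseline
    return decisions


# Constructed timeline: three quiet minutes, an attack minute, a marketing-campaign minute.
TIMELINE = [
    make_bucket(100, 80), make_bucket(100, 80), make_bucket(100, 80),
    make_bucket(2000, 30),    # 2000 requests from 30 IPs
    make_bucket(2000, 1500),  # 2000 requests from 1500 IPs (flash crowd)
]
```

The static rule mitigates both 2000-request minutes, so the campaign traffic becomes a false positive; the adaptive rule mitigates only the concentrated one. Two caveats a practitioner should keep in mind: the baseline must not be updated from traffic already judged malicious, and a slow, continuous ramp-up of the kind described in the first post on this page can still "train" the baseline upward, so the learning rate needs a cap.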
The New Era of DDoS Defense
In an era where uptime is synonymous with revenue and reputation, cybersecurity must not hinder business operations. With intelligent Network DDoS mitigation, enterprises no longer have to choose between maximum protection and an optimal user experience. Those who rely on behavioral, transparent, and granular mitigation mechanisms ensure that networks are not only protected from threats but also capable of keeping legitimate users online at all times.
Link11, a European specialist in IT security solutions, is delighted to announce the launch of the English-language version of its successful podcast, Follow the White Rabbit. As Jens-Philipp Jung, Link11’s CEO, emphasises, “In today’s interconnected world, cybersecurity is a global challenge that requires collective vigilance and action. By launching the English version of Follow the White Rabbit, we are breaking down language barriers to empower a wider audience with the knowledge they need to navigate the digital realm safely”.
Building on the success of the German-language series, the new English edition will provide international audiences with critical insights into cybersecurity and raise awareness of the ever-evolving digital threat landscape. Hosted by Kofi Osae-Attah, Link11’s Information Security Officer (ISO) and seasoned cybersecurity expert, the podcast features high-profile guests from a variety of industries. “Cybersecurity is a dynamic and ever-evolving field, and staying ahead of threats requires continuous learning and collaboration,” says Osae-Attah. Together, they explore the complexities of cyber threats, emerging technologies, and defensive strategies, ensuring that listeners stay informed and prepared in an increasingly digital world.
Cyberattacks are escalating at an alarming rate, threatening businesses, governments and individuals alike. With annual damages running into billions, the consequences – including identity theft, financial loss, operational disruption, data breaches and reputational damage – are profound. Follow the White Rabbit serves as a guide through the intricate world of IT security, exploring attacker strategies, advanced security concepts, and cutting-edge technologies. Each episode covers current threats, the role of artificial intelligence and machine learning in cyber warfare, and regulatory shifts that are reshaping the digital landscape.
The first two episodes of Follow the White Rabbit are now available on Apple Podcasts, Spotify, and at link11.com.
Not all DDoS attacks have the same objective. Some are designed simply to overload, while others are intended to conceal something more nefarious. A massive increase in requests immediately raises red flags in every SOC. However, when millions of requests flood the infrastructure in a short period, standard diagnosis often falls short.
At first glance, the case seems clear: a classic DDoS attack designed to cripple availability. But beware of the obvious. A recent analysis of two attack scenarios clearly shows how different the motivation behind seemingly similar traffic can be, and why understanding this distinction is crucial to security strategy.
While one attack merely makes “noise,” the other uses this noise to cover far more dangerous operations.
Case 1: Classic DDoS Attack
In the first scenario, the login area was bombarded with approximately 16 million requests. Several thousand IP addresses primarily targeted the root domain.

From a technical perspective, this was a “clean” attack, albeit one involving a massive volume of traffic.

The forensic indicators were clear:
- Pure traffic overload to exhaust resources.
- DDoS signatures that triggered immediate rate limits.
- No evidence of SQL injection or cross-site scripting (XSS) attempts.
Such attacks are loud and highly visible. They are designed to tie up or completely overwhelm backend resources. Without upstream protection mechanisms, a botnet of this size can push critical applications to their limits and cause massive outages.
This is the “classic” DDoS dynamic. With a modern WAAP (Web Application and API Protection) platform, however, the effect is limited. IP addresses are automatically blocked, rate limits are precisely applied, and the attack fizzles out as filtered background noise.
Case 2: DDoS as a Smokescreen
The second scenario was technically similar but strategically far more insidious. In this case, two domains, including a popular booking platform, were targeted simultaneously. With a volume of 14 to 40 million requests, the intensity was higher than in the first case.

Further analysis of the web application firewall (WAF) revealed an additional dangerous pattern: targeted signatures for SQL injections and cross-site scripting (XSS).
Excerpt from the WAF Analysis:

This pattern suggests a “smokescreen” attack. The logic behind it is as simple as it is dangerous.
- The noise: A massive DDoS attack creates operational chaos, floods monitoring systems with alarms, and inflates log files enormously.
- The camouflage: In the slipstream of this noise, attackers attempt to quietly and precisely place exploits, hoping they will be lost in the mass of error messages.
In this case, though, the attackers failed due to their own miscalculation. They used the same IP addresses for the volumetric DDoS attack and the infiltration attempts. These addresses were already blocked by the DDoS protection rules before the SQL or XSS attempts could be made.

This approach was not technically sophisticated; a more experienced actor would have used separate infrastructures and IP pools. Nevertheless, the intention was clear. This is precisely where the crucial difference from a pure volume attack lies. While case 1 focused on disruption, case 2 aimed to compromise the system. That is exactly the risk of a defense that looks only at traffic volume and lacks application-layer intelligence.
The strategic difference

In the second case, if the company had only used isolated DDoS protection without integrated WAF intelligence, the “smoke” would have been filtered out. However, the fine needle pricks of the SQL injections could have reached the backend systems.
The decisive factors were:
- Automated IP quarantine: An IP address that stands out due to DDoS patterns is immediately blocked globally.
- Cross-domain reputation: Knowledge of a malicious IP address on Domain A immediately protects Domain B.
- Holistic view: Security teams recognize the entire attack pattern, not just the “storm.”
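The three factors above can be replayed against a constructed event stream. The following is an added example, not Link11 code and not the WAF analysis from the incident: a global IP quarantine is triggered by request velocity on one domain and applied to every domain, and only requests that survive it are matched against simplified SQL injection and XSS signatures. Running the same events with the WAF stage switched off shows what "smoke filtered out, needle pricks reach the backend" means in practice. The thresholds, signatures, domain names, and IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from urllib.parse import unquote

# Simplified, illustrative WAF signatures (real rule sets are far larger and normalize harder)
SQLI = re.compile(r"(?i)(union\s+select|'\s*or\s*'|\bor\s+1\s*=\s*1|;\s*drop\s+table)")
XSS = re.compile(r"(?i)(<script\b|onerror\s*=|javascript:)")

DDOS_THRESHOLD = 50    # assumed: requests per IP within the window that trigger quarantine
DDOS_WINDOW = 10.0     # seconds


def waf_signature(url):
    """Return 'sqli', 'xss' or None for a request line after percent-decoding."""
    decoded = unquote(url)
    if SQLI.search(decoded):
        return "sqli"
    if XSS.search(decoded):
        return "xss"
    return None


class Replay:
    """Replays events through a global IP quarantine first and the WAF second."""

    def __init__(self, waf_enabled=True):
        self.waf_enabled = waf_enabled
        self.quarantine = set()                 # shared across all domains
        self.windows = defaultdict(deque)
        self.decisions = Counter()
        self.reached_backend = []               # signature hits that nothing stopped

    def handle(self, t, domain, ip, url):
        if ip in self.quarantine:
            self.decisions["dropped:quarantine"] += 1
            return
        q = self.windows[ip]
        while q and t - q[0] >= DDOS_WINDOW:
            q.popleft()
        q.append(t)
        if len(q) >= DDOS_THRESHOLD:            # DDoS pattern: block this IP everywhere
            self.quarantine.add(ip)
            self.decisions["dropped:quarantine"] += 1
            return
        sig = waf_signature(url)
        if sig and self.waf_enabled:
            self.decisions[f"blocked:waf:{sig}"] += 1
            return
        if sig:                                 # no WAF: the payload reaches the application
            self.reached_backend.append((domain, ip, sig))
        self.decisions["allowed"] += 1


def replay(events, waf_enabled=True):
    """Process events in time order; returns (decision counts, payloads that got through)."""
    r = Replay(waf_enabled)
    for ev in sorted(events):
        r.handle(*ev)
    return dict(r.decisions), r.reached_backend


# Constructed event stream: (time, domain, source IP, request URL). Not real traffic.
EVENTS = [(0.01 * i, "booking.example", "198.51.100.20", "/") for i in range(60)] + [
    (5.0, "shop.example", "198.51.100.20", "/item?id=1' or '1'='1"),   # same IP as the flood
    (6.0, "shop.example", "203.0.113.9", "/item?id=1 union select user,pass from accounts"),
    (6.5, "shop.example", "203.0.113.9", "/search?q=<script>alert(1)</script>"),
    (7.0, "booking.example", "192.0.2.44", "/search?q=hotel"),            # ordinary user
]
```

With the WAF stage enabled, the flooding IP is quarantined on booking.example and its later SQL injection attempt against shop.example is dropped without the signature ever being evaluated (cross-domain reputation). The second attacker, who uses a clean IP, is stopped by the signatures instead. With the WAF disabled, that second attacker's two payloads are the ones that reach the backend, which is the scenario the text warns about.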
Conclusion
Not every traffic peak is solely a capacity issue. In a hybrid threat landscape, a DDoS attack often serves as a distraction for other processes taking place. Focusing solely on bandwidth can cause you to overlook the actual risk. Today, resilience means more than just staying online: it also means decoding attacks in their entirety.
Would you like to learn how a modern WAAP architecture correlates DDoS and application attacks in real time and stops them fully automatically? Learn more about Link11’s holistic protection solutions now.
We have already established that WAAP is the logical answer to modern application architectures. But what does that mean in practice? Putting the more complex theory aside, WAAP is primarily about making security scalable and manageable.
Below, we present four key ways in which WAAP can help you regain control of your digital infrastructure.
The return of visibility
The first practical added value of WAAP becomes apparent where the classic Web Application Firewall (WAF) reaches its limits: at the attack surface itself. A conventional WAF checks individual requests against rigid rules. This is effective against known patterns, but is insufficient for distributed systems.
WAAP starts earlier and views web applications and APIs as a coherent system.
- Context view: For the first time, transparency is restored regarding which interfaces actually exist (keyword: shadow APIs).
- Behavioral analysis: WAAP recognizes what is “normal” within a specific application. For many organizations, this visibility alone is the most important step in moving from reactive systems to proactive design.
Infrastructure relief: Security without performance loss
Modern attacks are not only more sophisticated, but also “louder.” Bots, scrapers, and DDoS attacks at the application level generate an enormous load that often brings local gateways to their knees before a filter can intervene.
WAAP platforms are usually cloud-native and therefore act as a protective shield at the edge of the network. Computationally intensive tasks are migrated to the provider's scalable platform, among them:
- TLS termination and decryption
- Correlation of global signals
- Complex behavioral analysis
Terminating TLS at the edge means the provider presents a certificate for your domain and sees the plaintext of every inspected request; that trust relationship, and where the data is processed, should be evaluated alongside the performance benefit.
For operators, this means less pressure on their own systems and an end to the compromise between maximum security and optimal performance.
- Advantage for administrators: Their servers only see “clean” traffic.
- Advantage for decision-makers: They don’t have to oversize their local infrastructure for traffic spikes or DDoS attacks, as the cloud absorbs this load.
Smarter decisions
The key difference lies in how WAAP decides to block or allow traffic. Instead of relying solely on blacklists, the platform combines various signals such as API structures, bot fingerprints, reputation data, and behavioral anomalies.
Traditional attacks exploit technical vulnerabilities, such as SQL injections. However, modern attackers often exploit the logic of the application itself; for example, by automatically trying out discount codes or making massive queries about stock levels.
WAAP solutions correlate signals over longer periods of time, helping to detect attacks. If a client makes an unusually high number of queries in a specific sequence, the system raises an alarm, even if each individual request appears "legal" on its own. A WAF that evaluates each request in isolation cannot structurally provide this contextual protection.
The main difference lies in flexibility. A traditional WAF works with fixed rules that define what is permitted or suspicious. A WAAP platform supplements this approach with context and behavior analysis, enabling it to distinguish more flexibly between legitimate use and abuse. This reduces the effort required for manual readjustment and makes the overall protection more adaptable.
Securing the invisible weak point
The structural superiority of WAAP is particularly evident with APIs. They have clearly defined structures and logic that a simple HTTP filter cannot understand. WAAP can validate these schemas and stop deviations in real time. This is a level of protection that companies urgently need today, as APIs are increasingly becoming the primary target for data theft.
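What "validating the schema and stopping deviations" and "restoring visibility over shadow APIs" look like in code, as an added example that is not from any WAAP product: a small, constructed specification (OpenAPI-like, but simplified to a Python dict) lists the known endpoints, their path-parameter constraints and the fields and types of their JSON bodies. Every request is either matched and validated, rejected for a schema violation, or flagged as a call to an endpoint the specification does not know about. The endpoints, field names, and sample requests are assumptions for the illustration.

```python
import json
import re
from collections import Counter

# Assumed, constructed specification: (method, path template) -> constraints.
# Path params are regex-constrained; JSON bodies list required/optional fields with types.
API_SPEC = {
    ("GET", "/v1/users/{id}"): {"params": {"id": r"\d+"}, "body": None},
    ("POST", "/v1/orders"): {"body": {"required": {"sku": str, "qty": int},
                                      "optional": {"note": str}}},
}


def compile_path(template):
    """Turn /v1/users/{id} into a regex with a named group per path parameter."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


ROUTES = [(m, compile_path(p), spec) for (m, p), spec in API_SPEC.items()]


def validate(method, path, body_text=""):
    """Return (verdict, reason): ok, schema_violation, or shadow_api (endpoint not in spec)."""
    for m, rx, spec in ROUTES:
        match = rx.match(path) if m == method else None
        if not match:
            continue
        for name, constraint in spec.get("params", {}).items():
            if not re.fullmatch(constraint, match.group(name)):
                return "schema_violation", f"path parameter {name} violates {constraint}"
        body_spec = spec.get("body")
        if body_spec is None:
            return ("ok", "") if not body_text else ("schema_violation", "unexpected body")
        try:
            body = json.loads(body_text)
        except json.JSONDecodeError:
            return "schema_violation", "body is not valid JSON"
        if not isinstance(body, dict):
            return "schema_violation", "body must be a JSON object"
        allowed = {**body_spec["required"], **body_spec.get("optional", {})}
        for field in body_spec["required"]:
            if field not in body:
                return "schema_violation", f"missing field {field}"
        for field, value in body.items():
            if field not in allowed:
                return "schema_violation", f"unexpected field {field}"
            if type(value) is not allowed[field]:   # exact type: bool is not an int here
                return "schema_violation", f"field {field} has wrong type"
        return "ok", ""
    return "shadow_api", f"{method} {path} is not in the specification"


# Constructed traffic sample (not real requests)
SAMPLE_REQUESTS = [
    ("GET", "/v1/users/42", ""),
    ("GET", "/v1/users/42 OR 1=1", ""),                                    # tampered path param
    ("POST", "/v1/orders", '{"sku": "A1", "qty": 2}'),
    ("POST", "/v1/orders", '{"sku": "A1", "qty": "2"}'),                   # wrong type
    ("POST", "/v1/orders", '{"sku": "A1", "qty": 1, "price": 0.01}'),      # mass assignment
    ("POST", "/v1/orders", "sku=A1&qty=1"),                                # not JSON
    ("GET", "/v1/admin/export", ""),                                       # undocumented endpoint
]


def audit(requests):
    """Validate every request and tally verdicts; shadow_api hits are the inventory gap."""
    results = [validate(*r) for r in requests]
    return results, dict(Counter(v for v, _reason in results))
```

The rejected "price" field is the interesting case: each request is well-formed HTTP and valid JSON, so a pattern-based filter has nothing to match, yet sending a field the endpoint never declared is how mass-assignment and price-tampering attacks work. The shadow_api verdict is the inventory signal: every hit is an endpoint that exists in production but not in the specification.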
Scalability as a target
From an organizational perspective, WAAP helps reduce complexity. Instead of laboriously orchestrating individual solutions for WAF, Bot Protection, API Security, and DDoS defense, Web Application & API Protection (WAAP) bundles these functions into a common layer of protection.
The real added value of WAAP is therefore not just in blocking attacks. Rather, it is the transformation of application security into a model that can keep pace with the dynamics of APIs and automation. For organizations that want to scale their digital value creation, WAAP is therefore not just a nice-to-have add-on, but a necessary foundation.
In IT security, the following principle often applies: introduce a new tool for every new problem. As a result, many companies have developed a digital patchwork quilt over time. Endpoint protection here, firewalls there, identity management, DDoS protection, WAF, bot management, and API security—everything was purchased, configured, and operated individually.
On paper, this looks like seamless coverage. In operational reality, however, this “best-of-breed” approach often leads to a dangerous trap: hidden complexity. When security teams spend more time gathering information between isolated systems than addressing actual risks, the security model itself becomes the risk.
When tools get in the way
The fragmentation of the security landscape is not only an administrative nuisance, but also represents an operational burden. A Barracuda survey from 2025 shows that around two-thirds (65%) of organizations use too many security solutions, with more than half (53%) complaining about a lack of integration.
Correlation burnout: Teams lose valuable time because they have to manually link events from different tools. This turns a security incident into a tedious puzzle. Paradoxically, this multitude does not lead to greater protection, but to critical bottlenecks: 77% of respondents in the Barracuda survey report impeded detection and 78% report difficult threat mitigation.
Blind spots: The interfaces between products are often not adequately monitored. Attackers exploit precisely these gaps between the responsibilities of individual tools. A recent survey of more than 1,000 IT and security teams confirmed that the sheer volume of tools overwhelmed teams and increased the likelihood of errors due to unclear system responsibilities.
Alarm fatigue: A flood of uncoordinated alerts means that critical incidents get lost in the noise of false positives. The Heimdal State of MSP Agent Fatigue Report 2025 shows that more than half of MSPs experience daily or weekly alert fatigue.
The WAAP suite: An integrated protection compass instead of isolated solutions
This is where the idea of a WAAP (Web Application and API Protection) platform comes in. It is not just another application in the list, but a consolidation layer. Instead of treating web security, API protection, bot management, and DDoS defense as separate entities, such a solution bundles these functions under one roof. The result is a strategic triad:
1. Holistic approach instead of guesswork
A WAAP platform creates a common situational picture. Suspicious behavior is then no longer just an isolated log entry in a bot tool, but immediately becomes visible in the context of API abuse and unusual access patterns. This “single pane of glass” view enables faster and more informed decisions.
2. Consistency in policy enforcement
In a fragmented landscape, contradictions can arise between WAF rules and API security rules. An integrated platform enforces consistency: same identities, same risk signals, same enforcement points. This reduces errors and minimizes maintenance effort significantly.
3. Economic and personnel efficiency
Each individual tool incurs costs for licenses, training, and operation. A consolidated cloud platform reduces this overhead. Computationally intensive tasks such as TLS decryption and behavioral analysis are processed centrally at the network edge. This protects your own infrastructure and breaks down the knowledge silos that security teams already suffer from due to the shortage of skilled workers.
Strategic sovereignty instead of technical tool hopping
For decision-makers, choosing a protection suite primarily comes down to controllability. A landscape of isolated solutions that has grown over time is difficult to audit and cleanly embed in governance structures. A WAAP platform, on the other hand, provides a central anchor point for policies, reporting, and the prioritization of business risks.
Reduced complexity is a security factor
Integrated protection is not about “fewer features,” but about more control. A WAAP solution reduces the burden on infrastructure, provides a basis for decision-making, and enables teams to manage more risks with less effort.
In an increasingly hybrid and networked IT world, reducing complexity is not a technological luxury, but a business necessity. Anyone who understands applications and APIs for what they are today—namely, the heart of digital business—needs a protection model that can keep pace with this reality.
How much consolidation potential is there in your current security architecture? An integrated WAAP solution can reduce your operating costs and increase your level of protection.
Web applications are the backbone of modern businesses. They serve as sales platforms, customer interfaces, and process engines. There is no question that this infrastructure must be protected.
But in an IT landscape that is rapidly evolving toward APIs and microservices, one thing remains constant: standing still means risk. In light of this, is the classic protection approach still sufficient?
WAF: A model for a bygone web world
For years, the Web Application Firewall (WAF) was considered the gold standard for protecting enterprise applications from attacks from the internet. Its principle is simple: it checks HTTP requests, filters known attack patterns, and blocks classic attacks such as SQL injection or cross-site scripting. In a world where applications were used exclusively via browsers, this was a highly effective model.
But that world has changed. Today’s modern applications consist of a network of APIs, mobile clients, and automated integrations. Much of the data traffic no longer comes from humans, but from machines. This is where the classic WAF reaches its structural limits.
- Lack of context: For a WAF, APIs often appear to be “just another endpoint.”
- Masked abuse: Malicious bots or the misuse of business logic are often mistakenly interpreted as normal load.
- High overhead: The security model is becoming increasingly maintenance-intensive as it is based on increasingly complex rules and manual exceptions.
The question, therefore, is no longer whether you have a firewall, but whether it is intelligent enough to understand the context of modern data streams.
WAAP: Protection through understanding instead of just filtering
Web Application and API Protection (WAAP) is the answer to this development. It is not merely a replacement for WAF, but a new protection concept. The key difference lies in the holistic view of the attack surface.
What makes WAAP different
WAAP is more than just a new acronym: it is a cloud-native security platform that significantly expands the protective shield. While a WAF inspects each request in isolation, WAAP offers a holistic ecosystem.
- Specialized API security: WAAP solutions automatically detect APIs, validate schemas, and provide targeted protection against attacks that fly under the radar of traditional filters.
- Advanced bot management: Much of today’s traffic comes from bots. WAAP uses behavioral analysis to distinguish between useful search engine crawlers and malicious scraping or credential stuffing bots.
- DDoS protection at the application level: Since WAAP mostly operates in the cloud, massive waves of attacks can be intercepted before they even reach the local infrastructure.
- Offloading, scalability, and real-time upscaling: The computationally intensive analysis takes place in the provider’s cloud. This reduces the load on your own data center and enables dynamic scaling in real time (“real-time upscaling”) as traffic increases. This keeps latencies low and performance stable, even under load.
WAF vs. WAAP: A direct comparison

The strategic advantage
So why is WAAP “better” than an isolated WAF? It’s not because WAF is wrong, but because WAAP is its logical evolution. WAAP integrates the proven protection features of WAF and extends them with additional security, analysis, and protection mechanisms for modern web applications and APIs.
While WAF has long been the standard for application protection and is familiar to many, WAAP goes a crucial step further by combining WAF functionality and advanced protection measures in a single, integrated platform. WAAP is thus the next evolutionary step for WAF—more comprehensive, scalable, and better suited to the requirements of today’s dynamic infrastructures.
- WAF protects websites → WAAP protects applications and interfaces.
- WAF filters patterns → WAAP evaluates behavior.
- WAF scales through hardware/instances → WAAP scales as a platform.
When is the change necessary?
For small, purely browser-based applications, a classic WAF may suffice. However, for companies that rely on digital interfaces, WAAP is now the only option. WAAP takes the complexity out of security management and shifts the burden of inspection to where it can be handled most efficiently: at the network edge.
Would you like to learn how a WAAP solution can secure your specific web applications? Let’s analyze your current security architecture together.
Some DDoS attacks are loud. Others are large. And still others are one thing above all else: widespread. A recent incident in the Link11 network shows how effective so-called carpet bombing can be. Within just two minutes, not a single server but an entire “/20 network” with more than 4,000 IP addresses was attacked.
What at first glance appears to be a “normal” volumetric attack turns out, on closer inspection, to be a strategically thought-out approach.
What does a /20 network mean?
The term “/20” comes from CIDR notation and describes the size of an IP address range. An IPv4 address consists of 32 bits. If 20 bits are reserved for the network, 12 bits remain for individual hosts. This results in 4,096 IP addresses within this network.
So instead of targeting a single address, such as a web server, in this case the entire address space was attacked. Each of these 4,096 IP addresses received a portion of the attack traffic. This is precisely the core of carpet bombing: the load is distributed broadly across a network segment instead of escalating selectively.
500 gigabits per second – distributed across 4,000 targets
The attack reached a volume of around 500 Gbit/s and lasted only about two minutes. Technically, UDP traffic dominated. The global botnet spanned around 12,000 different IP addresses.
In purely mathematical terms, this means that each of the roughly 4,000 target addresses received an average of about 120 Mbit/s. Taken on its own, this does not seem unusual; many modern systems can process significantly more in the short term.
But the decisive factor is the shared infrastructure. If these 4,000 addresses are backed by a shared uplink, a data center, or a provider network, the load adds up. Even if each individual address is only moderately loaded, the total capacity of the network connection can be completely exhausted.
The result is comparable to a blocked main water pipe: each individual house may consume only a small amount of water, but if the central supply line is blocked, the faucet remains dry everywhere.
Why carpet bombing is difficult to detect
Precisely because the traffic is distributed, it often appears inconspicuous when viewed in isolation. Individual customers or systems “only” detect increased traffic, but no clearly recognizable DDoS attack. The actual structure only becomes apparent when the entire network is viewed.
In this case, the distribution of packet sizes was also remarkable. The traffic consisted almost exclusively of very small and very large packets, with hardly any of the broad spread of sizes that legitimate application traffic shows. Fragmented packets occurred only to a limited extent. Such a bimodal packet-size distribution strongly suggests automated traffic. For systems that rely on behavior and pattern analysis, this can be a clear indicator.
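As an added example (not part of the Link11 write-up), the following Python rolls per-destination traffic up by CIDR prefix, the view that makes the incident's arithmetic visible: the /20 size from the CIDR explanation above, the per-address average that looks harmless on its own, and the prefix total that exhausts a shared uplink. The thresholds, the 10.10.0.0/20 block and the flow figures are constructed assumptions.

```python
"""Roll per-destination traffic up into CIDR prefixes to expose carpet bombing."""
import ipaddress
from collections import defaultdict

# Assumed (constructed) thresholds: a 100 Gbit/s shared uplink behind the prefix and
# a 1 Gbit/s per-address alarm, as an endpoint-only monitor might use.
UPLINK_CAPACITY_BPS = 100_000_000_000
PER_IP_ALERT_BPS = 1_000_000_000


def prefix_host_count(cidr):
    """Addresses in a CIDR block: a /20 leaves 12 host bits, so 2**12 = 4096."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def aggregate_by_prefix(flows, prefix_len=20):
    """Sum bit rates per destination address, then roll them up into /prefix_len blocks.

    flows: iterable of (dst_ip, bits_per_second) for one measurement window.
    Returns {prefix: {"targets": n, "total_bps": sum, "max_single_bps": max}}.
    """
    per_ip = defaultdict(int)
    for dst, bps in flows:
        per_ip[str(ipaddress.ip_address(dst))] += bps
    per_prefix = {}
    for addr, bps in per_ip.items():
        net = str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))
        stats = per_prefix.setdefault(net, {"targets": 0, "total_bps": 0, "max_single_bps": 0})
        stats["targets"] += 1
        stats["total_bps"] += bps
        stats["max_single_bps"] = max(stats["max_single_bps"], bps)
    return per_prefix


def detect_carpet_bombing(flows, prefix_len=20):
    """Flag prefixes whose summed load exceeds the uplink although no single
    address trips the per-IP alarm: the pattern that isolated monitoring misses."""
    findings = []
    for net, stats in aggregate_by_prefix(flows, prefix_len).items():
        if stats["total_bps"] > UPLINK_CAPACITY_BPS and stats["max_single_bps"] < PER_IP_ALERT_BPS:
            findings.append({"prefix": net, **stats})
    return findings


def constructed_flows():
    """Constructed one-second window mirroring the incident's arithmetic, not its data:
    4,000 hosts in one /20 at 125 Mbit/s each (500 Gbit/s total) plus one busy host elsewhere."""
    net = ipaddress.ip_network("10.10.0.0/20")
    flows = [(str(ip), 125_000_000) for ip in list(net.hosts())[:4000]]
    flows.append(("10.20.0.1", 300_000_000))  # legitimate single hot host, well below the uplink
    return flows
```

Running the same detection with prefix_len=24 returns nothing, because each /24 carries at most 256 targets (about 32 Gbit/s here), so the aggregation prefix has to match the shared infrastructure (the uplink or provider block), not the smallest customer allocation.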

Global botnet structure
The sources of the attack were distributed worldwide. A significant proportion originated in China, with other large portions coming from North America, Europe, and other regions. At the network level, there was also a wide distribution across many autonomous systems.

This pattern points to an extensive botnet with a broad geographical reach. Such structures make attribution even more difficult, as the traffic is not limited to individual regions.
At the same time, the geopolitical context is striking. The attacked company is located in a region that has been at the center of international tensions for years. Internal evaluations show that this is not an isolated incident. Comparable attacks have occurred repeatedly at this customer’s site in recent months, some on a similar scale.
In this environment, DDoS attacks are no longer exclusively economically motivated. They serve as a political signal or as an instrument of hybrid warfare.
Two minutes are enough
The short duration of the attack is remarkable. Only a few minutes passed between the start and the end of the DDoS attack. Such “hit-and-run” attacks are not necessarily aimed at long-term overload. Rather, they can be aimed at testing resilience, probing protective mechanisms, or causing selective disruptions.
Their brevity does not make them any less relevant – on the contrary. Short, intense attacks in particular can challenge monitoring mechanisms that are designed for longer periods of time.
Area instead of focus
Carpet bombing illustrates a strategic shift in the field of DDoS attacks. Unlike traditional attacks, which target individual IP addresses or services directly, this method targets the network as a whole.
The load is distributed in such a way that, when viewed individually, it appears harmless, but when added together, it impairs critical infrastructure. Those who only monitor isolated endpoints may only recognize the symptoms, but not the underlying pattern.
The brief attack shows how an entire network segment can be put under pressure. Technically, it was not a record. But the structure makes it clear that modern DDoS strategies no longer rely on spectacular peak values but on intelligent distribution. And that is precisely where their real strength lies.
Take your DDoS resilience to the next level
Carpet bombing is just one of many attack methods that put pressure on modern infrastructures. Learn how Link11 detects and stops complex DDoS attacks in real time.
Link11, a European provider of cloud-based IT security solutions, was honored at the G2 Best Software Awards 2026, ranking 22nd in the Best German Software Companies category. As the world’s largest software marketplace, G2 reaches over 100 million buyers annually. The regular Best Software Awards recognize the world’s best software companies and products based on authentic and up-to-date reviews from real users.
The award at the “G2 Best Software Awards 2026” confirms Link11’s mission: to protect companies from increasingly complex cyber threats with highly effective and easily integrable security solutions, and to give them full control over their web and API infrastructures.
“This award is particularly valuable to us because it is based directly on feedback from our customers,” says Jens-Philipp Jung, CEO of Link11. “It confirms our commitment to developing security solutions that offer real added value and earn the trust of our customers. At the same time, the award underscores our strong position as a reliable partner for securing business-critical digital infrastructures.”
“As buyers increasingly use AI-powered research to find software solutions, recommendations must be backed by credible and reliable evidence,” says Godard Abel, co-founder and CEO of G2. “Our Best Software Awards are based on verified customer reviews and trusted data. They provide buyers with objective guidance and also form an important basis for AI-powered recommendations. We congratulate this year’s winners, including Link11. A place in these rankings represents demonstrable customer value and real impact.”
About the G2 Best Software Awards
The G2 Best Software Awards 2026 comprise dozens of rankings that evaluate software vendors and products using G2’s proprietary algorithm. These are based on verified user reviews and publicly available data on market presence. To be considered for the award, a software company or product must have received at least ten approved reviews in the 2025 calendar year. The results are based solely on reviews from this period.