DDoS Attack Handbook CSP.

This document provides an overview of common DDoS attack types that target service providers, including memcached amplification attacks, SYN floods, HTTP/S floods, NTP amplification attacks, and more. It discusses how DDoS attacks can impact service providers by overwhelming network resources and denying service to legitimate users. The document also summarizes how Allot Communications' DDoS protection solution is able to detect and mitigate both known and unknown DDoS attacks in real-time to ensure service availability and quality of experience for customers.

DDoS ATTACK HANDBOOK

Service Providers

© 2018 Allot Communications, Ltd. All rights reserved | DDoS Attack Handbook - Service Providers
CONTENTS

Introduction  3
Fighting DDoS  4
Memcached Amplification Attack  6
SYN Flood  7
HTTP/S Flood  8
TOS Flood  9
NTP Amplification  10
UDP Fragmentation  11
UDP Flood  12
Ping Flood  13
ACK Flood (or ACK-PUSH Flood)  14
DNS Flood  15
Amplified DNS Flood  16
RST/FIN Flood  17
SSDP Reflected Amplification Attack  18
IoT Botnet Attack  19
LDAP Amplification Attack  20
CLDAP Reflection Attack  21
CHARGEN Reflective Flood  22
SNMP Reflected Amplification Attack  23
Tsunami SYN Flood  24
INTRODUCTION

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have plagued commercial and enterprise networks since the 1970s. In terms of damage to network infrastructure, service continuity and business reputation, DoS/DDoS attacks have racked up some of the most successful cyberattacks to date.

Historically, Communication Service Providers (CSPs) assigned low risk to their chances of being attacked and avoided taking protective measures, assuming they could dodge the DDoS bullet. Today, technological advances have made it easier to launch flooding attacks and to increase the scope of damage. CSPs can no longer afford to take a reactive approach that assumes, "If it hasn't happened to my network, it probably won't. And if it does, I'll handle it then." Deferred action is no longer a viable option.

One of the main factors driving CSPs to adopt a DDoS Protection strategy is the rise in enterprises that are migrating data centers and IT infrastructure to the service provider cloud. Business services are a growing source of CSP revenue. They are based on SLAs defining the service capacity, availability and performance that the CSP promises to deliver. That business needs to be protected from attack.

Another factor is the Quality of Experience (QoE) that consumers expect from their CSP. Sluggish response time is not appreciated and downtime is not tolerated. To assure service availability and performance, CSPs must take measures to protect against DDoS attacks that are designed to overwhelm network resources and deny service to legitimate users.

This DDoS Attack Handbook outlines the most common attacks and their implications for CSP network assets and business. For every attack, real customer success stories demonstrate how Allot's DDoS Protection solution, powered by Allot DDoS Secure, is helping CSPs establish a highly effective first line of defense against cyber threats.
FIGHTING DDoS

WHAT IS A DDOS ATTACK?

A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack occurs when one or many compromised (that is, infected) systems launch a flooding attack on one or more targets, in an attempt to overload their network resources and disrupt service or cause a complete service shutdown.

NEUTRALIZING ATTACKS AS THEY OCCUR

Massive DDoS attacks can cause immediate service interruption. Effective protection must be able to detect the attack and act fast enough to thwart it, so there is little or no impact on the network and/or its hosted targets. Fast detection and mitigation is even more important when dealing with hit-and-run DDoS attacks that are designed to do maximum damage in just a few minutes and then disappear.

Allot's DDoS Protection solution, powered by Allot DDoS Secure, detects and mitigates DDoS attacks inline, on the spot, within seconds, leaving the CSP network and hosted targets unharmed. Allot's inline advantage and real-time detection make the solution highly effective even for fragmented DDoS attacks.

DETECTING AND MITIGATING TOMORROW'S ATTACKS

Cybercriminals continually hone their methods and change their tactics, such that DDoS attacks exceeding 100 Gbps are no longer uncommon. Often there is no advance warning or known signature for an attack, as cybercriminals leverage the element of surprise to avoid detection and inflict maximum damage before the CSP can figure out what is going on and respond. To protect service networks against today's and tomorrow's attacks, service providers need a solution that can scale to match the ever-increasing volume and innovation of these attacks.

The patented Network Behavior Anomaly Detection (NBAD) technology inside Allot's DDoS Secure enables CSPs to identify unknown (zero-day) attacks which have never been seen before and mitigate them in seconds. Allot's DDoS Secure runs on Allot's multiservice platform, which provides scalable capacity to detect and mitigate massive attacks coming in even at terabits per second. Allot's multiservice platform also provides granular policy management. This allows CSPs to accurately block attack traffic and avoid false positives, and to trigger traffic shaping to assure user Quality of Experience (QoE).

STOPPING INBOUND AND OUTBOUND THREATS

While most DDoS Protection systems focus on inbound attacks, outbound DDoS that originates within the CSP network and attacks external targets can also exhaust network resources and impact QoE. Allot's inline deployment protects equally against both inbound and outbound DDoS attacks.

MULTILAYER DEFENSE STRATEGY WORKS BEST

DDoS detection and mitigation solutions are a first line of defense in stopping the attack and assuring service availability. But what about quality of experience? How can CSPs assure the delivery of critical applications at all times, even during an attack? Or how can CSPs prevent individual users who are generating abnormal volumes of traffic (not an attack, per se) from eating up available bandwidth? With a multilayer approach and a multiservice platform like Allot Service Gateway, CSPs can combine proactive defense measures such as policy-based traffic shaping with the event-triggered measures of DDoS mitigation.
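The behavior-based detection described above can be made concrete with a small baseline detector. The following is an added example and not Allot's code or the NBAD implementation: it keeps an exponentially weighted mean and variance of packets per second for each destination and flags any second whose rate exceeds the learned baseline by a margin, which is why an attack with no known signature is still caught within seconds of starting. The telemetry, addresses and thresholds are constructed for the example.

```python
"""Baseline-and-deviation rate detector.

Added example, not Allot code: it illustrates the behaviour-based approach the
section describes with an exponentially weighted mean and variance of packets
per second per destination. A second whose rate exceeds mean + K*stddev is
flagged, and the baseline is only updated from samples judged normal so a flood
cannot teach the detector that it is normal. All telemetry is constructed.
"""
import math
import random
from collections import defaultdict


class RateBaseline:
    def __init__(self, alpha=0.05, k=6.0, min_rel=0.05, min_floor=200.0, warmup=30):
        self.alpha = alpha          # weight of each new sample in the moving average
        self.k = k                  # standard deviations above the mean that count as abnormal
        self.min_rel = min_rel      # floor for stddev as a fraction of the mean (kills jitter alerts)
        self.min_floor = min_floor  # absolute pps floor so a near-idle host does not alarm on noise
        self.warmup = warmup        # samples to learn before any alert is raised
        self.mean = {}
        self.var = {}
        self.count = defaultdict(int)

    def observe(self, key, pps):
        """Feed one per-second sample for key; return True if it is anomalous."""
        self.count[key] += 1
        if key not in self.mean:
            self.mean[key], self.var[key] = float(pps), 0.0
            return False
        mean, var = self.mean[key], self.var[key]
        std = max(math.sqrt(var), self.min_rel * mean)
        threshold = max(mean + self.k * std, self.min_floor)
        anomalous = self.count[key] > self.warmup and pps > threshold
        if not anomalous:
            diff = pps - mean
            self.mean[key] = mean + self.alpha * diff
            self.var[key] = (1.0 - self.alpha) * (var + self.alpha * diff * diff)
        return anomalous


def detect(samples, **kwargs):
    """samples: iterable of (second, destination, pps). Returns the flagged samples."""
    baseline = RateBaseline(**kwargs)
    return [s for s in samples if baseline.observe(s[1], s[2])]


def constructed_samples():
    """150 s of ~1000 pps (+-50 jitter) toward one host, with a hit-and-run
    burst of ~40000 pps during seconds 120-129. Constructed data."""
    rng = random.Random(7)
    out = []
    for sec in range(150):
        pps = 1000 + rng.randint(-50, 50)
        if 120 <= sec < 130:
            pps = 40000 + rng.randint(-1000, 1000)
        out.append((sec, "203.0.113.10", pps))
    return out


if __name__ == "__main__":
    for sec, dst, pps in detect(constructed_samples()):
        print(f"t={sec:3d}s {dst}: {pps} pps exceeds baseline")
```

In a real deployment the key would be (destination, protocol, port) and the samples would come from flow exports or inline counters; the important design choice is that an anomalous sample does not update the baseline, otherwise a slowly ramping flood becomes the new normal.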
FIGHTING DDoS

ACCURATE VISIBILITY TO ASSESS ATTACK IMPACT

Visibility is critical to effective DDoS Protection. Visibility includes essential threat intelligence stats that facilitate root cause investigation to find out: How big is the attack? What type is it? Who is the attacker? What are the targets? Allot's multiservice platform enables CSP analysis of network usage statistics together with threat intelligence to obtain a more advanced assessment of DDoS attack impact on the service provider's business.

For example, how was subscriber and/or application QoE affected during the DDoS attack? This information is even more important to CSP business customers, who range from private enterprises (such as finance, retail, and health) to public organizations and government agencies.

Figure: Allot Inbound DDoS Protection. Infected bots outside the network send flooding attacks through the external edge toward the core, threatening service availability, while legitimate traffic shares the same links.
1. Mitigate attacks in seconds: eliminate congestion on costly transit links
2. Protect the perimeter: prevent overload on routers, firewalls, load balancers
3. Assure service availability: legitimate traffic continues to flow

Figure: Allot Outbound Bot Containment. Infected IoT devices inside the network generate illegitimate outbound bot traffic that congests the network.
1. Guarantee QoE: prioritize delivery of critical apps during attack
2. Block botnet traffic: only botnet traffic is blocked while legitimate traffic behind the NAT IP flows freely
3. Isolate the bots: isolate them from the network and block attempts to spread infection
MEMCACHED AMPLIFICATION ATTACK

WHAT IS A MEMCACHED ATTACK?

Memcached attacks are a type of User Datagram Protocol (UDP) reflected amplification attack which uses vulnerable memcached servers exposed on the Internet. The attacker first stores a large value in the memcached server's key store. It then sends small requests for that value over UDP, using a forged source IP address (the target's), to thousands of memcached servers which are open on the Internet. The servers respond by sending many UDP packets from source port 11211 to the target. The potency of the attack is due to memcached servers amplifying the spoofed requests by a factor of up to 50,000.

In February 2018, before publication of the record-breaking memcached attack, Allot's bi-directional, inline DDoS Secure solution successfully detected and prevented such attacks observed in multiple customer networks worldwide. Below is an example:

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends IP-spoofed requests to open memcached UDP servers on the Internet; the servers' responses are delivered to the victim, alongside legitimate traffic.

Service Provider Potential Risks

The CSPs' customers will experience protracted service interruption due to extreme network congestion caused by the bombardment of critical services with voluminous memcached responses, which in the record-breaking attacks of early 2018 exceeded a terabit per second.

Learn how Allot helped a European service provider stop memcached attacks
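The amplification arithmetic above becomes concrete once the memcached UDP framing is written out. The following is an added example, not Allot code and not part of memcached itself: it builds the small `stats` probe a reflector will answer, reassembles a multi-datagram reply using the 8-byte UDP frame header (request ID, sequence number, datagram count, reserved), and computes the byte amplification. The reply datagrams are constructed; the probe should only ever be sent to hosts you own, and a reply to it from the Internet side means the server is an open reflector whose UDP listener should be disabled (`memcached -U 0`).

```python
"""Memcached UDP framing and amplification arithmetic (added example, not Allot code)."""
import struct

MEMCACHED_PORT = 11211
HEADER = struct.Struct("!HHHH")   # request id, sequence number, total datagrams, reserved


def build_probe(command=b"stats\r\n", request_id=0x1234):
    """One datagram (sequence 0 of 1) carrying an ASCII command: 15 bytes for 'stats'."""
    return HEADER.pack(request_id, 0, 1, 0) + command


def split_frames(datagrams):
    """Group raw datagrams by request id: {rid: [(seq, total, payload), ...]}."""
    out = {}
    for dg in datagrams:
        if len(dg) < HEADER.size:
            continue                                   # runt, not a memcached frame
        rid, seq, total, _reserved = HEADER.unpack_from(dg)
        out.setdefault(rid, []).append((seq, total, dg[HEADER.size:]))
    return out


def reassemble(datagrams, request_id):
    """Return the full reply payload for request_id, or None if any frame is missing."""
    frames = split_frames(datagrams).get(request_id, [])
    if not frames:
        return None
    total = frames[0][1]
    by_seq = {seq: payload for seq, t, payload in frames if t == total}
    if set(by_seq) != set(range(total)):
        return None
    return b"".join(by_seq[i] for i in range(total))


def amplification_factor(request, reply_datagrams):
    """Ratio of UDP payload bytes the reflector emits to bytes the attacker had to send."""
    return sum(len(d) for d in reply_datagrams) / len(request)


def constructed_reply(request_id=0x1234, datagram_payload=1400, count=10):
    """Constructed stand-in for a reflector's answer: `count` datagrams of `datagram_payload`
    bytes of STAT lines each, returned in reverse order to exercise reassembly."""
    body = (b"STAT pid 1 \r\nSTAT uptime 12 \r\n" * 100)[:datagram_payload]
    frames = [HEADER.pack(request_id, i, count, 0) + body for i in range(count)]
    return frames[::-1]


if __name__ == "__main__":
    probe, reply = build_probe(), constructed_reply()
    print("probe bytes:", len(probe))
    print("reassembled reply bytes:", len(reassemble(reply, 0x1234)))
    print("amplification: %.0fx" % amplification_factor(probe, reply))
```

With a 15-byte request and ten 1,408-byte reply datagrams the constructed case already yields roughly 940x; a `get` of a deliberately stored 1 MB value is what pushes real attacks toward the factor quoted above.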
SYN FLOOD

WHAT IS A SYN FLOOD?

A SYN Flood, often generated by botnets, is designed to consume resources of the victim server, such as a firewall or other perimeter defense elements, in an attempt to overwhelm its capacity limits and bring it down. The target receives SYN packets at very high rates which rapidly fill up its connection state table, resulting in disconnections, dropping of legitimate traffic packets, or, even worse, element reboot.

SYN Floods exploit the TCP (Transmission Control Protocol) three-way handshake process to wreak havoc. The attack floods multiple TCP ports on the target system with SYN messages requesting to initiate a connection between the source system and the target system. The target responds with a SYN-ACK message for each SYN message it receives and allocates a half-open connection entry (SYN_RECV state) in its backlog while it waits for the final ACK message from the source in response to each SYN-ACK. The attacker never sends the final ACK and therefore the connection is never completed. The half-open entry will eventually time out and be removed, but not before the target system is overwhelmed with incomplete connections accumulated in its state table.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: attacker botnets send spoofed SYN requests to the target server; the server answers each with a SYN-ACK while legitimate users are starved.
Step 1: Attacker sends many SYN requests
Step 2: Victim server sends SYN/ACK but attacker does not reply
Step 3: Server state table overloads and legitimate users are not served

Service Provider Potential Risks

Once the SYN Flood succeeds in taking down perimeter defense elements, consumer and enterprise customers as well as the CSP's own services remain unprotected and exposed to security threats until the attack is neutralized and systems are restored.

Learn how Allot helps a Tier-1 service provider in North America fight SYN Flood attacks
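The state-table exhaustion described above, and the standard server-side answer to it, can be shown side by side. The following is an added example and not from the handbook: `HalfOpenTable` models a server that reserves a backlog slot per SYN until the ACK arrives or the entry times out, and `simulate_flood` shows the second at which a legitimate SYN is first refused; `make_cookie`/`check_cookie` implement the SYN-cookie alternative, in which the server encodes the connection identity and a coarse timestamp into the initial sequence number of its SYN-ACK and allocates state only when a verifying ACK comes back. The layout follows the classic scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the secret, addresses and rates are made up.

```python
"""SYN cookies versus a half-open connection table (added example, not Allot code)."""
import hashlib
import hmac
import ipaddress
import os
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values a 3-bit index can stand for


def _mac(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = (ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
           + struct.pack("!HHI", sport, dport, t))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, mss, t):
    """Return the 32-bit ISN for the SYN-ACK. t is a coarse counter (e.g. time() // 64)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return ((t & 0x1F) << 27) | (idx << 24) | _mac(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, ack, now):
    """Validate the ACK number (ISN + 1) of a handshake-completing segment.
    Returns the MSS to use, or None if the cookie is forged or older than one period."""
    isn = (ack - 1) & 0xFFFFFFFF
    t_low, idx = isn >> 27, (isn >> 24) & 0x7
    for age in (0, 1):                     # accept the current and the previous period
        t = now - age
        if (t & 0x1F) == t_low and (isn & 0xFFFFFF) == _mac(secret, saddr, daddr, sport, dport, t):
            return MSS_TABLE[idx]
    return None


class HalfOpenTable:
    """Server without cookies: every SYN holds a slot until ACK or timeout."""

    def __init__(self, backlog, timeout):
        self.backlog, self.timeout, self.entries = backlog, timeout, {}

    def syn(self, key, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}
        if len(self.entries) >= self.backlog:
            return False                   # backlog full: this SYN is dropped
        self.entries[key] = now
        return True


def simulate_flood(backlog=1024, timeout=60, attack_rate=100, seconds=20):
    """Constructed scenario: attack_rate spoofed SYNs per second that never complete the
    handshake. Returns the second at which a legitimate SYN is first refused, else None."""
    table = HalfOpenTable(backlog, timeout)
    for sec in range(seconds):
        for i in range(attack_rate):
            table.syn(("198.51.100.%d" % (i % 250 + 1), 40000 + sec * attack_rate + i), sec)
        if not table.syn(("192.0.2.7", 50000 + sec), sec):
            return sec
    return None


if __name__ == "__main__":
    secret = os.urandom(32)
    isn = make_cookie(secret, "192.0.2.7", "203.0.113.5", 50000, 443, 1460, t=100)
    print("cookie verifies, MSS =", check_cookie(secret, "192.0.2.7", "203.0.113.5", 50000, 443, isn + 1, 100))
    print("legitimate SYN first refused at second", simulate_flood())
```

With a 1,024-entry backlog and a 60-second timeout, a mere 100 spoofed SYNs per second locks out new clients within about ten seconds; with cookies there is no table to fill, at the cost of losing TCP options that do not fit in the ISN, which is why operating systems enable cookies only once the backlog overflows.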
HTTP/S FLOOD

WHAT IS AN HTTP/S FLOOD ATTACK?

HTTP (and its encrypted form HTTPS) is the application-layer protocol for browser-based Internet requests, commonly used to load webpages or to send form content over the Internet. In an HTTP/S flood attack the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web service or application. These attacks often utilize large botnets such as infected IoT devices. The devices are coordinated to send multiple GET requests for image files or some other asset from the target web server. The flood of HTTP requests depletes the server resources until denial of service occurs for requests coming from legitimate users. An HTTP flood can also be launched by sending multiple POST requests, which trigger intensive processing on the server and saturate server resources even more quickly.

Figure: attacker botnets send repeated "HTTP GET / index.php" requests to the web server.

Service Provider Potential Risks

CSP web services become overwhelmed and innocent customers will become service-denied.

Learn how Allot helped stop HTTP/S Flood Attacks
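Because every request in an HTTP flood is well-formed, detection has to work on request behaviour per client rather than on packet content. The following is an added example, not from the handbook or Allot: a per-client budget over a sliding window, run over constructed combined-format access-log lines, in which a POST costs five times a GET because, as described above, a POST triggers server-side work and exhausts capacity sooner. The flagged record also lists the distinct paths the client requested, which helps triage (a bot typically hammers one resource) but is deliberately not required for the flag, since bots can randomize query strings.

```python
"""Per-client weighted request budget over a sliding window (added example, not Allot code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COST = {"GET": 1, "HEAD": 1, "POST": 5}     # POST is weighted for its server-side cost


def parse(line):
    """Combined log format -> dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "t": datetime.strptime(m["ts"], TS_FMT).timestamp(),
            "method": m["method"], "path": m["path"]}


class FloodDetector:
    def __init__(self, window=10.0, budget=100):
        self.window, self.budget = window, budget
        self.history = defaultdict(deque)   # ip -> (time, cost, path) records inside the window
        self.flagged = {}                   # ip -> (time flagged, cost at that moment, distinct paths)

    def feed(self, rec):
        q = self.history[rec["ip"]]
        q.append((rec["t"], COST.get(rec["method"], 2), rec["path"]))
        while q and rec["t"] - q[0][0] > self.window:
            q.popleft()                     # drop records that fell out of the window
        cost = sum(c for _, c, _ in q)
        if cost > self.budget and rec["ip"] not in self.flagged:
            self.flagged[rec["ip"]] = (rec["t"], cost, sorted({p for _, _, p in q}))
        return rec["ip"] in self.flagged


def scan(lines, **kwargs):
    det = FloodDetector(**kwargs)
    for line in lines:
        rec = parse(line)
        if rec:
            det.feed(rec)
    return det.flagged


def constructed_log():
    """Constructed combined-format log: a GET bot, a POST bot and one real browser."""
    ts = "10/Mar/2018:12:00:%02d +0000"
    lines = [f'198.51.100.23 - - [{ts % (i // 15)}] "GET /index.php HTTP/1.1" 200 5120'
             for i in range(150)]                       # 150 GETs of one file in 10 s
    lines += [f'198.51.100.24 - - [{ts % (i // 3)}] "POST /login HTTP/1.1" 401 312'
              for i in range(25)]                       # 25 login POSTs in 9 s
    assets = ["/", "/css/site.css", "/js/app.js", "/img/logo.png", "/api/feed"]
    lines += [f'192.0.2.10 - - [{ts % (i // 2)}] "GET {assets[i % 5]} HTTP/1.1" 200 2048'
              for i in range(20)]                       # a browser loading a page
    return lines


if __name__ == "__main__":
    for ip, (t, cost, paths) in scan(constructed_log()).items():
        print(f"{ip}: weighted cost {cost} inside the window, paths {paths}")
```

Behind carrier-grade NAT many subscribers share one address, so in a CSP the key would be the subscriber (or, for HTTPS, the TLS session) rather than the source IP, and the budget tuned from the per-client distribution seen in normal traffic.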
TOS FLOOD

WHAT IS A TOS FLOOD?

In a TOS (Type of Service) Flood, attackers forge the TOS byte of the IP packet header. In current IP the TOS byte is the Differentiated Services field: its six high bits carry the DiffServ code point (DSCP) that selects a forwarding class and its two low bits carry Explicit Congestion Notification (ECN). There are two known types of TOS attack scenarios. In the first, the attacker forges the ECN bits, setting Congestion Experienced (CE) on packets so that the receiving host signals congestion back to its peer, which reduces the throughput of individual connections and causes a server to appear out of service or non-responsive. In the second, the attacker sets a high-priority DiffServ class in the TOS field to give attack traffic priority over legitimate traffic in order to intensify the impact of the DDoS attack.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends packets with a spoofed TOS byte; a legitimate user tries to connect to the server but fails.

Service Provider Potential Risks

CSPs will see their services slow down or become non-responsive due to reduced connection throughput caused by the TOS forging. Applications like VoIP, that require fast response time, will suffer dropped calls and bad QoE due to attack traffic receiving higher DiffServ priority than legitimate VoIP traffic.

Learn how Allot helps a Tier-1 Operator in LATAM fight TOS Flood attacks
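The second scenario has a simple border-side fix: never trust a DSCP value set by an outside party. The following is an added example, not Allot code: it builds a minimal IPv4 header with a valid checksum, splits the TOS byte into DSCP and ECN, and applies the policy of rewriting any DSCP that is not on an allow-list to best effort (0), recomputing the header checksum. ECN bits are left to the endpoints, but a Congestion Experienced mark arriving from outside is reported so its rate per source can be watched for the first scenario. The packets and addresses are constructed.

```python
"""Reading and re-marking the DS/TOS byte at a network border (added example, not Allot code)."""
import ipaddress
import struct

EF = 46                 # Expedited Forwarding, the DSCP normally used for VoIP
ECN_CE = 3              # Congestion Experienced


def ipv4_checksum(header):
    """One's-complement sum over the header (checksum field zeroed by the caller)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(tos, src, dst, proto=17, payload_len=0, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_ok(hdr):
    ihl = (hdr[0] & 0x0F) * 4
    return ipv4_checksum(hdr[:ihl]) == 0     # a valid header sums to all ones


def parse_tos(hdr):
    return {"dscp": hdr[1] >> 2, "ecn": hdr[1] & 0x3}


def remark_untrusted(hdr, allowed_dscp=frozenset({0})):
    """Return (new_header, ce_seen). DSCP outside allowed_dscp is rewritten to 0."""
    ihl = (hdr[0] & 0x0F) * 4
    dscp, ecn = hdr[1] >> 2, hdr[1] & 0x3
    new = bytearray(hdr)
    if dscp not in allowed_dscp:
        new[1] = ecn                       # DSCP 0, ECN bits preserved
        new[10:12] = b"\0\0"
        new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new[:ihl])))
    return bytes(new), ecn == ECN_CE


def apply_policy(packets, allowed_dscp=frozenset({0})):
    """Run the border policy over a batch; returns (rewritten packets, remarked count, CE count)."""
    remarked = ce_marked = 0
    out = []
    for pkt in packets:
        before = parse_tos(pkt)["dscp"]
        new, ce = remark_untrusted(pkt, allowed_dscp)
        remarked += parse_tos(new)["dscp"] != before
        ce_marked += ce
        out.append(new)
    return out, remarked, ce_marked


def constructed_packets():
    """Constructed inbound batch: 3 attack packets claiming EF priority and CE,
    one plain packet, one marked EF only."""
    attack = build_ipv4((EF << 2) | ECN_CE, "198.51.100.9", "203.0.113.20", payload_len=100)
    return [attack] * 3 + [build_ipv4(0, "192.0.2.44", "203.0.113.20", payload_len=60),
                           build_ipv4(EF << 2, "192.0.2.45", "203.0.113.20", payload_len=60)]


if __name__ == "__main__":
    out, remarked, ce = apply_policy(constructed_packets())
    print(f"remarked {remarked} of {len(out)} packets; {ce} arrived with CE set")
```

Trusted peers that legitimately carry EF (an interconnect partner delivering voice, for instance) go on the allow-list per ingress interface; everything else enters the network as best effort, so forged priority buys the attacker nothing.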
NTP AMPLIFICATION

WHAT IS NTP AMPLIFICATION?

In an NTP (Network Time Protocol) amplification attack, an attacker sends small NTP requests to servers on the Internet with the source IP address spoofed to be the victim's (often the victim's own NTP infrastructure), resulting in a very high volume of NTP responses. Since the requests carry the victim's address, all of the reflected and amplified responses flood the victim's NTP server. The NTP response packets resemble real NTP traffic, making this attack difficult to detect. The amplification factor may reach 50X or more (the legacy monlist command, which returns the addresses of up to 600 recent clients, yields replies several hundred times the size of the request), resulting in massive flooding which can take the NTP server or the entire network offline.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker's botnets send spoofed requests to NTP servers, whose responses are delivered to the target.

Service Provider Potential Risks

Service provider customers experience unpredictable interruptions in connectivity due to the attack taking down the NTP server and/or the entire CSP network.

Learn how Allot helps VOO fight NTP Amplification attacks
UDP FRAGMENTATION

WHAT IS UDP FRAGMENTATION?

UDP Fragmentation attacks send UDP datagrams larger than the path MTU (1,500 bytes on Ethernet), so that they are split into IP fragments, which consumes more network bandwidth. Since the fragments usually cannot be reassembled (the attacker withholds or corrupts some of them), they consume significant resources on stateful devices such as firewalls along the traffic path, which must hold the partial fragments in memory until a reassembly timeout expires. When combined with other types of flood attacks, this may result in the dropping of legitimate traffic by the destination server being flooded.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends large fragmented UDP packets at the target; the firewall is overloaded and cannot handle any new connections, so legitimate users cannot get through.

Service Provider Potential Risks

CSP customers experience connectivity issues as a result of attack traffic congesting network resources.

The CSP remains unprotected for long hours due to overwhelmed perimeter defense elements which were brought down.

Learn how Allot helps VOO fight UDP Fragmentation attacks
UDP FLOOD

WHAT IS A UDP FLOOD?

In a UDP Flood, attackers send small spoofed UDP packets at a high rate to random ports on the victim's system using a large range of source IPs. This consumes essential network element resources on the victim's network, which are overwhelmed by the large number of incoming UDP packets. Often victim servers start to reply with ICMP destination unreachable packets for every closed port, adding to the load. UDP floods are difficult to detect and block because they often do not match a consistent pattern, and are therefore effective in exhausting network resources until the target goes offline.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends UDP datagrams to the victim with a spoofed source address; the target answers with ICMP destination unreachable messages.

Service Provider Potential Risks

Unpredictable network congestion caused by attack traffic that is consuming bandwidth will affect network performance and customer QoE. If not detected, the CSP may assume bandwidth capacity is not sufficient for increasing demand, but this problem cannot be solved by a bandwidth expansion or an expensive network infrastructure upgrade.

Learn how Allot helps BVU fight UDP Floods
PING FLOOD

WHAT IS A PING FLOOD?

In a Ping Flood, an attacker sends spoofed ICMP echo request (ping) packets at a high rate, either from random source IP ranges directly at the victim, or with the victim's IP address as the source. Most devices on a network will, by default, respond to a ping by sending an echo reply to the source IP address. In the second variant, if numerous endpoints on the network receive and respond to these pings, the victim's IP addresses are flooded with echo replies (a reflection pattern) and their devices, computers and servers become unusable.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends ICMP echo requests with source = victim's IP; the ICMP echo replies are delivered to the victim.

Service Provider Potential Risks

Unpredictable network congestion caused by attack traffic that is consuming bandwidth will affect network performance and customer QoE. If not detected, a CSP may assume bandwidth capacity is not sufficient for increasing demand, but this problem cannot be solved by a bandwidth expansion or an expensive network infrastructure upgrade.

Learn how Allot helps BVU fight UDP Floods
ACK FLOOD (OR ACK-PUSH FLOOD)

WHAT IS AN ACK FLOOD?

In an ACK or ACK-PUSH Flood, attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates. In other words, they acknowledge session requests that were never sent and do not exist. Packets that do not belong to any existing session on the victim's firewall or any security device along the path generate unnecessary lookups in the state tables. This extra load exhausts system resources.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends spoofed ACK and spoofed SYN-ACK packets at the victim, each of which triggers a state-table lookup.

Service Provider Potential Risks

Once the ACK Flood succeeds in taking down perimeter defense elements, CSP consumer and enterprise customers as well as the CSP's own services remain unprotected and exposed to security threats until the attack is neutralized and systems are restored.

Learn how Allot helps an ISP in North America stop ACK Floods
DNS FLOOD

WHAT IS A DNS FLOOD?

A DNS Flood sends spoofed DNS requests at a high packet rate and from a wide range of source IP addresses to the target network. Since the requests appear to be valid, the victim's DNS servers respond to all the spoofed requests, and their capacity can be overwhelmed by the sheer number of requests. This attack consumes large amounts of bandwidth and other network resources. Eventually, it exhausts the DNS infrastructure until it goes down, taking the victim's Internet access (WWW) and hosted sites offline with it.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: attacker botnets send spoofed DNS queries to the open DNS resolver, whose large DNS responses go to the target.

Service Provider Potential Risks

Customers lose access to the Internet in general or to specific sites hosted by the CSP network, causing damage to CSP reputation and/or hosting SLAs.

Learn how Allot helps a National Broadband Carrier in Africa stop DNS Floods
AMPLIFIED DNS FLOOD

WHAT IS AN AMPLIFIED DNS FLOOD?

An Amplified DNS Flood is a DNS attack on steroids! It takes advantage of the open recursive DNS server infrastructure to overwhelm the spoofed target victim with large volumes of traffic. The attacker sends small DNS requests with a spoofed IP address to open DNS resolvers on the Internet. The DNS resolvers reply to the spoofed IP address with responses that are far larger than the request. All of the reflected/amplified responses come back to flood the victim's DNS server(s), which usually takes them offline. Since the DNS requests and responses look 100% normal, this attack is most effectively detected by technologies based on anomalies in network behavior, rather than just packet inspection.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker-controlled botnet sends small spoofed DNS requests to an open DNS resolver, whose amplified responses are delivered to the victim server.

Service Provider Potential Risks

Customers lose access to the Internet in general or to specific websites hosted by the CSP network, causing damage to CSP reputation and/or hosting SLAs.

Learn how Allot helps VOO stop Amplified DNS Floods
RST/FIN FLOOD

WHAT IS A RST/FIN FLOOD?

In TCP, a FIN packet says, "We're done talking, please acknowledge" and waits for an ACK response. An RST packet says, "Session over" and resets the connection without an ACK. In an RST/FIN Flood, attackers send a high rate of spoofed RST or FIN packets in an attempt to use up resources on the target.

Since the spoofed packets do not belong to any session, they require victim servers or firewalls, which rely on stateful traffic inspection, to constantly look up and try to match them to an existing session. These fruitless lookups eventually exhaust system resources.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends spoofed RST or FIN packets at the target, each of which triggers a state-table lookup.

Service Provider Potential Risks

Once the RST/FIN Flood succeeds in taking down perimeter defense elements, CSP consumer and enterprise customers as well as the CSP's own services remain unprotected and exposed to security threats until the attack is neutralized and systems are restored.

Learn how Allot helps a Tier-1 Operator in LATAM fight RST/FIN Flood attacks
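The ACK flood and the RST/FIN flood share one signature from the stateful device's point of view: TCP segments that match no connection in either direction. The following is an added example, not Allot code, serving both sections: a minimal session table classifies each segment as opening a new session, belonging to one, or an orphan, and the orphan count per destination per second is what gets flagged (per source is useless here, since every spoofed segment can carry a different source). The segments and addresses are constructed.

```python
"""Out-of-state TCP segment detection for ACK / RST / FIN floods (added example, not Allot code)."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class SessionTable:
    def __init__(self):
        self.sessions = {}      # (client, cport, server, sport) -> state

    def classify(self, seg):
        """seg: dict with src, sport, dst, dport, flags. Returns 'new', 'session' or 'orphan'."""
        fwd = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        rev = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        flags = seg["flags"]
        if flags & SYN and not flags & ACK:
            self.sessions[fwd] = "SYN_RECV"
            return "new"
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
        if key is None:
            return "orphan"     # ACK/PSH/RST/FIN for a connection that never existed
        if flags & (RST | FIN):
            self.sessions[key] = "CLOSING"
        elif key == fwd and self.sessions[key] == "SYN_RECV":
            self.sessions[key] = "ESTABLISHED"   # client's final ACK of the handshake
        return "session"


def orphan_rates(segments, window=1.0):
    """Count orphan segments per (destination, window index)."""
    table = SessionTable()
    counts = defaultdict(int)
    for seg in segments:
        if table.classify(seg) == "orphan":
            counts[(seg["dst"], int(seg["t"] // window))] += 1
    return counts


def flagged_destinations(segments, threshold=100, window=1.0):
    """Destinations that received more than `threshold` orphan segments in any one window."""
    return sorted({dst for (dst, _), n in orphan_rates(segments, window).items() if n > threshold})


def constructed_segments():
    """One legitimate HTTPS session (handshake, data, FIN) followed by 500 spoofed ACKs
    from 500 different made-up sources within half a second. Constructed data."""
    c, s = "192.0.2.10", "203.0.113.5"
    segs = [dict(t=0.00, src=c, sport=51000, dst=s, dport=443, flags=SYN),
            dict(t=0.01, src=s, sport=443, dst=c, dport=51000, flags=SYN | ACK),
            dict(t=0.02, src=c, sport=51000, dst=s, dport=443, flags=ACK)]
    for i in range(5):
        segs.append(dict(t=0.10 + i * 0.05, src=c, sport=51000, dst=s, dport=443, flags=ACK | PSH))
        segs.append(dict(t=0.12 + i * 0.05, src=s, sport=443, dst=c, dport=51000, flags=ACK))
    segs.append(dict(t=0.5, src=c, sport=51000, dst=s, dport=443, flags=FIN | ACK))
    for i in range(500):
        segs.append(dict(t=0.5 + i / 1000, src="198.51.100.%d" % (i % 254 + 1),
                         sport=1024 + i, dst=s, dport=443, flags=ACK))
    return segs


if __name__ == "__main__":
    segs = constructed_segments()
    print("orphans per (dst, second):", dict(orphan_rates(segs)))
    print("flagged:", flagged_destinations(segs))
```

The classification itself is the cheap part; what the flood exploits is that the device does this lookup for every packet. Once a destination is flagged, the mitigation is to drop non-SYN segments that match no state before they reach the stateful engine, which is what firewall "invalid state" rules do.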
SSDP REFLECTED AMPLIFICATION ATTACK

WHAT IS AN SSDP REFLECTED AMPLIFIED ATTACK?

Simple Service Discovery Protocol (SSDP) is a network protocol that enables universal plug and play (UPnP) devices to send and receive information using UDP on port 1900. As an open and non-secure protocol, SSDP is an attractive and vulnerable target for launching DDoS attacks. Attackers use bot-infected machines to send UPnP "discovery" packets with spoofed IP addresses from the victim's network. Vulnerable devices such as home routers, firewalls, printers, access points and the like, with the UPnP service open to the Internet (UDP port 1900), respond with UPnP "reply" packets sent to the spoofed IP address of the victim's network. The result is an effective thirty-fold (30X) reflected amplification of the DDoS attack.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker's botnets send discovery packets to open devices, whose replies land on the victim's perimeter (IPS/APT, SLB/ADC, WAF) in front of the target.
Step 1: Attacker sends command and control attack signals to a small botnet.
Step 2: Botnet is told to spoof the IP address of the victim's network and send UPnP "discovery" packets to open devices.
Step 3: Open devices respond with UPnP "reply" packets to the victim's spoofed network IP addresses, giving a 30x amplification factor.

Service Provider Potential Risks

Once the SSDP Reflected Amplification attack succeeds in taking down perimeter defense elements, CSP consumer and enterprise customers as well as the CSP's own services remain unprotected and exposed to security threats until the attack is neutralized and systems are restored.

Learn how Allot helps an MSSP in Australia stop SSDP Attacks
IOT BOTNET ATTACK

WHAT IS AN IOT BOTNET ATTACK?

IoT botnets are created as hackers infect numerous Internet-connected (IoT) devices and recruit them to launch large-scale DDoS attacks that have been measured in terabits per second! These attacks are difficult to detect and mitigate because they use hit-and-run tactics that originate from numerous IoT vectors distributed across many locations, often worldwide.

IoT botnets utilize malware source code that was leaked in late 2016 and has been parlayed into many variants. The most infamous of these is called "Mirai." In a Mirai botnet attack, the attacker scans for vulnerable IoT devices such as digital surveillance cameras, modems, and DVR players with open Telnet ports (TCP 23 and 2323), and tries a list of factory-default usernames and passwords to gain access. Once inside, the attacker downloads the malicious code, which enables remote control of the device and the ability to recruit it for attacks.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: a hacker and a bot commander recruit a baby monitor, a surveillance camera and home/office routers as infected bots, which then attack the target.
Step 1: Hacker or infected bot scans and gains access by a brute-force login sequence
Step 2: Compromised device downloads malicious code
Step 3: Bot commander takes control of infected devices
Step 4: Massive DDoS attack launched by the army of bots

Service Provider Potential Risks

CSPs risk protracted service interruption due to server outages that make critical DNS and other services unresponsive. Or worse, they risk a complete network outage.

Learn how Allot stopped IoT DDoS Attacks Powered by Mirai
LDAP AMPLIFICATION ATTACK

WHAT IS AN LDAP AMPLIFICATION ATTACK?

LDAP Amplification attacks leverage the Lightweight Directory Access Protocol (LDAP), which is used by Microsoft Active Directory and millions of organizations to verify username and password information and permit access to applications. The attacker sends small requests to a publicly reachable LDAP server that answers on port 389 over UDP (the connectionless CLDAP variant; a server that speaks LDAP only over TCP cannot be used as a reflector, because a spoofed source never completes the TCP handshake) in order to produce large (amplified) replies, reflected to a target server. The attacker spoofs the source IP address so that the request appears to have originated from the target server, thereby making the LDAP server "reply" to the target. Attackers select the queries that will yield the largest replies, resulting in an effective fifty-fold (50X) amplification of the reflective DDoS attack.

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends a small LDAP query with the source IP spoofed to be the target's; the LDAP server's big LDAP response goes to the target.

Service Provider Potential Risks

CSP customers will experience protracted service interruption due to extreme network congestion caused by the bombardment of critical services with numerous LDAP responses at multi-gigabit volumes.

Learn how Allot helps an MSSP in Australia stop LDAP Amplification Attacks
CLDAP REFLECTION ATTACK

WHAT IS A CLDAP REFLECTION ATTACK?

A CLDAP Reflection Attack exploits the Connectionless Lightweight Directory Access Protocol (CLDAP), which is an efficient alternative to LDAP that carries queries over UDP (port 389).

The attacker sends a CLDAP request to an LDAP server with a spoofed sender IP address (the target's IP). The server responds with a bulked-up response to the target's IP, causing the reflection attack. The victim's machine cannot process the massive amount of CLDAP data arriving at the same time.

CLDAP Reflection attacks are powerful (up to 70X amplification) and of short duration (hit and run), and often result in service outages. They are also used as a diversion for backdoor attacks that seek to obtain or compromise personally identifiable data in the LDAP database (port 389).

Figure: attack pattern and matched traffic reported by Allot's DDoS Secure management console

Figure: the attacker sends a small CLDAP query with the source IP spoofed to be the target's; the LDAP server's big CLDAP response goes to the target.

Service Provider Potential Risks

CSP customers will experience protracted service interruption due to extreme network congestion caused by the bombardment of critical services with numerous CLDAP responses at multi-gigabit volumes.

Learn how Allot helped an MSSP in Australia stop CLDAP Reflection Attacks
CHARGEN REFLECTIVE FLOOD
WHAT IS A CHARGEN REFLECTIVE FLOOD ATTACK?

CHARGEN Reflection attacks take advantage of the Character Generation Protocol, originally designed for troubleshooting, which allows sending a random number of characters. The attacker sends tens of thousands of CHARGEN requests, by utilizing botnets, to one or more publicly-accessible systems offering the CHARGEN service.

The requests use the UDP protocol and the spoofed IP address of the target. The CHARGEN service replies with tens of thousands of replies to the target. Since the protocol allows replies of random size, there is an amplification factor which could potentially reach 1024X.

[Figure: Attack pattern. (1) Attacker sends a CHARGEN UDP request to an open CHARGEN service with the target’s IP as source IP; (2) the CHARGEN service sends a UDP reply to the target.]

[Figure: Attack pattern and matched traffic reported by Allot's DDoS Secure management console]

Service Provider Potential Risks

Unpredictable network congestion, caused by attack traffic that is consuming bandwidth, negatively impacts network performance and customer QoE. If not detected, CSPs may assume bandwidth capacity is not sufficient for increasing demand, but this problem cannot be solved by bandwidth expansion or expensive network infrastructure upgrades.

Learn how Allot helped stop CHARGEN Reflective Flood Attacks
SNMP REFLECTED AMPLIFICATION ATTACK
WHAT IS AN SNMP REFLECTED AMPLIFICATION ATTACK?
SNMP reflected amplification attacks leverage the Simple Network Management Protocol (SNMP), used for configuring and collecting information from network devices like servers, switches, routers and printers. Similar to other reflection attacks, the attacker uses SNMP to trigger a flood of responses to the target. The perpetrator sends out a large number of SNMP queries with a spoofed IP address (the target’s) to numerous connected devices that, in turn, reply to that forged address.

The attack volume grows as more and more devices continue to reply, until the target network is brought down under the collective volume of these SNMP responses. The responses themselves can be greatly amplified and produce even higher traffic volumes. The amplification factor can be as high as 1700.

[Figure: Attack pattern. Attacker, SNMP botnets, Target; a 64 B request becomes a 10,368 B response.]

[Figure: Attack pattern and matched traffic reported by Allot's DDoS Secure management console]

Service Provider Potential Risks

An SNMP Reflected Amplification attack aimed at one target can effectively clog the CSP network pipes and jeopardize the QoE delivered to many innocent bystanders.

Learn how Allot helped stop SNMP Reflected Amplification Attack
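The CLDAP, CHARGEN and SNMP sections above share one traffic signature on the provider side: many distinct hosts answering from a reflector service port with large UDP replies to a single destination. As an added example that is not from the handbook or from Allot's product, the following Python detector applies that signature to constructed flow records; the NetFlow-like record layout, the thresholds and the IP addresses are assumptions.

```python
from collections import defaultdict

# UDP source ports of the reflection services in this handbook:
# CLDAP (389), CHARGEN (19) and SNMP (161).
REFLECTOR_PORTS = {389: "CLDAP", 19: "CHARGEN", 161: "SNMP"}


def detect_reflection(flows, min_sources=3, min_bytes=100_000):
    """Aggregate UDP flows whose source port is a reflector service per
    (destination, service); a destination receiving a large reply volume
    from several distinct reflectors is reported as a reflection target.
    A flow is a dict with src_ip, src_port, dst_ip, dst_port, proto,
    bytes and packets (an assumed NetFlow-like record layout)."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        a = agg[(f["dst_ip"], f["src_port"])]
        a["sources"].add(f["src_ip"])
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]

    findings = []
    for (dst_ip, port), a in agg.items():
        if len(a["sources"]) >= min_sources and a["bytes"] >= min_bytes:
            findings.append({
                "target": dst_ip,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(a["sources"]),
                "bytes": a["bytes"],
                # mean reply size hints at the amplification factor in play
                "avg_reply_bytes": a["bytes"] // a["packets"],
            })
    return sorted(findings, key=lambda x: x["bytes"], reverse=True)


def sample_flows():
    """Constructed flow records using documentation IP ranges, not real traffic."""
    def flow(src, sport, dst, nbytes, pkts, proto="udp"):
        return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": 40000,
                "proto": proto, "bytes": nbytes, "packets": pkts}
    flows = [flow(f"198.51.100.{i}", 389, "203.0.113.10", 1_500_000, 500)
             for i in range(1, 5)]                          # 4 CLDAP reflectors
    flows += [flow(f"192.0.2.{i}", 19, "203.0.113.10", 102_400, 100)
              for i in range(1, 4)]                         # 3 CHARGEN reflectors
    flows.append(flow("198.51.100.50", 161, "203.0.113.20", 640, 10))  # one SNMP poll
    flows.append(flow("198.51.100.51", 389, "203.0.113.20", 5_000_000, 1000, "tcp"))
    return flows
```

On the sample data the single SNMP poll and the TCP LDAP session are left alone, while the two reflector groups aimed at 203.0.113.10 are reported with CLDAP first because it carries the most bytes.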
TSUNAMI SYN FLOOD
WHAT IS A TSUNAMI SYN FLOOD ATTACK?

A SYN flood attack is a flood of multiple TCP SYN messages requesting to initiate a
connection between the source system and the target, filling up its state table and
exhausting its resources. The Tsunami SYN flood attack is a flood of SYN packets containing
about 1,000 bytes per packet as opposed to the low data footprint a regular SYN packet
would usually contain.

Since the TCP RFC puts no limitation on the amount of data that a SYN packet can carry,
hackers can add data and produce packets that are larger by a factor of 25.

Service Provider Potential Risks

[Figure: Attacker, Botnets, Web Server; requests labelled HTTP GET / index.php]

When carried out using bot machines, the SYN Flood attack can not only take down perimeter defense elements, leaving the network unprotected, but also congest the infrastructure, affecting network performance and customer QoE.

Learn how Allot helped stop Tsunami SYN Flood Attacks
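The distinguishing feature of the Tsunami variant described above is not the SYN rate but the payload riding on each SYN. As an added example that is not part of the handbook, this Python classifier separates an ordinary SYN flood from a Tsunami SYN flood by the payload length of pure SYN packets; the packet summary layout, the 512-byte threshold and the addresses are assumptions.

```python
from collections import defaultdict

# A SYN from a normal TCP stack carries no application data, so a pure SYN
# with hundreds of bytes of payload is the Tsunami SYN signature.
OVERSIZED_SYN_PAYLOAD = 512  # bytes; assumed threshold, the handbook cites ~1,000


def classify_syn_traffic(packets, min_syns=5, min_sources=3):
    """Summarise pure SYN packets (flags == "S", not SYN-ACK) per destination.
    A packet is a dict with src_ip, dst_ip, dst_port, flags (tcpdump-style
    letters) and payload_len; this layout is an assumption of the example.
    Returns {(dst_ip, dst_port): {syn, oversized_syn, sources, max_payload, verdict}}."""
    per_dst = defaultdict(lambda: {"syn": 0, "oversized_syn": 0,
                                   "sources": set(), "max_payload": 0})
    for p in packets:
        if p["flags"] != "S":
            continue
        s = per_dst[(p["dst_ip"], p["dst_port"])]
        s["syn"] += 1
        s["sources"].add(p["src_ip"])
        s["max_payload"] = max(s["max_payload"], p["payload_len"])
        if p["payload_len"] >= OVERSIZED_SYN_PAYLOAD:
            s["oversized_syn"] += 1

    report = {}
    for dst, s in per_dst.items():
        flood = s["syn"] >= min_syns and len(s["sources"]) >= min_sources
        if not flood:
            verdict = "normal"
        elif s["oversized_syn"] * 2 >= s["syn"]:   # majority of the SYNs are padded
            verdict = "tsunami_syn_flood"
        else:
            verdict = "syn_flood"
        report[dst] = {**s, "sources": len(s["sources"]), "verdict": verdict}
    return report


def sample_packets():
    """Constructed packet summaries using documentation IP ranges."""
    def pkt(src, dst, flags, payload, dport=80):
        return {"src_ip": src, "dst_ip": dst, "dst_port": dport,
                "flags": flags, "payload_len": payload}
    pkts = [pkt(f"198.51.100.{i}", "203.0.113.80", "S", 1000) for i in range(1, 7)]
    pkts += [pkt("192.0.2.1", "203.0.113.80", "S", 0),     # ordinary handshakes
             pkt("192.0.2.2", "203.0.113.80", "S", 0),
             pkt("203.0.113.80", "192.0.2.1", "SA", 0),    # SYN-ACK, ignored
             pkt("192.0.2.3", "203.0.113.90", "S", 0)]     # single SYN elsewhere
    return pkts
```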

About Allot

Allot Communications Ltd. (NASDAQ, TASE: ALLT) is a provider of leading innovative network intelligence and security solutions for service providers worldwide, enhancing value to their customers. Our solutions are deployed globally for network and application analytics, traffic control and shaping, network-based security services, and more. Allot’s multi-service platforms are deployed by over 500 mobile, fixed and cloud service providers and over 1000 enterprises. Our industry-leading network-based security as a service solution has achieved over 50% penetration with some service providers and is already used by over 18 million subscribers in Europe. Allot. See. Control. Secure.

D265053 Rev.1
www.allot.com

© 2018 Allot Communications, Ltd. All rights reserved. Specifications subject to change without notice. Allot Communications and the Allot
logo are registered trademarks of Allot Communications. All other brand or product names are trademarks of their respective holders.
