When it comes to detecting DDoS and botnet traffic, you need to get it right. Right away.

Your security appliances are constantly on the lookout for traffic irregularities that could spell trouble. When monitoring a network for traffic anomalies, you need to be able to distinguish malicious flooding from legitimate traffic spikes; otherwise you run the risk of over-blocking and angering your users. And when a bona fide attack is detected, it has to be neutralized right away, without blocking or limiting the legitimate traffic flows that share the same network resource, often behind the same NAT IP. Allot’s anomaly detection technologies, Network Behavior Anomaly Detection (NBAD) and Host Behavior Anomaly Detection (HBAD), are designed to do both. These patented technologies power the Allot DDoS Protection and Bot Containment solutions deployed in service provider and enterprise networks worldwide, where they provide a first line of defense against cyber threats.

Network Behavior Anomaly Detection (NBAD)

Allot’s patented NBAD technology identifies DDoS and other network flooding events by the anomalies they cause in the normally time-invariant behavior of “network ratios”, i.e., combinations of Layer 3 and Layer 4 packet rate statistics whose relationship to one another stays roughly constant under normal load, whatever the absolute traffic volume. Packet filtering rules are derived dynamically by searching deep into the captured attack packets for unique, repeating patterns in each event. Surgical filtering accuracy is typically achieved using the patterns found in the Layer 3 and Layer 4 headers and in the Layer 7 payload. Allot accurately detects network traffic anomalies caused by:

  • High packet rate
  • Small packet size or large packet size
  • Fan-in (many IPs to one IP), typical of DDoS attacks
  • Fan-out (one IP to many IPs)
  • DoS (one IP to one IP)
  • TCP-based incidents (SYN, FIN, ACK, RST, invalid flag combinations)
  • UDP-based incidents
  • ICMP (including echo request, echo reply, unreachable)
  • Other incidents (protocols other than TCP, UDP or ICMP)
  • Incidents involving fragmented, truncated or malformed packets
  • Various amplification attacks

Allot NBAD technology detects network traffic anomalies and creates attack pattern signatures in 20-50 seconds, notifies you of the attack via email, syslog and SNMP trap (v2c), and immediately begins surgical mitigation. Because Allot DDoS Protection solutions are deployed inline, flooding attacks are stopped on the spot at the edge of your network, without having to divert huge volumes of traffic to cloud scrubbing centers.
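To make the NBAD cycle concrete, here is an added Python example (not Allot’s code, and not a description of the patented method) that runs the three steps described above over constructed traffic: it summarises each time window into a few Layer 3/4 ratios, flags a window whose ratios move away from an attack-free baseline, and then mines the flagged packets for a repeating byte pattern that never occurs in clean traffic, which it applies as a filter rule and checks for collateral damage. The ratio set, the thresholds, the packet record layout and the reflected-DNS-style flood payload are all assumptions made for illustration.

```python
import random
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Pkt:                  # assumed packet record (what a capture would yield)
    src: str
    dst: str
    proto: str              # "tcp" | "udp" | "icmp"
    flags: str              # TCP flags as letters ("S", "SA", "PA", ...), "" for non-TCP
    size: int               # bytes on the wire
    payload: bytes

RATIO_NAMES = ("syn_per_ack", "udp_share", "srcs_per_dst", "avg_size")

def window_ratios(pkts):
    """Layer 3/4 statistics of one window; under normal load these stay put whatever the volume."""
    n = len(pkts)
    syn = sum(1 for p in pkts if p.proto == "tcp" and p.flags == "S")
    ack = sum(1 for p in pkts if p.proto == "tcp" and "A" in p.flags)
    return {
        "syn_per_ack": syn / max(ack, 1),                                          # handshake balance
        "udp_share": sum(p.proto == "udp" for p in pkts) / n,                     # protocol mix
        "srcs_per_dst": len({p.src for p in pkts}) / len({p.dst for p in pkts}),  # fan-in
        "avg_size": mean(p.size for p in pkts),                                   # small/large packets
    }

def learn_baseline(clean_windows):
    """Mean and spread of every ratio over windows known to be attack-free."""
    samples = [window_ratios(w) for w in clean_windows]
    return {k: (mean(s[k] for s in samples), pstdev(s[k] for s in samples)) for k in RATIO_NAMES}

def anomalous_ratios(baseline, window, k=3.0):
    """Names of the ratios more than k spreads from baseline. The 10%-of-mean floor stops a
    ratio that never varied during training from firing on the first rounding error."""
    cur = window_ratios(window)
    return [name for name, (mu, sigma) in baseline.items()
            if abs(cur[name] - mu) > k * max(sigma, 0.1 * abs(mu), 1e-6)]

def mine_pattern(flagged, clean_pkts, n=8, min_coverage=0.5):
    """Most widespread n-byte substring of the flagged window that never occurs in clean traffic,
    or None if nothing covers min_coverage of the window (legitimate packets sharing the
    window dilute the coverage figure, hence the modest default)."""
    seen_clean = {p.payload[i:i + n] for p in clean_pkts for i in range(len(p.payload) - n + 1)}
    cover = Counter()
    for p in flagged:
        grams = {p.payload[i:i + n] for i in range(len(p.payload) - n + 1)}
        cover.update(grams - seen_clean)        # one vote per packet per gram
    if not cover:
        return None
    gram, hits = cover.most_common(1)[0]
    return gram if hits / len(flagged) >= min_coverage else None

def dropped_by_rule(window, pattern):
    """Packets a payload-pattern filter rule would discard (inspect this for collateral)."""
    return [p for p in window if pattern in p.payload]

# --- constructed traffic for the demonstration --------------------------------------------
SERVER, RESOLVER = "203.0.113.10", "203.0.113.53"
FLOOD_MARKER = b"\x00\x00\x84\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # fixed header of the reflected replies

def clean_window(rng, clients=20, dns=10):
    """One window of ordinary traffic: HTTP handshakes and requests plus a few DNS queries."""
    pkts = []
    for i in range(clients):
        c = f"192.0.2.{i + 1}"
        req = b"GET /" + rng.randbytes(rng.randint(4, 40)).hex().encode() + b" HTTP/1.1\r\nHost: www.example\r\n\r\n"
        pkts += [Pkt(c, SERVER, "tcp", "S", 60, b""), Pkt(SERVER, c, "tcp", "SA", 60, b""),
                 Pkt(c, SERVER, "tcp", "A", 60, b""), Pkt(c, SERVER, "tcp", "PA", 54 + len(req), req)]
    for _ in range(dns):
        c = f"192.0.2.{rng.randint(1, clients)}"
        q = rng.randbytes(2) + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x00\x00\x01\x00\x01"
        pkts.append(Pkt(c, RESOLVER, "udp", "", 42 + len(q), q))
    return pkts

def attack_window(rng, legit, flood_pkts=600):
    """The legit window plus a spoofed-source UDP reflection flood aimed at the web server."""
    flood = []
    for _ in range(flood_pkts):
        src = f"198.51.{rng.randint(0, 255)}.{rng.randint(1, 254)}"     # spoofed sources: fan-in
        payload = FLOOD_MARKER + rng.randbytes(900)
        flood.append(Pkt(src, SERVER, "udp", "", 42 + len(payload), payload))
    mixed = legit + flood
    rng.shuffle(mixed)
    return mixed

def demo_scenario(seed=7):
    """Baseline from five clean windows, plus one held-out clean window and one attack window."""
    rng = random.Random(seed)
    clean = [clean_window(rng) for _ in range(5)]
    return learn_baseline(clean), clean, clean_window(rng), attack_window(rng, clean_window(rng))

if __name__ == "__main__":
    baseline, clean, quiet, attack = demo_scenario()
    print("quiet window flagged on:", anomalous_ratios(baseline, quiet))
    print("attack window flagged on:", anomalous_ratios(baseline, attack))
    pattern = mine_pattern(attack, [p for w in clean for p in w])
    print("filter pattern:", pattern.hex(), "drops", len(dropped_by_rule(attack, pattern)), "of", len(attack))
```

Two things are worth noticing in the output. The SYN-to-ACK ratio does not move for a UDP flood, so the set of ratios that moved already hints at the attack class from the list above (UDP-based, fan-in, large packets). And the pattern miner deliberately discards 8-byte grams that occur in clean traffic, so it skips the DNS header bytes shared by legitimate queries even though they also repeat in every flood packet, and the resulting rule drops only the flood.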

Host Behavior Anomaly Detection (HBAD)

Allot’s patented HBAD technology detects hosts or endpoints that generate abnormal levels of outbound connection activity, such as outbound spam, as well as host traffic whose connection patterns are consistent with malware infection or abusive behavior. Allot accurately detects host traffic anomalies caused by:

  • Address scan
  • Port scan
  • Flow bomb (bombarding the same target IP and port with a high number of flows)
  • Mass SMTP (address scanning or flow bombs to 25/TCP)
  • Mass DNS (address scanning or flow bombs to 53/UDP)
  • Mass ICMP (including echo request, echo reply, unreachable)

Allot HBAD technology detects anomalous host traffic within 3-5 minutes and sends a notification that lets you surgically block or rate-limit the offending host’s outbound traffic. Only the anomalous traffic is blocked, even when the source of the activity sits behind a NAT IP, provided Allot’s DPI is deployed on the private (pre-NAT) side of the network, where individual hosts are still distinguishable by address. Allot’s solution can also redirect the infected host to a captive portal for clean-up, so that you treat the problem at its source rather than just the symptom. Read how our NBAD and HBAD technologies, embedded in Allot’s multiservice platform, are helping network carriers thwart DDoS attacks and prevent their IP address space from being blacklisted.
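As an added illustration of the host-side logic (example code, not Allot’s implementation), the Python below profiles constructed flow records for one interval per source host, derives the verdicts in the list above from simple per-host thresholds, and then re-runs the same detection on the flows as they would appear from the public side of a NAT, to show why the placement of the DPI matters. The thresholds, the flow record layout and the sample network are assumptions.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                 # assumed flow record (one connection attempt)
    src: str
    dst: str
    proto: str              # "tcp" | "udp" | "icmp"
    dport: int              # 0 for ICMP

# Per-host thresholds for one 3-5 minute interval (assumed values; tune to the network's baseline).
ADDR_SCAN_DSTS = 50         # distinct destination IPs contacted
PORT_SCAN_PORTS = 20        # distinct ports tried on one destination
FLOW_BOMB_FLOWS = 100       # flows to one destination:port
SERVICE_NAMES = {("tcp", 25): "mass SMTP", ("udp", 53): "mass DNS", ("icmp", 0): "mass ICMP"}

def host_profiles(flows):
    """Per source host: destinations seen, services tried per destination, flows per service."""
    prof = defaultdict(lambda: {"dsts": set(), "services": defaultdict(set), "flows": Counter()})
    for f in flows:
        p = prof[f.src]
        p["dsts"].add(f.dst)
        p["services"][f.dst].add((f.proto, f.dport))
        p["flows"][(f.dst, f.proto, f.dport)] += 1
    return prof

def classify_host(p):
    """Verdicts for one host profile; an empty set means the host looks normal."""
    verdicts = set()
    if len(p["dsts"]) >= ADDR_SCAN_DSTS:
        verdicts.add("address scan")
        # Name the service when the scan hits SMTP, DNS or ICMP on many destinations.
        per_service = Counter(svc for svcs in p["services"].values() for svc in svcs)
        verdicts.update(SERVICE_NAMES[s] for s, n in per_service.items()
                        if n >= ADDR_SCAN_DSTS and s in SERVICE_NAMES)
    if any(len(svcs) >= PORT_SCAN_PORTS for svcs in p["services"].values()):
        verdicts.add("port scan")
    for (_, proto, dport), n in p["flows"].items():
        if n >= FLOW_BOMB_FLOWS:
            verdicts.add("flow bomb")
            if (proto, dport) in SERVICE_NAMES:
                verdicts.add(SERVICE_NAMES[(proto, dport)])
    return verdicts

def detect(flows):
    """Hosts with at least one verdict, as {src: verdicts}."""
    flagged = {}
    for src, p in host_profiles(flows).items():
        verdicts = classify_host(p)
        if verdicts:
            flagged[src] = verdicts
    return flagged

def natted(flows, nat):
    """The same flows seen on the public side of a NAT: every mapped host shares one source IP."""
    return [Flow(nat.get(f.src, f.src), f.dst, f.proto, f.dport) for f in flows]

def hosts_behind(nat, public_ip):
    """Private hosts that a block on public_ip would also cut off."""
    return sorted(h for h, pub in nat.items() if pub == public_ip)

def build_sample(seed=3):
    """Constructed interval: 39 hosts behind one NAT IP browsing normally, three of them misbehaving."""
    rng = random.Random(seed)
    web = [f"198.51.100.{i}" for i in range(1, 31)]
    resolver = "203.0.113.53"
    nat = {f"10.0.0.{i}": "203.0.113.5" for i in range(2, 41)}
    flows = []
    for host in nat:                                            # ordinary HTTPS browsing plus DNS lookups
        for dst in rng.sample(web, 5):
            flows += [Flow(host, dst, "tcp", 443)] * 3
        flows += [Flow(host, resolver, "udp", 53)] * 2
    flows += [Flow("10.0.0.7", f"192.0.2.{i}", "tcp", 25) for i in range(1, 201)]       # spam bot: 200 mail servers
    flows += [Flow("10.0.0.23", "198.51.100.20", "tcp", port) for port in range(1, 41)]  # port scan of one host
    flows += [Flow("10.0.0.31", resolver, "udp", 53)] * 300                              # DNS flow bomb on the resolver
    return flows, nat

if __name__ == "__main__":
    flows, nat = build_sample()
    print("seen from inside the NAT:", detect(flows))
    outside = detect(natted(flows, nat))
    print("seen from outside the NAT:", outside)
    for public_ip in outside:
        print(f"blocking {public_ip} would cut off {len(hosts_behind(nat, public_ip))} hosts")
```

Run inside the NAT, the detector names three private hosts and the rest of the subnet keeps working; run on the public side, the same flows collapse into a single source and the only thing left to block is the NAT address shared by all 39 hosts. That is the point made above about deploying the DPI on the private IP space.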