Inline DDoS Mitigation: Could the Massive Amazon AWS Attack Have Been Avoided?

Terabit(s) per second DDoS attacks have not disappeared. Perhaps they were just taking a rest. AWS just reported a 2.3 Tbps attack earlier this year that tried to knock out cloud services over the course of 3 days during February.

As reported on, “To put the scale of the attempt in context, it is nearly double the 1.3 Tbps attack that blasted GitHub offline in 2018, or the circa 1 Tbps Mirai botnet DDoS that famously knocked Dyn offline in 2016.”

DDoS attacks getting bigger & smarter

Nobody should have to put up with these kinds of attacks. But cloud providers, ISPs, CSPs, and enterprises of every size and shape are at risk for these targeted attacks. With 5G coming, these attacks are only going to get worse. The pipe will be larger, the edge points of attack more widespread and the attack surface of countless IoT devices will be, well, countless.

As reported, this was a reflection attack where legitimate requests are sent to some server, using a spoofed return IP address of the intended victim. The victim is flooded with huge amounts of unanticipated response data, in this example 2.3 trillion bits per second, which, if not mitigated instantly, can bring down most services.

DDoS mitigation solutions

Fortunately, there are solutions. Most DDoS mitigation solutions, however, are focused on incoming traffic, which they periodically sample and then reroute to scrubbing centers when attacks are detected.

This approach has 3 problems. Sampling, unlike inline inspection, can miss small hit-and-run attacks which can bring down service quality and even complete services. Rerouting traffic to and from scrubbing centers introduces latency which can negatively impact the end-user quality of experience. Finally, focusing on incoming attacks will completely miss outgoing attacks launched from devices on your network.

DDoS Secure from Allot

Far more effective solutions are inline solutions like Allot’s DDoS Secure, which inspects every packet of data, quickly detect anomalous traffic behavior, even if never seen before, and discards the offending packets regardless of attack size, before they can impact services and end-user experience.

For example, DDoS Secure blocked CLDAP and even blocked the notorious Memcached attack at several customer sites, before anyone knew what it was!

It is important to note that, when people talk and think about DDoS, they are generally thinking about incoming attacks, like the CLDAP attack at AWS, where they are the targets.

Outbound DDoS attacks

However, there is another kind of DDoS attack that CSPs must consider as well. These are the outgoing attacks where home consumer devices, enterprise/IoT devices, and mobile devices of all kinds, are subverted to launch attacks via your CSP network, making you, the CSP, appear to be the source of the attack. This can seriously harm your reputation and can potentially bring down your network services.

To find out more about Allot’s carrier-grade inline DDoS solution, please visit

To learn more about common types of DDoS attacks including the CLDAP attack, you can download our DDoS Handbook, where we explain many kinds of DDoS attacks.

*** This is a Security Bloggers Network syndicated blog from Allot Blog authored by Itay Glick. Read the original post at: