Kemp Flowmon DDoS Defender
Kemp Flowmon DDoS Defender provides AI-based detection and automated incident response based on predefined scenarios to save effort and time. It uses flow data and a combination of infrastructure and/or third-party mitigation to equip ISPs with DDoS protection that scales easily and maximizes prior infrastructure investments.
Request a Trial of DDoS Defender
Kemp Flowmon DDoS Defender
The DDoS Defender:
  • Offers highly scalable DDoS detection
  • Reduces the number of false positives thanks to adaptive baselining
  • Triggers different mitigation scenarios depending on attack structure and magnitude
  • Integrates with a large number of mitigation appliances and cloud scrubbing services
Customers using DDos defender

Key Features and Benefits

Scaling with business

Scaling easily with business requirements, saving costs by using less resources on response.

Less operational workload

Detection based on machine learning means less tuning of manual detections.

Low rate of false positives

Adaptive baselines and thresholds combined with the unique capability to learn from past false positives results in a small number of false positives altogether.

Early threat alerting

10 second detection thanks to stream data processing.

Automated response

Fully automated, but always under control, or manual and supervised.

MSP ready

Fully multitenant, with enabled whitelabeling, ready to use to provide professional services.


Native integrations with top mitigation vendors means you can choose what you prefer and we’ll always be supportive of your decision.

How Flowmon DDoS Defender Works

Protected tenant

The protection starts with a tenant definition, which can be a customer or service, or protected segment that can be defined by a subnet or autonomous system number (ASN). Every protected segment can have its own custom rules that dictate the specific conditions for attack detection and method of mitigation.


The DDoS Defender features different types of baselines for every tenant and different components of traffic. The actual detection thresholds are adaptive, which means they are automatically calculated so that they copy the natural contour of peace traffic without requiring input from the user. Depending on the specific case, manual thresholds can be used as well.

Alert & Analysis

When an attack is detected, the system notifies both the user and whichever additional system incorporated into the defense matrix. By drilling down into the attack detail, the user can access additional information, such as the type of attack, timeframe, traffic line, threshold, etc., with the possibility to see minute detail such as which destination IPs are under attack, or the attack origin (e.g. country, subnet, router or interface).


The detection of an attack is followed by automatic mitigation. The DDoS Defender uses Policy-Based Routing (PBR), Border Gateway Protocol (BGP) or BGP Flowspec to divert traffic to a variety of supported scrubbing equipment from major vendors. In addition, BGP Flowspec or a Remotely-Triggered Black Hole (RTBH) can be used to mitigate attacks using existing infrastructure only.

Mitigation tiering

Mitigation tiering is a smart approach to DDoS defense that maximizes the mitigation capabilities of existing infrastructure. Attacks will be handled locally and only when the in-house mitigation capabilities are exceeded (i.e. a threshold for local mitigation is exceeded), the attack traffic will be diverted to a cloud scrubber.

Detection capabilities

As mentioned above, the system can set up adaptive baselines for each segment, which markedly reduces the number of false positives by eliminating cases where legitimate peak traffic is detected as an attack.

Thresholds are calculated automatically, with no need of manual input from the user, and come in two levels of sensitivity - suspect or attack.

The DDoS Defender also monitors peace traffic during an ongoing attack to determine a much more precise attack signature and provide a more accurate picture of its structure and better insight for mitigation.

Custom detection rules can be set up to very fine detail to tailor the system to the user’s specific circumstances. Subrule templates are available for easier configuration.

Incident reporting and analytics

Attacks are displayed in groups by status. 

An expanded detail shows full information about each attack - complete with status, length and timeline.The user has the option to whitelist a segment to exempt a range of assets from DDoS attack detection. Detailed statistics about the total of pre-attack and attack traffic are available, as is a communication chart of flows passing between the attacker and victim to provide an accurate attack analysis.

Incident response

The DDoS Defender can use a variety of techniques for attack mitigation:

  • BGP (Border Gateway Protocol) - A standard internet routing protocol. It is used for defining re-routing rules on network routers.
  • BGP Flowspec - A  more granular alternative to BGP. Allows more advanced filtering using additional parameters, such as source address, ports, etc. Flowmon DDoS Defender provides a dynamic signature of the attack to routers with BGP Flowspec capabilities, which either redirect the attack, or mitigate only the traffic that corresponds with the signature defined BGP Flowspec rules.
  • PBR (Policy-Based Routing) - Rerouting based on a defined set of policies. An alternative to BGP when prefered by service provider. 
  • Additionally, RTBH (Remotely Triggered Black Hole) filtering is available as a simple method of attack mitigation. It is used to drop the undesirable attack traffic at the edge of the network based on destination IP addresses. 

The most common scenario is where DDoS Defender is deployed in tandem with an out-of-band mitigation appliance or scrubbing service. Flowmon carries out the detection and analysis, while the 3rd-party solution deals with the attack itself based on data from Flowmon.


The system is multitenant, where each tenant has different detection and mitigation presets and reporting. Individual tenants are defined via segments and allow segment grouping, different access rights for each tenant or group, and each tenant has access to their own data.


There are many possibilities to integrate the solution with complementary security tools and platforms, whether it is through syslog, SNMP, email, REST API or custom scripts. Flowmon serves as a critical source of information to log management, SIEM, big data platforms, attack blocking or BGP Flowspec mitigation

DDoS attack blocking

The DDoS Defender integrates with the mitigation appliances of multiple vendors and cloud scrubbing services.

  • F5 Networks
  • Radware
  • A10 Networks
  • Corsa Networks
  • Corero Networks
  • NaWas cloud scrubbing service
BGP Flowspec mitigation

This is a standard method that mitigates attacks by leveraging advanced traffic filtering at routers. It operates with dynamic attack signatures and triggers actions according to the network traffic. BGP Flowspec rules can be based on:

  • Destination prefix
  • Source prefix
  • IP protocol
  • Destination port
  • ICMP type
  • ICMP code
Logging and reporting

Feed your log management or SIEM system with comprehensive logging with context-rich syslog or SNMP messages. Maximize visibility across the IT environment or log events into your ticketing tools automatically.

Check the partners
Network telemetry

Leverage your existing infrastructure as sensors that generate NetFlow, IPFIX, sFlow, jFlow or NetStream from network devices and other data sources such as public cloud platforms, firewalls, virtualization platforms and packet brokers.

and more

DDoS Defender Features

Full Mitigation Control
All actionable scenarios may be triggered automatically under the full supervision of an engineer, who can decide to revert the changes or modify mitigation rules at any given point. The process can also be carried out manually.
Mitigation Tiering
Apply different mitigation strategies based on the attack characteristics. Mitigate all attacks up to capacity of your on-prem mitigation appliance and let the rest of the traffic be redirected to a cloud scrubbing service. No manual input needed, everything is fully automated.
BGP Flowspec

When an event has been detected, Flowmon creates attack patterns and injects them as rules to routers, which can then redirect, forward, drop or rate-limit traffic and more. Rules can be manually adjusted at any given point and all the changes are automatically reverted back after the attack ends.

Learn More
Native Scrubbing Center Support

Flowmon DDoS Defender natively supports all the major vendors in the scrubbing centre market. The configuration itself is a matter of picking the vendor's name from a drop-down menu. Integration with the vendor is always kept up to date.

Learn More
Manual Thresholds
Manual thresholds are simple rules that alert when traffic with specific characterestics reaches undesirable point. Administrators are notified in advance so they can take appropriate actions and stay ahead of problems.
Comprehensive Network Visibility

The DDoS Defender comes as a package with full network performance monitoring and diagnostic functionality. This enables tracking latency degradation, traffic structure analysis for capacity planning, traffic engineering and QoS monitoring.


Divide the traffic into logical portions per tenant, location or network path. All the consecutive detection methods, reporting and triggered actions are set in line with the specific needs for that traffic (blackholing, redirection for scrubbing etc.).

Learn More
Advanced Action Triggering

Choose from a variety of options: from an email alert or a syslog message to traffic redirection into a RTBH, 3rd party scrubbing centre; additionally, traffic dropping is an option too, and rate-limiting using BGP Flowspec. Mitigate traffic automatically or manually to ensure no downtimes and latency drops, and create different rules for different tenants or types of traffic.

Machine Learning

The system learns traffic patterns for different protocols and creates adaptive baselines. Two baselines are modelled: suspicion of an attack and an actual attack. This off-the-shelf functionality ensures real-time detection with a low number of false positives.

Learn More

Customers Using the DDoS Defender

"We’ve been working with Flowmon for over 3 years now. What makes our organizations similar is a strong focus on innovation. This is why they have always understood our needs and we can rely on their technology and support at all times..."

Check the GÉANT case study
Evangelos Spatharas Head of Security

"The combination of great value for money, our experience with the vendors’ support and their feature-set sealed our decision. Flowmon provides the flexibility we need to grow with our clients’ future business needs."

Check the Equinix Case Study
Joost Westerbeek IT Network Engineer