Scaling easily with business requirements, saving costs by using fewer resources on response.
Detection based on machine learning means less tuning of manual detections.
Adaptive baselines and thresholds combined with the unique capability to learn from past false positives results in a small number of false positives altogether.
10 second detection thanks to stream data processing.
Fully automated, but always under control, or manual and supervised.
Fully multitenant, with enabled whitelabeling, ready to use to provide professional services.
Native integrations with top mitigation vendors means you can choose what you prefer and we’ll always be supportive of your decision.
The protection starts with a tenant definition, which can be a customer or service, or protected segment that can be defined by a subnet or autonomous system number (ASN). Every protected segment can have its own custom rules that dictate the specific conditions for attack detection and method of mitigation.
The DDoS Defender features different types of baselines for every tenant and for different components of traffic. The detection thresholds are adaptive, which means they are calculated automatically so that they follow the natural contour of peacetime traffic without requiring input from the user. Depending on the specific case, manual thresholds can be used as well.
When an attack is detected, the system notifies both the user and any additional system incorporated into the defense matrix. By drilling down into the attack detail, the user can access additional information, such as the type of attack, timeframe, traffic line, threshold, etc., down to details such as which destination IPs are under attack, or the attack origin (e.g. country, subnet, router or interface).
The detection of an attack is followed by automatic mitigation. The DDoS Defender uses Policy-Based Routing (PBR), Border Gateway Protocol (BGP) or BGP Flowspec to divert traffic to a variety of supported scrubbing equipment from major vendors. In addition, BGP Flowspec or a Remotely-Triggered Black Hole (RTBH) can be used to mitigate attacks using existing infrastructure only.
Mitigation tiering is a smart approach to DDoS defense that maximizes the mitigation capabilities of existing infrastructure. Attacks are handled locally, and only when the in-house mitigation capabilities are exceeded (i.e. a threshold for local mitigation is exceeded) is the attack traffic diverted to a cloud scrubber.
As mentioned above, the system can set up adaptive baselines for each segment, which markedly reduces the number of false positives by eliminating cases where legitimate peak traffic is detected as an attack.
Thresholds are calculated automatically, with no need for manual input from the user, and come in two levels of sensitivity - suspect or attack.
Custom detection rules can be set up to very fine detail to tailor the system to the user’s specific circumstances. Subrule templates are available for easier configuration.
Attacks are displayed in groups by status.
An expanded detail shows full information about each attack - complete with status, length and timeline. Detailed statistics about the total of pre-attack and attack traffic are available, as is a communication chart of flows passing between the attacker and victim to provide an accurate attack analysis.
The user has the option to whitelist a chosen segment to exempt it from DDoS attack detection.
The DDoS Defender can use a variety of techniques for attack mitigation:
The most common scenario is where DDoS Defender is deployed in tandem with an out-of-band mitigation appliance or scrubbing service. Flowmon carries out the detection and analysis, while the 3rd-party solution deals with the attack itself based on data from Flowmon.
The system is multitenant, where each tenant has different detection and mitigation presets and reporting. Individual tenants are defined via segments and allow segment grouping, different access rights for each tenant or group, and each tenant has access to their own data.
There are many possibilities to integrate the solution with complementary security tools and platforms, whether it is through syslog, SNMP, email, REST API or custom scripts. Flowmon serves as a critical source of information to log management, SIEM, big data platforms, attack blocking or BGP Flowspec mitigation.
The DDoS Defender integrates with the mitigation appliances of multiple vendors and cloud scrubbing services.
This is a standard method that mitigates attacks by leveraging advanced traffic filtering at routers. It operates with dynamic attack signatures and triggers actions according to the network traffic. BGP Flowspec rules can be based on:
Feed your log management or SIEM system with comprehensive logging with context-rich syslog or SNMP messages. Maximize visibility across the IT environment or log events into your ticketing tools automatically.
Leverage your existing infrastructure as sensors that generate NetFlow, IPFIX, sFlow, jFlow or NetStream from network devices and other data sources such as public cloud platforms, firewalls, virtualization platforms and packet brokers.
When an event has been detected, Flowmon creates attack patterns and injects them as rules into routers, which can then redirect, forward, drop or rate-limit traffic and more. Rules can be manually adjusted at any point, and all changes are automatically reverted after the attack ends.
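A sketch of the rule lifecycle the paragraph describes (rules injected on detection, adjusted by the operator, and withdrawn automatically when the attack ends), as an added example that is not Flowmon's code. The rule fields, the action strings and the 192.0.2.0/24 documentation prefix are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FlowspecMatch:
    """Subset of BGP Flowspec match components (assumed field names)."""
    dst_prefix: str
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass
class FlowspecRule:
    match: FlowspecMatch
    action: str        # e.g. "discard", "rate-limit:<bps>", "redirect:<target>"
    source: str = "auto"   # "auto" = injected on detection, "manual" = operator-adjusted

class FlowspecController:
    """Rules live only as long as the attack that created them."""
    def __init__(self):
        self.active: Dict[str, List[FlowspecRule]] = {}

    def on_attack_detected(self, attack_id, matches, action="rate-limit:10000000"):
        # One rule per detected attack pattern, all tied to this attack id.
        rules = [FlowspecRule(m, action) for m in matches]
        self.active[attack_id] = rules
        return rules

    def adjust(self, attack_id, match, new_action):
        # Operator override: keeps the rule but marks it as manually changed.
        for rule in self.active.get(attack_id, []):
            if rule.match == match:
                rule.action, rule.source = new_action, "manual"
                return rule
        raise KeyError(f"no rule for {match} under attack {attack_id}")

    def installed(self):
        return [r for rules in self.active.values() for r in rules]

    def on_attack_ended(self, attack_id):
        # Automatic reversion: every rule of the attack is withdrawn,
        # including the ones the operator adjusted.
        return self.active.pop(attack_id, [])
```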
Flowmon DDoS Defender natively supports all the major vendors in the scrubbing centre market. The configuration itself is a matter of picking the vendor's name from a drop-down menu. Integration with the vendor is always kept up to date.
The DDoS Defender comes as a package with full network performance monitoring and diagnostic functionality. This enables tracking latency degradation, traffic structure analysis for capacity planning, traffic engineering and QoS monitoring.
Divide the traffic into logical portions per tenant, location or network path. All subsequent detection methods, reporting and triggered actions are set in line with the specific needs of that traffic (blackholing, redirection for scrubbing etc.).
Choose from a variety of options: from an email alert or a syslog message to traffic redirection into an RTBH or a 3rd-party scrubbing centre; dropping or rate-limiting traffic using BGP Flowspec is an option too. Mitigate traffic automatically or manually to avoid downtime and latency drops, and create different rules for different tenants or types of traffic.
The system learns traffic patterns for different protocols and creates adaptive baselines. Two baselines are modelled: suspicion of an attack and an actual attack. This off-the-shelf functionality ensures real-time detection with a low number of false positives.
"We’ve been working with Flowmon for over 3 years now. What makes our organizations similar is a strong focus on innovation. This is why they have always understood our needs and we can rely on their technology and support at all times..."
"The combination of great value for money, our experience with the vendors’ support and their feature-set sealed our decision. Flowmon provides the flexibility we need to grow with our clients’ future business needs."