Detection capabilities
As mentioned above, the system can set up adaptive baselines for each segment, which markedly reduces the number of false positives by eliminating cases where legitimate peak traffic is detected as an attack.
Thresholds are calculated automatically, with no need for manual input from the user, and come in two levels of sensitivity: suspect and attack.
The DDoS Defender also monitors peacetime traffic during an ongoing attack to determine a much more precise attack signature, providing a more accurate picture of the attack's structure and better insight for mitigation.
Custom detection rules can be set up in very fine detail to tailor the system to the user's specific circumstances. Subrule templates are available for easier configuration.
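The adaptive per-segment baseline with automatically derived suspect and attack thresholds described above, as an added illustrative example in Python (not Flowmon's code; the rolling window, the sigma floor, the multipliers, the segment name and the sample traffic series are assumptions chosen for the demonstration):

```python
"""Illustrative adaptive-baseline detector with suspect/attack thresholds.
Added example, not Flowmon's algorithm: window size, sigma floor and the k
multipliers are assumptions chosen for the demonstration."""
from collections import deque
from statistics import mean, pstdev

class SegmentBaseline:
    """Rolling baseline of packets-per-second samples for one segment."""

    def __init__(self, window=6, suspect_k=2.0, attack_k=4.0, floor=0.2):
        self.samples = deque(maxlen=window)  # recent non-attack samples only
        self.suspect_k, self.attack_k, self.floor = suspect_k, attack_k, floor

    def thresholds(self):
        """Derive the (suspect, attack) thresholds from the learned baseline."""
        mu = mean(self.samples)
        # Floor sigma at a fraction of the mean: a flat baseline must not
        # become a hair-trigger threshold after a quiet period.
        sigma = max(pstdev(self.samples), self.floor * mu)
        return mu + self.suspect_k * sigma, mu + self.attack_k * sigma

    def classify(self, pps):
        """Return 'learning', 'normal', 'suspect' or 'attack' for one sample."""
        if len(self.samples) < self.samples.maxlen:
            self.samples.append(pps)
            return "learning"
        suspect, attack = self.thresholds()
        if pps >= attack:
            return "attack"          # never fold attack traffic into the baseline
        self.samples.append(pps)     # normal and suspect samples keep it adapting
        return "suspect" if pps >= suspect else "normal"

class DDoSDetector:
    """Keeps an independent adaptive baseline for every monitored segment."""

    def __init__(self, **baseline_kwargs):
        self.kwargs, self.segments = baseline_kwargs, {}

    def classify(self, segment, pps):
        base = self.segments.setdefault(segment, SegmentBaseline(**self.kwargs))
        return base.classify(pps)

def run(samples, segment="web-frontend", **kwargs):
    """Classify one segment's sample series; returns the list of verdicts."""
    det = DDoSDetector(**kwargs)
    return [det.classify(segment, s) for s in samples]

# Constructed series: six quiet minutes, a legitimate peak (1300, 1500 pps),
# a volumetric burst (20000, 25000 pps), then traffic settling back down.
TRAFFIC_PPS = [1000] * 6 + [1300, 1500, 20000, 25000, 1100]
```

Because attack-level samples are never added to the window, the baseline is not dragged upward by the attack itself, so traffic returning to its previous level is classified as normal again straight away.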
Incident reporting and analytics
Attacks are displayed in groups by status.
An expanded detail view shows full information about each attack, complete with status, duration and timeline. The user has the option to whitelist a segment to exempt a range of assets from DDoS attack detection. Detailed statistics about total pre-attack and attack traffic are available, as is a communication chart of the flows passing between attacker and victim, to provide an accurate attack analysis.
Incident response
The DDoS Defender can use a variety of techniques for attack mitigation:
- BGP (Border Gateway Protocol) - A standard internet routing protocol. It is used for defining re-routing rules on network routers.
- BGP Flowspec - A more granular alternative to BGP. Allows more advanced filtering using additional parameters, such as source address, ports, etc. Flowmon DDoS Defender provides a dynamic signature of the attack to routers with BGP Flowspec capabilities, which either redirect the attack or mitigate only the traffic that matches the signature defined in the BGP Flowspec rules.
- PBR (Policy-Based Routing) - Rerouting based on a defined set of policies. An alternative to BGP when preferred by the service provider.
- Additionally, RTBH (Remotely Triggered Black Hole) filtering is available as a simple method of attack mitigation. It is used to drop the undesirable attack traffic at the edge of the network based on destination IP addresses.
The most common scenario is one where DDoS Defender is deployed in tandem with an out-of-band mitigation appliance or scrubbing service. Flowmon carries out the detection and analysis, while the third-party solution deals with the attack itself based on data from Flowmon.
Multitenancy
The system is multitenant: each tenant has its own detection and mitigation presets and reporting. Individual tenants are defined via segments; segments can be grouped, access rights can be set separately for each tenant or group, and each tenant has access to its own data.