Distributed Denial of Service (DDoS) is a cyber attack aimed at an asset connected to the Internet, typically with the intention to disrupt the services it delivers. A volumetric attack is a type of DDoS that uses a volume of requests that is higher than the appliance can process.
Protecting high-speed networks and successfully mitigating DDoS attacks is one of the key challenges for ISPs. Once an attack reaches its target, it is too late for any effective resolution on their side. Timely detection is therefore paramount, and immediate steps must be taken to keep the network from overloading. Flowmon DDoS Defender can help with volumetric DDoS attacks.
The most common type of protection is DDoS mitigation, which consists of two steps: DDoS attack detection followed by impact reduction. DDoS mitigation can be categorized by the location of the mitigation solution:
Flowmon processes flow data as a stream, which means DDoS attack detection is near real-time. Depending on the flow timeout settings, an attack can be detected as little as 10 seconds after the configured traffic threshold is exceeded.
The heart of the Flowmon solution is Flowmon Collector, which gathers network traffic data, and Flowmon Monitoring Center, which analyzes it and provides detailed statistics and reports (see NPMD for details). Flowmon Collector is complemented by the Flowmon DDoS Defender module, which uses advanced threat intelligence to analyze flow data from the Collector, specifically to detect volumetric (flood-based) attacks and bandwidth consumption.
In the event of an unexpected increase in network traffic, Flowmon collects detailed information for later reference, such as the top ten source IP addresses, subnets, autonomous systems and countries, L4 protocols, and interfaces. At the same time, it triggers actions to start attack mitigation. The actions can be configured individually for various network segments, services or users, and can include:
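The two preceding paragraphs describe the detection mechanism in outline: flow records are processed as a stream, a per-destination traffic threshold is evaluated on a short window, and when it trips, a top-N breakdown of the offending traffic is recorded and a mitigation action is triggered. The following is an added illustration of that pipeline and is not Flowmon code. The flow-record fields, the 10-second window, the 50 Mbit/s threshold, the sample records and the `hook` callback (standing in for the user-defined script or API call a product would invoke) are all assumptions made for this example. Autonomous systems and countries are omitted because they require an external BGP/GeoIP lookup that flow records do not carry.

```python
"""Threshold-based volumetric DDoS detection over a stream of flow records.

Added illustration, not Flowmon code. The flow-record fields, the 10-second
window, the 50 Mbit/s threshold and the mitigation hook are all assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: int        # export timestamp of the record, seconds (assumed field)
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address (the protected asset)
    proto: str     # L4 protocol name, e.g. "UDP"
    iface: str     # ingress interface on the exporter
    nbytes: int    # bytes carried by the flow


WINDOW = 10                 # seconds; assumed to match the 10-second detection latency
THRESHOLD_BPS = 50_000_000  # 50 Mbit/s per destination; assumed tuning value


def summarize(flows: List[Flow], top_n: int = 10) -> Dict[str, list]:
    """Top-N breakdown (by bytes) of the traffic that tripped the threshold.
    ASN and country would need an external lookup, so only fields present in
    the records themselves are aggregated here."""
    by_src, by_net, by_proto, by_iface = Counter(), Counter(), Counter(), Counter()
    for f in flows:
        by_src[f.src] += f.nbytes
        by_net[str(ip_network(f"{f.src}/24", strict=False))] += f.nbytes
        by_proto[f.proto] += f.nbytes
        by_iface[f.iface] += f.nbytes
    return {"top_sources": by_src.most_common(top_n),
            "top_subnets": by_net.most_common(top_n),
            "top_protocols": by_proto.most_common(top_n),
            "top_interfaces": by_iface.most_common(top_n)}


class VolumetricDetector:
    """Buckets flows per destination into fixed windows. Fires attack_start when
    a destination's bit rate in a window exceeds the threshold and attack_end
    when it drops back under, so mitigation can be lifted automatically."""

    def __init__(self, threshold_bps: float, window: int,
                 hook: Optional[Callable[[dict], None]] = None):
        self.threshold_bps = threshold_bps
        self.window = window
        self.hook = hook                              # user-defined action (assumed)
        self.current: Optional[int] = None            # start of the open window
        self.buffer: Dict[str, List[Flow]] = defaultdict(list)
        self.active: set = set()                      # destinations under attack
        self.events: List[dict] = []

    def feed(self, flow: Flow) -> None:
        bucket = flow.ts - flow.ts % self.window
        if self.current is None:
            self.current = bucket
        while bucket > self.current:      # close every window up to this record's
            self._close_window()
            self.current += self.window
        self.buffer[flow.dst].append(flow)

    def flush(self) -> None:
        if self.current is not None:      # end of input: evaluate the last window
            self._close_window()

    def _close_window(self) -> None:
        for dst in set(self.buffer) | self.active:
            flows = self.buffer.get(dst, [])
            bps = sum(f.nbytes for f in flows) * 8 / self.window
            if bps > self.threshold_bps and dst not in self.active:
                self.active.add(dst)
                self._emit("attack_start", dst, bps, summarize(flows))
            elif bps <= self.threshold_bps and dst in self.active:
                self.active.discard(dst)
                self._emit("attack_end", dst, bps, None)
        self.buffer.clear()

    def _emit(self, kind: str, dst: str, bps: float, summary) -> None:
        event = {"type": kind, "dst": dst, "ts": self.current, "bps": bps, "summary": summary}
        self.events.append(event)
        if self.hook:
            self.hook(event)


def constructed_flows() -> List[Flow]:
    """Constructed sample: normal TCP traffic, then a UDP flood from
    198.51.100.0/24 (100 MB in 10 s = 80 Mbit/s), then normal traffic again."""
    flows = [Flow(1 + i, f"192.0.2.{i + 1}", "203.0.113.10", "TCP", "eth0", 200_000) for i in range(5)]
    flows += [Flow(10 + i % 10, f"198.51.100.{i + 1}", "203.0.113.10", "UDP", "eth1", 1_000_000)
              for i in range(100)]
    flows += [Flow(21 + i, f"192.0.2.{i + 1}", "203.0.113.10", "TCP", "eth0", 200_000) for i in range(5)]
    return flows


def run_detection(flows: List[Flow], hook=None) -> List[dict]:
    det = VolumetricDetector(THRESHOLD_BPS, WINDOW, hook)
    for f in sorted(flows, key=lambda f: f.ts):   # stream records in export order
        det.feed(f)
    det.flush()
    return det.events


if __name__ == "__main__":
    for ev in run_detection(constructed_flows(), hook=lambda e: print("hook:", e["type"], e["dst"])):
        print(ev["type"], ev["dst"], "window", ev["ts"], f"{ev['bps'] / 1e6:.0f} Mbit/s")
        if ev["summary"]:
            print("  top subnets:", ev["summary"]["top_subnets"][:3])
```

The detector evaluates each window only once it is closed by a later record or by `flush()`, so detection latency is bounded by the window length plus the exporter's flow timeout, which is why the page ties its 10-second figure to the flow timeout settings. The `hook` is the point where a real deployment would run its configured action (a script, an API call to a scrubbing service, or a controller push); here it receives the same event dictionary that `run_detection` returns.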
Thanks to a robust and versatile architecture, Flowmon DDoS Defender can be deployed either as a standalone solution or in combination with third-party out-of-path mitigation, both physical and cloud-based.
The solution supports user-defined scripts that can perform virtually any action. This is useful, for example, when mitigating within an SDN. For third-party integrations, a script can execute API calls to share baselines and the configuration of the mitigation appliances.
Flowmon offers verified and tested integrations with the following vendors of mitigation appliances and cloud scrubbing services:
Besides vendor-provided mitigation, traffic re-routing using several techniques is also possible:
Xantaro, a company that develops and integrates hi-tech network solutions, devised a system for an OpenStack use case with the support of Flowmon. Flowmon DDoS Defender supports a mitigation method that triggers a shell script upon DDoS attack detection. Xantaro combined Flowmon's detection technology with the industry-leading SDN controller OpenDaylight to push a mitigation filter onto the switch(es) on which the attack was detected. When the attack is over, Flowmon registers this and the mitigation is lifted automatically.