Search
Online DemoRequest Free TrialContact Sales
Flowmon

Volumetric DDoS Protection

Distributed Denial of Service (DDoS) is a cyber attack aimed at an asset connected to the Internet, typically with the intention to disrupt the services it delivers. A volumetric attack is a type of DDoS that uses a volume of requests that is higher than the appliance can process.

Protection of high-speed networks and a successful mitigation of DDoS attacks is one of the key challenges for ISPs. When the attack reaches its target, it is too late for any effective resolution on their side. Timely detection is therefore paramount, and instant steps must be taken to save the network from overloading. Flowmon DDoS Defender can help with volumetric DDoS attacks.

Attack mitigation

The most common type of protection is DDoS mitigation, which consists of two steps: DDoS attack detection followed by impact reduction. DDoS mitigation can be categorized by the location of the mitigation solution:

  • In-line solutions such as firewalls are essential as the “last mile protection” that can detect sophisticated attacks focused on the application layer. However, this type of solution does not scale very well, which is especially problematic for ISPs who need to protect many uplinks with significant throughput.
  • Out-of-path mitigation combined with IPFIX/NetFlow-based detection provides high scalability and cost efficiency, and is therefore suitable for large networks with multiple peering partners and bandwidth of tens of gigabits per second.
  • Cloud mitigation services offer either always-on or on-demand scrubbing. Combining out-of-path detection with on-demand cloud mitigation provides optimum protection at a favorable price compared to always-on service.

Near real-time protection

Flowmon processes flow data in a stream, which means DDoS attack detection is near real-time. Depending on the flow timeout settings, attacks can be detected in as little as 10 seconds since the set traffic threshold is exceeded.

Protection components

The heart of the Flowmon solution is Flowmon Collector, which gathers network traffic data, and Flowmon Monitoring Center, which analyzes it and provides detailed statistics and reports - see more NPMD. Flowmon Collector is complemented by the Flowmon DDoS Defender module that uses advanced threat intelligence to analyze flow data from the Collector to specifically detect volumetric (flood-based) attacks and bandwidth consumption.

How it works

In case of an unexpected increase of network traffic, Flowmon collects detailed information for later reference, such as top ten source IP addresses, subnets, autonomy systems and countries, L4 protocols, and interfaces. At the same time, it triggers actions to start attack mitigation. The actions can be configured individually for various network segments, services or users, and can include:

  • alerting admins (via e-mail, syslog, or SNMP trap),
  • diverting the traffic (via policy-based routing, border gateway protocol, or a remotely triggered black hole), 
  • executing scripts,
  • re-routing the attack to a specific out-of-band DDoS mitigation system,
  • performing automatic mitigation by a partner’s solution.

Out-of-path integration

Thanks to a robust and versatile architecture, Flowmon DDoS Defender can be deployed either as a standalone solution, or in combination with 3rd party out-of-path mitigation, both physical and cloud. 

The solution supports user-defined scripts that can perform virtually any action. This is useful for example when mitigating within SDN. For 3rd party integrations, a script can execute API calls to share baselines and configuration of the mitigation appliances. 

Flowmon offers verified and tested integrations with the following vendors of mitigation appliances and cloud scrubbing services: 

  • F5 Networks
  • Radware
  • A10 Networks
  • Corsa Networks
  • Corero Networks
  • NaWas cloud scrubbing service

Besides vendor-provided mitigation, traffic re-routing using several techniques is also possible:

  • BGP (Border Gateway Protocol) - A standard internet routing protocol. It is used for defining re-routing rules on network routers.
  • BGP Flowspec - An improvement over BGP. Allows more advanced filtering using additional parameters, such as source address, ports, etc. Flowmon DDoS Defender provides a dynamic signature of the attack to routers with BGP Flowspec capabilities, which either redirect the attack, or mitigate only the traffic that corresponds with the signature defined BGP Flowspec rules.
  • PBR (Policy-Based Routing) - Rerouting based on a defined set of policies. Allows more details than traditional IP-based routing, as well as greater control in different situations.
  • Additionally, RTBH (Remotely Triggered Black Hole) filtering is available as a simple method of attack mitigation. It is used to drop the undesirable attack traffic at the edge of the network based on destination or source IP addresses.
DDoS attack Out-of-Band Mitigation Scenario visualisation
Out-of-band DDoS Attack mitigation scenario visualization

Protection in SDN Environment

Xantaro, a company that develops and integrates hi-tech network solutions, devised a system for an OpenStack use case with the support of Flowmon. Flowmon's DDoS Defender supports a mitigation method that triggers a shell script upon DDoS attack detection. Xantaro combined the detection technology of Flowmon with the industry-leading SDN controller OpenDaylight to push a mitigation filter onto the switch(es) that detected the attack. When the attack is over, Flowmon notes it and the mitigation is automatically lifted.