Fast flow-based DDoS protection for high-speed networks

Challenge

All major security reports indicate a rising trend in DoS/DDoS attacks. Ponemon Institute’s Cyber Security on the Offense: A Study of IT Security Experts estimates that the average cost of a single minute of downtime is $22,000, with an average downtime of 54 minutes. According to the Q2/2016 State of the Internet – Security Report, infrastructure-layer DDoS attacks increased by 151% compared to Q2/2015. Attacks exceeding 100 Gbps are no longer exceptional, and the largest attack peaked at hundreds of Gbps. Volumetric DDoS attacks remain the nightmare of the ISP world. The attack landscape changes every day, and attackers deploy new techniques to increase the magnitude of attacks and make them harder to mitigate. Protecting high-speed networks and successfully mitigating DDoS attacks is one of the key challenges for internet service providers and backbone operators. Once an attack is allowed to reach its target, the attacker has succeeded and no options remain to clean the internet pipe.

Network visibility and attack detection

Flowmon Networks empowers businesses to manage and secure their computer networks confidently. Through its high-performance network monitoring technology and lean-forward behavior analytics, IT professionals worldwide benefit from complete network traffic visibility to enhance network and application performance and deal with modern cyber threats. Driven by a passion for technology, Flowmon Networks leads the way in NetFlow/IPFIX network monitoring that is high performing, scalable and easy to use. The world’s largest businesses, internet service providers, government entities and even small and midsize companies rely on Flowmon to take control of their networks, keep order and overcome uncertainty. With its solution recognized by Gartner and recommended by Cisco, Check Point and IBM, Flowmon Networks is one of the fastest growing companies in the industry.

Flowmon provides the following components for advanced DDoS protection:

  • Flowmon Collector – aggregation and storage of flow data in all major industry formats from an unlimited number of sources. Traffic is profiled in 30 s batches to reduce attack detection time (MTTR). In addition, the collector provides full-featured tools to report on and analyse network and application traffic.
  • Flowmon DDoS Defender – scalable multi-tenant DDoS detection module for Flowmon Collector that uses dynamic baselines and adaptive thresholds to detect various types of volumetric attacks and bandwidth consumption.
  • Flowmon Probe – optional export of NetFlow/IPFIX data for infrastructures without flow-enabled network equipment.

Flowmon Collector equipped with the DDoS Defender module observes and profiles the volumetric characteristics of network traffic to create and maintain dynamic baselines. When an unexpected increase in network traffic is observed, it triggers configurable actions that include alerting (e-mail, syslog, SNMP trap), traffic diversion (policy-based routing, Border Gateway Protocol, remotely triggered black hole), script execution, or mitigation through a dedicated out-of-band DDoS mitigation system. Flowmon DDoS Defender allows protected segments to be defined: individual detection profiles corresponding to IP ranges, subnets or network services. When a DDoS attack is detected, the attack details include all attack characteristics: the top 10 source IP addresses, subnets, autonomous systems and countries, L4 protocols and interfaces.
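The detection mechanics described above (30 s profiling windows, a dynamic per-segment baseline with an adaptive threshold, and attack details listing top sources and L4 protocols) as an added Python illustration. This is the editor's own example, not Flowmon's code or its actual algorithm: the protected range 192.0.2.0/24, the flow records, the EWMA baseline and all tuning constants are constructed assumptions. One caveat it handles that a practitioner will want: the baseline is not updated from a window that is flagged, so an attack does not raise its own threshold.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import math

WINDOW = 30  # seconds: the profiling granularity described on the page


@dataclass
class Flow:
    """One flow record (constructed shape, not an IPFIX template)."""
    ts: int       # flow start, seconds since epoch
    src: str
    dst: str
    proto: int    # L4 protocol number: 6 = TCP, 17 = UDP
    bytes: int
    packets: int


@dataclass
class Segment:
    """A protected segment: one detection profile per destination range."""
    name: str
    prefix: str             # hypothetical protected IP range
    mean: float = 0.0       # EWMA baseline, bytes per window
    var: float = 0.0        # EWMA variance of bytes per window
    windows_seen: int = 0   # windows that contributed to the baseline


@dataclass
class Alert:
    segment: str
    window_start: int
    volume: int
    threshold: float
    top_sources: list       # [(src_ip, bytes)], largest first
    top_protocols: list     # [(proto, bytes)], largest first


class VolumetricDetector:
    """Threshold per window = max(mean + k*stddev, ratio*mean, floor).

    The stddev term adapts to the segment's own variability, the ratio term
    stops near-constant traffic from alerting on tiny bumps, and the floor
    stops very quiet segments from alerting on noise (all assumed knobs).
    """

    def __init__(self, segments, alpha=0.2, k=4.0, ratio=2.0,
                 floor_bytes=500_000, warmup=3):
        self.segments = list(segments)
        self._nets = {s.name: ip_network(s.prefix) for s in self.segments}
        self.alpha, self.k, self.ratio = alpha, k, ratio
        self.floor, self.warmup = floor_bytes, warmup

    def threshold(self, seg):
        return max(seg.mean + self.k * math.sqrt(seg.var),
                   self.ratio * seg.mean, self.floor)

    def _learn(self, seg, volume):
        # Standard EWMA update of mean and variance.
        if seg.windows_seen == 0:
            seg.mean, seg.var = float(volume), 0.0
        else:
            diff = volume - seg.mean
            seg.mean += self.alpha * diff
            seg.var = (1 - self.alpha) * (seg.var + self.alpha * diff * diff)
        seg.windows_seen += 1

    def process_window(self, window_start, flows):
        alerts = []
        for seg in self.segments:
            net = self._nets[seg.name]
            mine = [f for f in flows if ip_address(f.dst) in net]
            volume = sum(f.bytes for f in mine)
            if seg.windows_seen >= self.warmup:
                thr = self.threshold(seg)
                if volume > thr:
                    by_src, by_proto = Counter(), Counter()
                    for f in mine:
                        by_src[f.src] += f.bytes
                        by_proto[f.proto] += f.bytes
                    alerts.append(Alert(seg.name, window_start, volume, thr,
                                        by_src.most_common(10),
                                        by_proto.most_common(5)))
                    continue  # freeze the baseline while the segment is under attack
            self._learn(seg, volume)
        return alerts


def bucket_by_window(flows):
    """Group flow records into 30 s windows keyed by window start time."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.ts - f.ts % WINDOW].append(f)
    return sorted(buckets.items())


def run(detector, flows):
    alerts = []
    for start, batch in bucket_by_window(flows):
        alerts.extend(detector.process_window(start, batch))
    return alerts


T0 = 1_700_000_010  # constructed start time, aligned to a 30 s boundary


def constructed_flows():
    """Nine normal windows plus one window carrying a constructed UDP flood."""
    flows = []
    for w in range(10):
        ts = T0 + w * WINDOW
        for i in range(5):  # steady TCP traffic into the protected range
            flows.append(Flow(ts + i, f"198.51.100.{i + 1}", "192.0.2.10", 6,
                              200_000 + 1_000 * (w % 4), 150))
        # traffic to an unprotected destination is ignored by every profile
        flows.append(Flow(ts, "198.51.100.99", "192.0.3.5", 6, 5_000_000, 3_000))
        if w == 8:  # constructed flood from 40 sources in the ninth window
            for i in range(40):
                flows.append(Flow(ts + 2, f"203.0.113.{i + 1}", "192.0.2.10", 17,
                                  1_500_000, 1_000))
    return flows


if __name__ == "__main__":
    det = VolumetricDetector([Segment("web", "192.0.2.0/24")])
    for a in run(det, constructed_flows()):
        print(f"{a.segment} window {a.window_start}: {a.volume} B "
              f"(threshold {a.threshold:.0f} B); top sources {a.top_sources[:3]}")
```

The `warmup` count matters in practice: until a segment has seen a few windows, its baseline is meaningless and no alert is raised, which is why the page's 30 s batches shorten detection time only once a baseline exists.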

Attack mitigation

F5 helps organizations seamlessly scale cloud, data center, and software-defined networking deployments to successfully deliver applications to anyone, anywhere, at any time.
BIG-IP Advanced Firewall Manager protects the network against incoming threats, even the most massive and complex DDoS attacks. With deep threat intelligence services and flexible mitigation options, BIG-IP Advanced Firewall Manager defends against threats to network layers 3–4, stopping them before they reach your data center.
Specifically, BIG-IP AFM scales to shut down high-capacity DDoS attacks that can overwhelm load balancers, firewalls and even networks. It automatically invokes mitigation, alerts security admins, and configures or adjusts DDoS thresholds as traffic patterns change, without affecting legitimate traffic.

Joint Solution

Network visibility, traffic analysis and attack detection, together with attack mitigation capability, are essential when fighting DDoS attacks in backbones as close to the attack source as possible. Leveraging network traffic statistics from routers or dedicated network probes makes it possible to detect attacks and understand their characteristics so that mitigation can begin.
Once an attack is detected from flow data, the affected traffic needs to be diverted to a dedicated out-of-band DDoS mitigation appliance that creates a dynamic attack signature and scrubs the attack while allowing legitimate traffic to continue unaffected. This is where F5 comes into play with the BIG-IP appliance, which performs DDoS mitigation for the diverted traffic. The described procedure forms a complete attack detection and mitigation ecosystem focused on volumetric attacks, built on seamless cooperation between multi-vendor solutions.

Flowmon DDoS Defender takes advantage of stream processing of flow data, which makes it possible to profile traffic at 30 s granularity. This allows a DDoS attack to be detected within 60 seconds, which is at the limit of what flow-based detection can achieve.
Compared to in-line deployment of attack mitigation appliances, this approach provides higher scalability and significant cost efficiency, especially for large networks with multiple peering partners and bandwidths of tens of gigabits per second. In-line deployment of DDoS mitigation appliances remains irreplaceable for protecting the so-called last mile, where sophisticated application-layer attacks that do not manifest as high traffic volume must be detected.
The joint multi-layered DDoS protection from F5 and Flowmon Networks benefits from this combined approach. Out-of-band mitigation for volumetric attacks together with in-line deployments is the most efficient way to protect network infrastructure from DDoS attacks and ensure the quality and availability of network services.

For more information

For more information, please contact your F5 or Flowmon Networks partner.