Next Previous




PRODUCTS > Flowmon > Flowmon DDoS Defender
Flowmon DDoS Defender - How It Works

How Flowmon DDoS Defender Works 

Image result for 1 blueProtected tenant

The protection starts with a tenant definition, which can be a customer or service, or protected segment that can be defined by a subnet or autonomous system number (ASN). Every protected segment can have its own custom rules that dictate the specific conditions for attack detection and method of mitigation

Image result for 1 blueDetection

The DDoS Defender features different types of baselines for every tenant and different components of traffic. The actual detection thresholds are adaptive, which means they are automatically calculated so that they copy the natural contour of peace traffic without requiring input from the user. Depending on the specific case, manual thresholds can be used as well

Image result for 1 blueAlert & Analysis

When an attack is detected, the system notifies both the user and whichever additional system incorporated into the defense matrix. By drilling down into the attack detail, the user can access additional information, such as the type of attack, timeframe, traffic line, threshold, etc., with the possibility to see minute detail such as which destination IPs are under attack, or the attack origin (e.g. country, subnet, router or interface)

Image result for 1 blueMitigation

The detection of an attack is followed by automatic mitigation. The DDoS Defender uses Policy-Based Routing (PBR), Border Gateway Protocol (BGP) or BGP Flowspec to divert traffic to a variety of supported scrubbing equipment from major vendors. In addition, BGP Flowspec or a Remotely-Triggered Black Hole (RTBH) can be used to mitigate attacks using existing infrastructure only.

Image result for 5 blueMitigation tiering

Mitigation tiering is a smart approach to DDoS defense that maximizes the mitigation capabilities of existing infrastructure. Attacks will be handled locally and only when the in-house mitigation capabilities are exceeded (i.e. a threshold for local mitigation is exceeded), the attack traffic will be diverted to a cloud scrubber.


Detection capabilities

As mentioned above, the system can set up adaptive baselines for each segment, which markedly reduces the number of false positives by eliminating cases where legitimate peak traffic is detected as an attack.

Thresholds are calculated automatically, with no need of manual input from the user, and come in two levels of sensitivity - suspect or attack.

The DDoS Defender also monitors peace traffic during an ongoing attack to determine a much more precise attack signature and provide a more accurate picture of its structure and better insight for mitigation.
Custom detection rules can be set up to very fine detail to tailor the system to the user’s specific circumstances. Subrule templates are available for easier configuration.

Incident reporting and analytics

Attacks are displayed in groups by status. 

An expanded detail shows full information about each attack - complete with status, length and timeline.The user has the option to whitelist a segment to exempt a range of assets from DDoS attack detection. Detailed statistics about the total of pre-attack and attack traffic are available, as is a communication chart of flows passing between the attacker and victim to provide an accurate attack analysis.

Incident response

The DDoS Defender can use a variety of techniques for attack mitigation:
Image result for tick blueBGP (Border Gateway Protocol) - A standard internet routing protocol. It is used for defining re-routing rules on network routers.
Image result for tick blueBGP Flowspec - A  more granular alternative to BGP. Allows more advanced filtering using additional parameters, such as source address, ports, etc. Flowmon DDoS Defender provides a dynamic signature of the attack to routers with BGP Flowspec capabilities, which either redirect the attack, or mitigate only the traffic that corresponds with the signature defined BGP Flowspec rules.
Image result for tick bluePBR (Policy-Based Routing) - Rerouting based on a defined set of policies. An alternative to BGP when prefered by service provider. 
Image result for tick blueAdditionally, RTBH (Remotely Triggered Black Hole) filtering is available as a simple method of attack mitigation. It is used to drop the undesirable attack traffic at the edge of the network based on destination IP addresses. 
The most common scenario is where DDoS Defender is deployed in tandem with an out-of-band mitigation appliance or scrubbing service. Flowmon carries out the detection and analysis, while the 3rd-party solution deals with the attack itself based on data from Flowmon.


The system is multitenant, where each tenant has different detection and mitigation presets and reporting. Individual tenants are defined via segments and allow segment grouping, different access rights for each tenant or group, and each tenant has access to their own data.




SecureOne is a partner centric technology distributor that specialize in secure IT networking solutions, services and support. Principals and resellers partnering with us for proven expertise, enablement resources and overall business execution. We are a preferred distribution partner for many of today's leading and emerging networking and security products including SOPHOS, Cyberoam, Kemp, Paessler, Acunetix, Parallels, IP-guard, Altaro, AISHU, SonicWall, Mushroom Network, Info Express & etc.

Copyright © SecureOne Distribution Sdn Bhd. All Rights Reserved