Complex DDoS protection with native NPMD features

Industries:
Telecommunication
Products:
Flowmon

Challenge

  • High service quality standards
  • Fully automated and cost-efficient DDoS protection
  • Lack of detailed visibility into network traffic

Solution

The first part of the deployment was a Flowmon Collector VA. Its purpose is to collect, receive, and store sampled flow data from tens of flow sources. The collector capacity was optimized for storing months of unaggregated flow data history.

Once the collector was deployed, AFR-IX Telecom gained detailed visibility into their network traffic and a perfect overview of what was happening in the system at any given time.

Armen Durgaryan, Network Engineer at AFR-IX Telecom, sums up the NPMD features after six months of hands-on experience: “Compared to the previously used SNMP and basic flow-based monitoring solutions, it is now much easier for us to visualize the traffic and get instant insight whenever we receive complaints or system alerts on service degradations. What is more, we always have hard evidence of the traffic legitimacy and it’s also easier to find the root cause of the degradation.”

The next vital part of the deployment is the Flowmon DDoS Defender module, installed on the collector. Its task is to monitor the traffic and raise alerts according to baselines that are dynamically adjusted for each protected segment individually. AFR-IX Telecom chose to define the protected segments by AS (Autonomous System) number, as their customers are local ISPs with their own AS. This approach is flexible and makes the system resistant to changes in the ISPs’ subnets.

If traffic in any network segment increases unexpectedly, DDoS Defender immediately reports an ongoing DDoS attack. AFR-IX Telecom opted to configure the solution to automatically redirect an attack lasting more than two minutes to a mitigation device, an F5 BIG-IP AFM deployed out-of-path. Thanks to the seamless integration of Flowmon and F5, DDoS Defender can configure the BIG-IP AFM device automatically, which makes it possible to redirect the harmful traffic instantly and without human intervention.
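The sketch below is an added illustration of the detection flow described above (a per-AS baseline, an alert on excess traffic, diversion only once the excess has lasted more than two minutes); it is not Flowmon's algorithm or code. The EWMA baseline, the 3x threshold factor, the smoothing weight and all sample values are assumptions, and "divert" is only a returned label standing in for the handoff to the mitigation device.

```python
from dataclasses import dataclass
from typing import Optional

DIVERT_AFTER_S = 120  # from the page: divert attacks lasting more than two minutes
FACTOR = 3.0          # assumption: traffic above 3x baseline counts as an attack
ALPHA = 0.2           # assumption: EWMA smoothing weight for the baseline

@dataclass
class Segment:
    baseline: float                   # learned normal rate in bits/sec
    over_since: Optional[int] = None  # when the current excursion started

def evaluate(segments, asn, ts, bps):
    """Return 'ok', 'alert' or 'divert' for one sample of a protected segment."""
    seg = segments.setdefault(asn, Segment(baseline=bps))
    if bps > seg.baseline * FACTOR:
        if seg.over_since is None:
            seg.over_since = ts
        # The baseline is frozen during an excursion so that a long flood
        # cannot teach the detector that attack traffic is normal.
        return "divert" if ts - seg.over_since > DIVERT_AFTER_S else "alert"
    seg.over_since = None
    seg.baseline = (1 - ALPHA) * seg.baseline + ALPHA * bps
    return "ok"

def run(samples):
    """Evaluate (timestamp, asn, bits_per_sec) samples; state is kept per AS."""
    segments = {}
    return [(ts, asn, evaluate(segments, asn, ts, bps)) for ts, asn, bps in samples]

# Constructed one-minute samples; ASNs come from the documentation range.
SAMPLES = [
    (0, 64500, 100e6), (60, 64500, 110e6), (120, 64500, 105e6),
    (180, 64500, 900e6), (240, 64500, 950e6), (300, 64500, 920e6),
    (360, 64500, 940e6), (420, 64500, 100e6),
    # A one-minute burst on another AS raises an alert but is never diverted.
    (0, 64501, 40e6), (60, 64501, 300e6), (120, 64501, 45e6),
]

if __name__ == "__main__":
    for ts, asn, action in run(SAMPLES):
        print(f"t={ts:>3}s AS{asn} {action}")
```

Keying the state by AS number rather than by prefix is what keeps the baseline valid when a customer ISP renumbers or adds subnets.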

Finally, the BGP Flowspec feature can send commands to routers according to a dynamic signature of an attack. For example, it can instruct routers to redirect or drop the traffic that corresponds to the signature.

The described solution architecture means that AFR-IX Telecom can react flexibly to network threats and offer effective, tailored mitigation strategies to their customers.

Result

  • Near real-time DDoS attack detection
  • Out-of-path mitigation via F5 BIG-IP
  • Comprehensive solution covering DDoS Protection and Network Performance Monitoring
  • Ease of use, professional maintenance and support
