From zero to hero. The story of a technology startup, from the national academic network of the Czech Republic to world leader in NetFlow/IPFIX. Flowmon is developing artificial intelligence that detects and responds to volumetric attacks. Flowmon DDoS Defender is an example of how DDoS protection can be easy, efficient and flexible.
4. Functional prototype of HW accelerated
multigigabit (4x1GE, 1x10GE) NetFlow probe
Final recommendation – monitor EU
networks by the Flowmon (NetFlow) probe
2005/6
Our beginnings
5. 600+ customers on 5 continents
100+ employees, HQ in CZ
Rapidly growing - organically
Recognized/awarded
by Gartner and
Deloitte, technology
partnership
Technology leader
in next generation
network, security and
application monitoring
Who we are today
8. Next Generation Network Traffic &
Performance Monitoring (NetFlow/IPFIX)
• Provides visibility – “eyes” into the network traffic
• Saves time and money for network administrators
• Enables quick troubleshooting and ticket resolution
• Delivers a substantial reduction in network
implementation, operation and management costs
Value proposition - visibility
9. Next Generation Network Security -
Behavior Analysis & Anomaly Detection
• Detects and alerts on abnormal behaviors
• Reports anomalies and advanced persistent threats
• Detects intrusions and attacks not visible
to standard signature-based tools
Paul E. Proctor,
VP at Gartner:
“NBA is about
higher visibility in
the behavior of
your network to
cover gaps left by
signature based
mechanism.”
Value proposition - security
10. Out of path Detection and Mitigation
of volumetric DoS/DDoS attacks
• Average cost of one minute downtime is $22.000
• Average downtime is 54 minutes per attack
• Protect your business & customer satisfaction
Value proposition – DDoS protection
12. Network Traffic
Monitoring
Network Statistics
Collection & Analysis
Advanced Analysis of
Network Statistics
Flowmon Probes
• Stand-alone passive sources of
network statistics (NetFlow / IPFIX )
Flowmon Collector
• Storing, visualization and analysis of
network statistics
Flowmon Modules
• Anomaly detection, traffic capture,
Application Performance Monitoring,
DDoS attacks detection and mitigation
The solution
13. All-in-one package
• data generation, collection, analytics, reporting, detection capabilities,
troubleshooting on infrastructure, application, database level – as an
all-in-one device
Neat integration
• use the whole potential of your past investments into network/security
instruments
Massive performance
• first 100G NetFlow/IPFIX probes in the world, the most robust NetFlow
collector
Ultimate scalability
• proven in deployments in organizations from 50 to 50 million users
Transparent licensing
• perpetual and subscription licensing per appliance; the only limitation is the
performance of the given device
Smashing user-friendliness
• agentless, non-intrusive, easy and quick deployment, intuitive,
straightforward GUI, great time-to-value
Outstanding cost efficiency
• best price/performance ratio in the industry, low operational costs
How are we better?
15. Average cost of one minute downtime is
$22.000
Average downtime is 54 minutes per attack
Protect your business & customer satisfaction
Facts about DDoS
16. In-line detection and mitigation fits enterprises
• Limited number of uplinks
• L7 attacks coverage
• Reasonable price/performance ratio
ISP/telco/datacenter need out-of-path mitigation
• Focus on covering volumetric attacks
• Too many uplinks and too much throughput
Solution?
Flow-based volumetric DDoS detection combined with out of
path mitigation
Protection strategies
17. DDoS detection and mitigation
• Focused on volumetric attacks
• Uses flow data from any sources (routers, probes, …)
• Predicts traffic volume using baseline/static methods
• Provides attack characteristics and notifications
Multi-tenant environment to protect various customers, network
segments, services, etc.
Universal deployment scenarios
Flowmon DDoS Defender
Standalone
Out-of-band elimination of
DDoS attack
(PBR, BGP)
Scrubbing Center
DDoS Defender overview
18. Uses various flow specification types to build a dynamic
signature of the attack
Provides a specific action for traffic matching the attack
characteristics
Flowmon DDoS Defender 3.0 supports the following attributes to
create a dynamic signature:
• Destination Prefix
• Source Prefix
• IP Protocol
• Destination port
• ICMP type
• ICMP code
BGP Flowspec
19. Detection performed over protected segments
• Segments defined by network subnets
For each segment, a set of baselines is learned from monitored
traffic. An attack is detected if the current traffic exceeds the defined
threshold.
Baseline is learned for:
• TCP traffic with specific flags
• UDP traffic
• ICMP traffic
Attack detection
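
Added example (not Flowmon code and not part of the original slides): a minimal Python sketch of the per-segment detection described on slide 19, which then builds a dynamic signature from the attributes listed on slide 18. The flow records, segment name, mean-times-multiplier baseline and static floor are assumptions made for illustration, and TCP flags are not modelled.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data: flow record = (dst_ip, ip_protocol, dst_port, packets)
SEGMENTS = {"dc1": ipaddress.ip_network("192.0.2.0/24")}  # protected segment
HISTORY = [[("192.0.2.10", 6, 443, n), ("192.0.2.20", 17, 53, n // 2)]
           for n in (800, 900, 1000)]                    # three normal intervals
CURRENT = [("192.0.2.10", 6, 443, 950), ("192.0.2.20", 17, 53, 380),
           ("192.0.2.10", 17, 135, 40000), ("192.0.2.10", 17, 135, 35000),
           ("198.51.100.5", 17, 135, 90000)]             # last one: unprotected
MULTIPLIER = 3.0    # assumed: alert above 3x the learned mean
MIN_PACKETS = 1000  # assumed static floor for segments with a tiny baseline

def segment_of(dst):
    addr = ipaddress.ip_address(dst)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def volumes(flows):
    """Packets per (segment, protocol) for one interval; TCP/UDP/ICMP only."""
    vol = defaultdict(int)
    for dst, proto, _dport, pkts in flows:
        seg = segment_of(dst)
        if seg and proto in (1, 6, 17):
            vol[(seg, proto)] += pkts
    return vol

def learn_baseline(history):
    """Mean packets per interval for each (segment, protocol)."""
    totals = defaultdict(int)
    for interval in history:
        for key, pkts in volumes(interval).items():
            totals[key] += pkts
    return {key: total / len(history) for key, total in totals.items()}

def detect(baseline, current):
    """Return (segment, signature) for each protocol over its threshold."""
    alerts = []
    for (seg, proto), pkts in volumes(current).items():
        if pkts <= max(baseline.get((seg, proto), 0) * MULTIPLIER, MIN_PACKETS):
            continue
        hits = Counter()  # find the dominant target inside the segment
        for dst, p, dport, n in current:
            if p == proto and segment_of(dst) == seg:
                hits[(dst, dport)] += n
        (dst, dport), _ = hits.most_common(1)[0]
        sig = {"dst_prefix": f"{dst}/32", "ip_protocol": proto}
        if proto != 1:  # ICMP has no ports; type/code would be used instead
            sig["dst_port"] = dport
        alerts.append((seg, sig))
    return alerts

if __name__ == "__main__":
    print(detect(learn_baseline(HISTORY), CURRENT))
```

The resulting dictionary carries the same fields as the dynamic signature on the BGP Flowspec slide (destination prefix, IP protocol, destination port); traffic to addresses outside the protected segment is ignored.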
20. Alerting
• E-mail, Syslog, SNMP trap
Routing diversion
• PBR (Policy Based Routing)
• BGP (Border Gateway Protocol)
• BGP Flowspec
• RTBH (Remotely-Triggered Black Hole)
User-defined scripting
Automatic mitigation
• With out-of-band mitigation devices
• With services of Scrubbing center
Response to attack
21. Internet
Service Provider Core
Flow Data Collection
Learning Baselines
Attack
Anomaly Detection
Mitigation
Enforcement
Scrubbing center
Attack path Clean path
Traffic Diversion via
BGP Route Injection
Dynamic Protection
Policy Deployment
incl. Baselines and
attack characteristics
Protected Object 1
e.g. Data Center,
Organization,
Service etc…
Protected Object 2
Out-of-band
22. Internet
Service Provider Core
Flow Data Collection
Learning Baselines
Attack
Anomaly Detection
Mitigation
Enforcement
Protected Object 1
e.g. Data Center,
Organization,
Service etc…
Protected Object 2
Sending specific Route
advertisement via BGP
FlowSpec
Dynamic signature:
Dst IP: 1.1.1.1/32
Dst Port: 135
Protocol IP: 17 (UDP)
Discard
Dropped traffic for
Dst IP: 1.1.1.1/32
Dst Port: 135
Protocol IP: 17 (UDP)
BGP Flowspec
24. Multitenant DDoS protection for ISPs,
DCs, Cloud providers against volumetric
attacks
Fast detection - up to 1 min
SDN compatible
Affordable pricing
Comprehensive solution including NPMD,
NBA, APM and full packet capture
Summary
29. Flowmon Networks a.s.
U Vodárny 2965/2
616 00 Brno, Czech Republic
www.flowmon.com
Artur Kane
artur.kane@flowmon.com
+420 734 754 449
Editor's notes
Our target customers are organizations with more than 100 computers. We bring values for their IT security and network departments. We provide next generation traffic and performance monitoring based on NetFlow statistics for network engineers which enable them to get full traffic visibility, save time, work more effectively and save money on network operation.
In parallel, we help security guys to detect behavior changes, advanced malware and other network threats. Here is an example from one financial institution where we detected several workstations infected by a botnet. The compromised workstations were part of a DDoS attack and were attacking targets in other countries with spoofed China IP addresses.