From zero to hero. The story of technology startup from national academic network of the Czech Republic to world leader in Netflow/IPFIX. Flowmon is developing artificial inteligence that detects and responds to volumetric attacks. Flowmon DDoS Defender is an example how DDoS protection can be easy, efficient and flexible.

1. DDoS? You shall not pass!
PLNOG 17 KRAKÓW, 26.09.2016
Artur Kane
Technology Evangelist

2. Our beginnings

3. Our beginnings
First 10GE
monitoring board
in academic
environment
2004

4. Functional prototype of HW accelerated
multigigabit (4x1GE, 1x10GE) NetFlow probe
Final recommendation – monitor EU
networks by the Flowmon (NetFlow) probe
2005/6
Our beginnings

5. 600+ customers on 5 continents
100+ employees, HQ in CZ
Rapidly growing - organically
Recognized/awarded
by Gartner and
Deloitte, technology
partnership
Technology leader
in next generation
network, security and
application monitoring
Who we are today

6. Verticals ISP, banking/finance/utilities. From SMB to ENT and GOV customers
600+ customers in 30+ countries

7. Technology leader – 100G

8. Next Generation Network Traffic &
Performance Monitoring (NetFlow/IPFIX)
• Provides visibility – “eyes” into the network traffic
• Saves time and money for network administrators
• Enables quick troubleshooting and ticket resolution
• Delivers a substantial reduction in network
implementation, operation and management costs
Value proposition - visibility

9. Next Generation Network Security -
Behavior Analysis & Anomaly Detection
• Detects and alerts on abnormal behaviors
• Reports anomalies and advanced persistent threats
• Detect intrusions and attacks not visible
by standard signature based tools
Paul E. Proctor,
VP at Gartner:
“NBA is about
higher visibility in
the behavior of
your network to
cover gaps left by
signature based
mechanism.”
Value proposition - security

10. Out of path Detection and Mitigation
of volumetric DoS/DDoS attacks
• Average cost of one minute downtime is $22.000
• Average downtime is 54 minutes per attack
• Protect your business & customers satisfaction
Value proposition – DDoS protection

11. Technology landscape

12. Network Traffic
Monitoring
Network Statistics
Collection & Analysis
Advanced Analysis of
Network Statistics
Flowmon Probes
• Stand-alone passive sources of
network statistics (NetFlow / IPFIX )
Flowmon Collector
• Storing, visualization and analysis of
network statistics
Flowmon Modules
• Anomaly detection, traffic capture,
Application Performance Monitoring,
DDoS attacks detection and mitigation
The solution

13. All-in-one package
• data generation, collection, analytics, reporting, detection capabilities,
troubleshooting on infrastructure, application, database level – as an
all-in-one device
Neat integration
• use the whole potential of your past investments into network/security
instruments
Massive performance
• first 100G NetFlow/IPFIX probes in the world, the most robust NetFlow
collector
Ultimate scalability
• proven in deployments in organizations from 50 to 50 million users
Transparent licensing
• perpetual and subscription licensing per appliance, only limitations is a
performance of the given device
Smashing user-friendliness
• agentless, non-intrusive, easy and quick deployment, intuitive, straight-
forward GUI, great time-to-value
Outstanding cost efficiency
• best price/performance ration in the industry, low operational costs
How are we better?

14. DDoS Defender

15. Average cost of one minute downtime is
$22.000
Average downtime is 54 minutes per attack
Protect your business & customers satisfaction
Facts about DDoS

16. In-line detection and mitigation fits enterprises
• Limited number of uplinks
• L7 attacks coverage
• Reasonable price/performance ratio
ISP/telco/datacenter need out-of-path mitigation
• Focus on covering volumetric attacks
• To many uplinks and throughput
Solution?
Flow-based volumetric DDoS detection combined with out of
path mitigation
Protection strategies

17. DDoS detection and mitigation
• Focused on volumetric attacks
• Uses flow data from any sources (routers, probes, …)
• Predicts traffic volume using baseline/static methods
• Provides attack characteristics and notifications
Multi-tenant environment to protect various customers, network
segments, services, etc.
Universal deployment scenarios
Flowmon DDoS Defender
Standalone
Out-of-band elimination of
DDoS attack
(PBR, BGP)
Scrubbing Center
DDoS Defender overview

18. Uses various types of flow specification used for dynamic
signature of the attack
Provides specific action for traffic corresponding to the attack
characteristics
Flowmon DDoS Defender 3.0 supports following attributes to
create dynamic signature:
• Destination Prefix
• Source Prefix
• IP Protocol
• Destination port
• ICMP type
• ICMP code
BGP Flowspec

19. Detection performed over protected segments
• Segments defined by network subnets
For each segment, a set of baselines is learned from monitored
traffic. The attack is detected if the current traffic exceeds defined
threshold.
Baseline is learned for:
• TCP traffic with specific flags
• UDP traffic
• ICMP traffic
Attack detection

20. Alerting
• E-mail, Syslog, SNMP trap
Routing diversion
• PBR (Policy Based Routing)
• BGP (Border Gateway Protocol),
• BGP Flowspec
• RTBH (Remotely-Triggered Black Hole)
User-defined scripting
Automatic mitigation
• With out-of-band mitigation devices
• With services of Scrubbing center
Response to attack

21. Internet
Service Provider Core
Flow Data Collection
Learning Baselines
Attack
Anomaly Detection
Mitigation
Enforcement
Scrubbing center
Attack path Clean path
Traffic Diversion via
BGP Route Injection
Dynamic Protection
Policy Deployment
incl. Baselines and
attack characteristics
Protected Object 1
e.g. Data Center,
Organization,
Service etc…
Protected Object 2
Out-of-band

22. Internet
Service Provider Core
Flow Data Collection
Learning Baselines
Attack
Anomaly Detection
Mitigation
Enforcement
Protected Object 1
e.g. Data Center,
Organization,
Service etc…
Protected Object 2
Sending specific Route
advertisement via BGP
FlowSpec
Dynamic signature:
Dst IP: 1.1.1.1/32
Dst Port: 135
Protocol IP: 17 (UDP)
Discard
Dropped traffic for
Dst IP: 1.1.1.1/32
Dst Port: 135
Protocol IP: 17 (UDP)
BGP Flowspec

23. Customers

24. Multitenant DDoS protection for ISPs,
DCs, Cloud providers against volumetric
attacks
Fast detection - up to 1 min
SDN compatible
Affordable pricing
Comprehensive solution including NPMD,
NBA, APM and full packet capture
Summary

25. Flowmon DDoS Defender 3.0
Live demo – DDoS mitigation

28. Q&A

29. Flowmon Networks a.s.
U Vodárny 2965/2
616 00 Brno, Czech Republic
www.flowmon.com
Artur Kane
artur.kane@flowmon.com
+420 734 754 449