For an ISP, DDoS attacks can be hugely damaging. A large volumetric attack can disrupt customer-facing services, harming an ISP’s business model, damaging the customer experience, and potentially costing the business heavily in SLAs.
In 2017, an Indian ISP contacted Anurag Bhatia, a Network Researcher based in Haryana, India, after experiencing several DDoS attacks. The ISP had been the victim of several large volumetric DDoS attacks and needed Anurag’s help to implement a solution.
Large Volumetric Attacks Saturate ISP’s Upstream Bandwidth
The attacks had been much higher in volume than the ISP’s available bandwidth and had also saturated its upstream bandwidth. This created an additional challenge, as an attack of this scale can’t be mitigated by an on-site device and must instead be dealt with upstream.
To combat similar attacks in the future, Anurag suggested the ISP request a BGP blackholing service from its upstream provider and manually blackhole traffic when an attack occurs. This solution would allow the ISP to signal to its upstream provider when an attack occurred, providing details of which IP address pools were under attack. The provider would then either drop traffic to these IPs directly or relay the same information to a larger network in their upstream, which would drop the traffic from all edge routers, i.e., as close as possible to the entry point of the attack.
When a blackhole is activated, all incoming and outgoing traffic to specified IP pools is dropped without responding to the sender to inform them their data did not reach its intended target.
The ISP adopted this solution and manually switched on blackholing each time an attack occurred. While this solution effectively mitigated large DDoS attacks, the process was labour-intensive. It required the ISP’s network engineers to manually identify which IP pools were under attack and activate the blackhole.
Instead, the ISP needed a solution that would automatically identify DDoS attacks—including which IP pools were targeted—and immediately apply the appropriate blackhole rules.
The Solution: Fast, Accurate Detection with FastNetMon
FastNetMon is one of the fastest DDoS detection tools on the market, able to detect even the most advanced multi-vector attacks within seconds. Crucially, FastNetMon gives network administrators full control over the mitigation process, allowing them to design, configure, monitor, and manage DDoS defences that suit their organisation’s needs, budget, and network hardware.
Having discovered FastNetMon through an NLNOG presentation by Job Snijders, Principal Engineer at Fastly, Anurag recommended it to the ISP. The solution supports a broad range of capture engines, including port mirroring, NetFlow, sFLOW, IPFIX, which feed it information about incoming traffic. It can detect incoming DDoS attacks quickly based on increases in bandwidth usage, packet per second (Pps) count, and flow count. It also enables network engineers to alter each parameter based on past attack profiles.
Most importantly, FastNetMon can be configured to automatically signal routers to drop malicious traffic and export BGP policies to any upstream provider’s blackhole community. This ensures the remediation process is robust against even large volumetric attacks that saturate a targeted organisation’s upstream bandwidth. Network engineers can define how long an IP remains blocked and automate the unblocking process after a defined period.
Combined, these features made FastNetMon an ideal solution for the ISP. It would allow them to automate the DDoS detection and blackholing process, reducing manual effort and minimising time to mitigation for new attacks. Seeing this, the ISP engaged Anurag to support the setup process.
Detecting DDoS Attacks in 2-3 Seconds
Initially, the ISP tried using NetFlow with a Mikrotik CCR router to feed FastNetMon traffic data. However, this led to a delay in detecting new attacks of almost two minutes. This was not an ideal solution, as it exposed the ISP and its upstream provider to large attacks for nearly two minutes.
Instead, they opted to use port mirroring with a Cisco switch which dropped all transit packets and tagged them with specified VLANs. The switch then mirrored these VLANs to FastNetMon, providing traffic data more quickly and enabling the solution to detect new attacks within 2-3 seconds.
While FastNetMon supports DDoS detection from multiple indicators, the ISP opted to set detection rules based exclusively on bandwidth limits for incoming traffic. This matched the profile of the large volumetric attacks it had experienced.
Mitigating DDoS Attacks with BGP Blackholing
Once an attack was detected, the next step was to apply the correct mitigation rules. Again, there were several options available to complete this process. For instance, the ISP could have used standard BGP-based signalling—FastNetMon would simply maintain a BGP session with a router and inform it whenever an IP came under attack. This solution would work as standard, as all of the ISP’s routers supported BGP.
Instead, the ISP opted to use a dedicated plugin for Mikrotik devices developed by Maximiliano Dobladez from MKE Solutions. The plugin uses a PHP-based API to alter rules on the router. The ISP selected this mitigation option because the plugin included a feature that would add a comment to blackhole route announcements, allowing for clearer communication with upstream providers.
With this in place, the ISP had a complete DDoS detection and mitigation solution that could automatically identify and mitigate DDoS attacks within seconds—eliminating manual burden for the network team and reducing the lag between the start of a new attack and mitigation.
Recovering From an Attack
The final component of this DDoS mitigation strategy is removing blackhole rules once an attack has finished. While blackholing is extremely useful, it can’t be left on indefinitely—affected IPs must eventually be restored to regular use.
To achieve this safely, FastNetMon allows network administrators to periodically check whether an attack has ended after a specified time. The process is simple. Once the specified time—e.g., five minutes—has passed, FastNetMon disables blackhole rules. If the solution detects the attack is still ongoing, it reinstates the blackhole and announces it to upstream providers, mitigating the attack.
This way, the ISP is only exposed to the attack for a very short period (around 7-8 seconds) before re-establishing blackhole mitigation. Once an attack has ended, FastNetMon will no longer reinstate blackhole rules, restoring the network to normal functionality.
Protect Your Organisation with FastNetMon
FastNetMon is one of the market’s fastest DDoS detection and mitigation solutions. Designed to be the brains of a best-of-breed DDoS mitigation strategy, it can uncover even the most complex, multi-vector attacks in a few seconds. Our solution integrates seamlessly with all your network hardware, mitigation controls, and analytics.
Built by network people for network people, FastNetMon puts control firmly in the hands of network administrators, giving them the power to design, configure, monitor, and manage their network operations (including DDoS mitigation) to suit your organisation’s needs, budget, and topology.
Want to keep your network safe? Try FastNetMon FREE for one month.