The increased severity and sophistication of DDoS attacks means that network security administrators need a collection of tools to mitigate risk. One effective option to reduce malicious traffic is the use of a cloud-based DDoS scrubbing service.
But under the pay-as-you-use cloud resource billing model, DDoS scrubbing can be extremely expensive. Your line of business systems may be better protected – but you still face a large bill for managing and mitigating an attack.
How do you scrub?
There are two general approaches to DDoS scrubbing which are defined by how a business manages incoming network traffic.
The first option is to route all incoming traffic via a scrubbing center, so that any DDoS attack is detected and blocked automatically. Although extremely effective, this approach is also extremely expensive, placing it well outside the budget of all but the largest enterprises.
The second option is to maintain a DDoS detection system at the perimeter. When an attack is identified, malicious traffic is diverted to a remote service for scrubbing, helping to maintain satisfactory network conditions for legitimate users. This tends to be more affordable because the scrubbing system is only engaged as required – which is why most organizations choose this approach.
The challenges of on-demand DDoS scrubbing
On-demand DDoS scrubbing has two significant concerns – traffic identification and speed of response.
Filtering the right traffic
Because you are being billed for the traffic to be scrubbed, you need to be sure that you are only diverting the most suspicious activities. Yes, you want to ensure that ‘bad’ traffic is kept away from your assets, but you also want to limit the amount of legitimate traffic that is sent to the scrubber so that you can better contain the cost of the attack.
Rapid DDoS response
At the same time, you need to be sure that your detection system is capable of spotting and re-routing malicious traffic very quickly. The faster you can react, the smaller the impact on your network load.
How can FastNetMon help?
FastNetMon is a vendor-neutral tool that works with all existing network equipment vendors, DDoS Mitigation systems, and scrubbing centers. It is easy to set up on your network and requires minimal configuration. The system combines DDoS detection and mitigation capabilities with scrubbing center automation for enhanced protection.
As a vendor-neutral solution, FastNetMon supports a variety of methods to redirect attack traffic to external scrubbing centers, including:
- BGP Unicast protocol to trigger traffic redirection to cloud-based scrubbing centers
- BGP Flow Spec protocol (RFC 5575) to trigger traffic diversion to an in-house deployment of a cloud scrubbing center
- Provider-specific API-based integrations
- Custom integration using a callback script in any programming language. In this case, FastNetMon supplies all needed information about the detected attack in JSON format and the script implementer decides what to do
As examples of the provider-specific API-based integrations we offer, we feature the following providers:
So where do the cost savings come from?
First, FastNetMon fits neatly into your cloud-based DDoS scrubbing strategy. It is reliable and responsive, and you benefit from:
- Automatic and near-instantaneous attack detection with zero human interaction.
- Faster, automated redirection of attack traffic to the scrubbing center.
- Mitigating malicious traffic with a customizable, rule-based configuration for automated blocking.
- Reducing the latency between your network and scrubbing centers.
- Reducing network security costs, freeing up resources to pay for scrubbing center costs.
- Eliminating inefficiencies present in conventional BGP redirection techniques.
Using FastNetMon and cloud-based DDoS scrubbing, attack traffic is filtered on arrival – removing unwanted traffic from your network and reducing attack detection latency.
This minimizes the negative impact an attack can have on your network performance and reduces associated costs. Legitimate traffic can also be returned to you after it has been filtered and cleaned.
How does FastNetMon deliver these benefits?
Traditional BGP traffic diversion can suffer from delays during a DDoS attack, mainly because the announcement has to propagate across the network components. FastNetMon eliminates this delay by automating and accelerating your response to the attack and minimizing its effects.
FastNetMon can automatically switch a network of any size, redirecting traffic to DDoS scrubbing centers. The most popular and recommended redirection method is to switch network traffic by advertising a /24 IP block to the scrubbing center while keeping the parent prefix for this /24 block with your normal ISP.
Because of BGP route selection logic, every network across the planet will prefer the more specific /24 path to the scrubbing center over the normal route. Note that IPv6 network boundaries might be different. In this case, you can set the covering network length in FastNetMon for specific /48 announcements.
FastNetMon has complete support for the BGP unicast protocol and includes our own BGP daemon. After detecting the attack, FastNetMon will automatically determine which network contains that host. Based on that information, FastNetMon triggers a BGP announcement and redirects the affected host’s traffic to a scrubbing center. In turn, the scrubbing center should start scrubbing malicious traffic as soon as it receives the announcement.
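The prefix logic described above, as an added illustration that is not FastNetMon code: it finds which of your prefixes contains the attacked host, derives the covering /24 (or /48 for IPv6) to announce toward the scrubber, and applies longest-prefix match the way a remote network would. The prefixes, host addresses and the "isp"/"scrubber" labels are constructed sample values.

```python
import ipaddress

# Diversion lengths from the text: /24 for IPv4, /48 for IPv6.
DIVERT_LEN = {4: 24, 6: 48}
# Constructed sample data: prefixes we originate via our normal ISP.
OWN_PREFIXES = ["198.18.0.0/20", "2001:db8::/32"]


def diversion_prefix(host, own_prefixes=OWN_PREFIXES):
    """Return (parent, more_specific) for an attacked host, or None if not ours."""
    addr = ipaddress.ip_address(host)
    parents = [ipaddress.ip_network(p) for p in own_prefixes]
    matches = [n for n in parents if n.version == addr.version and addr in n]
    if not matches:
        return None
    parent = max(matches, key=lambda n: n.prefixlen)
    # A parent already at /24 (/48) or longer cannot be split further here,
    # so the parent itself is what would have to be announced.
    length = max(DIVERT_LEN[addr.version], parent.prefixlen)
    return parent, ipaddress.ip_network(f"{addr}/{length}", strict=False)


def best_next_hop(dest, routes):
    """Longest-prefix match over (prefix, next_hop) pairs, as a remote router does."""
    addr = ipaddress.ip_address(dest)
    hits = []
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            hits.append((net.prefixlen, next_hop))
    return max(hits)[1] if hits else None


def routes_during_attack(host):
    """Remote view of our space once the covering block is sent to the scrubber."""
    result = diversion_prefix(host)
    if result is None:
        return []
    parent, specific = result
    return [(str(parent), "isp"), (str(specific), "scrubber")]


if __name__ == "__main__":
    table = routes_during_attack("198.18.5.77")
    for dest in ("198.18.5.77", "198.18.5.200", "198.18.6.10"):
        print(dest, "->", best_next_hop(dest, table))
```

Note that 198.18.5.200, a host that is not under attack, is diverted along with the target because it shares the /24, so its legitimate traffic also passes through the scrubber; 198.18.6.10 stays on the normal ISP path.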
FastNetMon can also run a script or send the announcement to your own network routers. This will remove the affected host with the attacked prefix on your network and send malicious traffic from your network to the scrubbing center.
Automated attack detection and traffic redirection coupled with lightning-fast response times make FastNetMon an important tool in your cybersecurity defenses. And thanks to its exceptional detection capabilities, FastNetMon can reduce cloud resource demand – and costs.
Ready to learn more? Try FastNetMon free for a month.