
Threshold-based DDoS defence is one of the most effective ways to automate blackhole routing for high-volume attacks, without the need for constant manual oversight. In this post, we’ll break down how threshold-based mitigation works, how to configure it in FastNetMon, and how it differs from rate limiting.
Whether you’re an ISP, hosting provider, or enterprise security engineer, understanding how to set a threshold for RTBH (Remote Triggered Black Hole) can dramatically reduce your mitigation time and prevent network disruption.
What is threshold-based DDoS mitigation?
Threshold-based DDoS mitigation automatically triggers a defence action, typically RTBH (Remote Triggered Black Hole), a blackhole route announced over BGP, when a specific traffic metric exceeds a predefined threshold.
For example, if a single IP starts receiving over 500,000 packets per second (PPS), FastNetMon can immediately signal your router to null-route the target IP, stopping the attack traffic before it saturates links shared with other customers or services. Bear in mind what a blackhole does: it drops all traffic to the target, legitimate traffic included, so it protects the rest of the network at the cost of the attacked host. That is why the threshold must sit comfortably above the host's normal peak. This model of defence is particularly effective for volumetric attacks, where response time is critical and the attack is obvious in the traffic volume.
You can set thresholds based on:
- Packets per second (PPS)
- Bits per second (BPS)
- Flows per second (FPS)
Threshold-based mitigation vs rate limiting: what’s the difference?
Although both threshold-based mitigation and rate limiting are tools used in DDoS defence, they operate on different principles and serve distinct purposes.
Threshold-based DDoS mitigation is a reactive mechanism. It continuously monitors traffic levels (packets per second, bits per second or flows per second) and takes action only when one of them exceeds a predefined threshold. When triggered, the action is typically drastic and immediate, such as announcing a BGP blackhole route that null-routes the target IP address. This form of mitigation is particularly useful against large-scale volumetric attacks, where the goal is to isolate the attack traffic as quickly as possible, before it overwhelms the network.
On the other hand, rate limiting is a proactive control mechanism that intentionally restricts the rate of incoming or outgoing traffic, regardless of whether an attack is happening. It enforces a cap on the amount of traffic a host or application can send or receive over a given period. For example, you might configure a firewall or application gateway to allow no more than 100 requests per second to an API endpoint. If that rate is exceeded, excess traffic is either delayed, dropped, or degraded. This is useful for managing legitimate but excessive usage, such as limiting bursts of traffic from a single user or bot, or ensuring fair resource distribution among tenants.
The key distinction lies in their purpose and execution. Threshold-based mitigation is designed to detect and respond to abnormal or malicious spikes in traffic volume, usually with automated actions that isolate the affected IP or segment. It’s a line of defence used when things go wrong. Rate limiting, on the other hand, is more about ongoing traffic control, not attack detection. It shapes traffic flows by keeping usage within acceptable bounds to ensure stability and fairness under normal conditions.
Importantly, these two methods are not interchangeable. Rate limiting does not offer the kind of decisive action required during high-throughput DDoS attacks. And while threshold-based mitigation can quickly shut down a targeted attack, it’s not suitable for general traffic management or abuse prevention in non-attack scenarios.
In practice, many robust DDoS protection strategies use both. Rate limiting ensures baseline service quality and prevents abuse, while threshold-based detection and blackholing are reserved for acute attack mitigation.
How to set up a threshold on FastNetMon?
FastNetMon Advanced supports per-host threshold configuration, which gives you flexibility to apply different thresholds to different IPs or networks. Once a threshold is exceeded, FastNetMon will trigger a predefined mitigation step, such as announcing a BGP blackhole route.
Step 1: Enable BGP Blackhole Support
Start by configuring a BGP session between FastNetMon and your router or route reflector. This is required for FastNetMon to announce blackhole routes when thresholds are exceeded. The router side needs a matching policy: accept the announcements from FastNetMon and, for routes tagged with the blackhole community (Step 4), set the next hop to a discard (Null0) route, so the router actually drops the traffic rather than merely learning a prefix.
Step 2: Configure Global Thresholds (Optional)
You can set system-wide default thresholds that apply to all IPs. First, enable threshold tracking, then set a default PPS value, for example 500,000 packets per second. These values can be overridden later on a per-IP basis.
Step 3: Enable Per-Host Thresholds
To define specific limits for individual IP addresses, turn on per-host thresholding. Once enabled, you can set a custom PPS and BPS value for any IP. For instance, you might set one host to trigger at 250,000 packets per second or 1 Gbps.
Step 4: Define the Mitigation Action
Once a host crosses its threshold, FastNetMon needs to know how to respond. Here, you define the BGP community your router uses to recognise a blackhole route, commonly 65535:666, the well-known BLACKHOLE community from RFC 7999. If your upstream accepts that community (or publishes one of its own), the same announcement can make the upstream drop the traffic at its edge, before it reaches your links.
Step 5: Monitor Triggered Events
FastNetMon logs every threshold breach and mitigation event. You can monitor these logs directly or plug them into your existing alerting setup using tools like Syslog, Kafka, or webhooks.
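To make the threshold-versus-rate-limiting distinction concrete, and to show how the global default, the per-host override and the blackhole action from the steps above fit together, here is a small Python sketch. It is an added example written for this post, not FastNetMon's code or its configuration syntax. It assumes a feed of flow summaries (destination address, packet and byte counts, timestamp) such as a NetFlow/sFlow collector would hand over; the addresses, the threshold numbers, the discard next hop 192.0.2.1 and the 150-request API burst are all constructed for the illustration. The only real identifier in it is the 65535:666 community.

```python
"""Threshold-based blackholing beside a rate limiter, on constructed flow data.

Added example for this post, not FastNetMon code or configuration. It assumes a
feed of flow summaries (destination address, packet and byte counts, timestamp)
as a NetFlow/sFlow collector would hand over; addresses, thresholds, the discard
next hop and the request burst are all assumptions made for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; the router policy must match it (assumed)
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # assumed next hop that the router resolves to a discard route


@dataclass(frozen=True)
class FlowRecord:
    ts: float     # seconds
    dst: str      # protected (destination) address
    packets: int
    bytes: int


def per_host_rates(records, window_start, window=1.0):
    """Sum the records inside [window_start, window_start + window) per
    destination and return {dst: (packets per second, bits per second)}."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for r in records:
        if window_start <= r.ts < window_start + window:
            pkts[r.dst] += r.packets
            byts[r.dst] += r.bytes
    return {h: (pkts[h] / window, byts[h] * 8 / window) for h in pkts}


def threshold_check(rates, default_pps, default_bps, per_host=None):
    """Reactive control: nothing happens until a host exceeds its threshold,
    then a /32 blackhole announcement is emitted for it. per_host maps an
    address to a (pps, bps) override; None in a slot keeps the global default."""
    per_host = per_host or {}
    actions = []
    for host, (pps, bps) in rates.items():
        pps_limit, bps_limit = per_host.get(host, (None, None))
        pps_limit = default_pps if pps_limit is None else pps_limit
        bps_limit = default_bps if bps_limit is None else bps_limit
        reason = None
        if pps > pps_limit:
            reason = f"{pps:.0f} pps > {pps_limit} pps"
        elif bps > bps_limit:
            reason = f"{bps:.0f} bps > {bps_limit} bps"
        if reason:
            actions.append({"prefix": f"{ip_address(host)}/32", "next_hop": BLACKHOLE_NEXT_HOP,
                            "community": BLACKHOLE_COMMUNITY, "reason": reason})
    return actions


class TokenBucket:
    """Proactive control: admits at most `rate` requests/s with bursts up to
    `capacity`, attack or no attack. Excess requests are refused one at a
    time; nothing is ever blackholed."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def sample_records():
    """Constructed one-second feed: .20 takes a 600 kpps / 4.8 Gbps flood,
    .21 and .22 carry normal load, .23 is a small host receiving 80 kpps;
    the last record falls outside the window and must be ignored."""
    recs = [FlowRecord(100.0 + i * 0.01, "198.51.100.20", 10_000, 10_000_000) for i in range(60)]
    recs += [FlowRecord(100.0 + i * 0.05, "198.51.100.21", 5_000, 2_500_000) for i in range(10)]
    recs += [FlowRecord(100.0 + i * 0.05, "198.51.100.22", 2_000, 3_000_000) for i in range(10)]
    recs += [FlowRecord(100.0 + i * 0.1, "198.51.100.23", 10_000, 1_000_000) for i in range(8)]
    recs.append(FlowRecord(101.5, "198.51.100.20", 10_000, 10_000_000))
    return recs


def blackhole_demo():
    """Global defaults 500 kpps / 2 Gbps; .22 gets a higher per-host limit and
    .23 a lower one. Returns the prefixes that would be announced, then the actions."""
    rates = per_host_rates(sample_records(), window_start=100.0)
    per_host = {"198.51.100.22": (250_000, 1_000_000_000), "198.51.100.23": (50_000, None)}
    actions = threshold_check(rates, 500_000, 2_000_000_000, per_host)
    return sorted(a["prefix"] for a in actions), actions


def rate_limit_demo():
    """150 requests at one instant against a 100 req/s limit with burst 100:
    100 admitted, 50 refused; one second later another 100 get through."""
    bucket = TokenBucket(rate=100, capacity=100)
    first = sum(bucket.allow(0.0) for _ in range(150))
    second = sum(bucket.allow(1.0) for _ in range(150))
    return first, 150 - first, second


if __name__ == "__main__":
    for a in blackhole_demo()[1]:
        print(f"announce {a['prefix']} next-hop {a['next_hop']} community {a['community']}  # {a['reason']}")
    print("rate limiter admitted/refused/admitted next second:", rate_limit_demo())
```

Note the two outcomes: the threshold check stays silent for three of the four hosts and emits exactly two /32 announcements, one for the flooded host and one for the small host whose per-host override is lower than the global default; the token bucket, by contrast, acts on every request, admitting the first 100 and refusing the rest whether or not anything abnormal is going on.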
What else can you do with threshold-based defence?
Once you’ve got the basics of setting thresholds down, there are a few extra options that can really help you fine-tune your DDoS protection, especially if you’re dealing with more complex setups or bigger networks.
1. Group hosts together and set limits for the whole group
Instead of managing thresholds for every single IP, you can lump IPs or subnets into groups – say, all the servers in a data centre or all the customers in a particular region – and set a threshold for the whole bunch. If traffic to that group goes over the limit, the system can trigger a defence action. It’s a lot easier to manage when you have lots of addresses.
2. Watch incoming and outgoing traffic separately
Most people think about attacks coming in, but don’t forget traffic leaving your network. If a machine inside your network gets compromised and starts blasting out traffic, having separate limits for outgoing traffic helps catch that early.
3. Get more specific with what you watch
Instead of just counting packets or bits, you can set thresholds based on things like protocol type, ports, or packet details. That way, you can catch specific attack types, like DNS floods or SYN floods, without accidentally triggering on normal traffic.
4. Find out what “normal” looks like first
If you’re not sure what numbers to pick for your thresholds, spend some time measuring your usual traffic patterns first, over a period long enough to include your busiest hours. Set each limit above the observed peak for that host or group, not just above the average, otherwise a legitimate busy period will trigger a blackhole and do the attacker’s job for them.
5. Have a backup plan when the attack keeps going
Sometimes blocking a single IP isn’t enough, especially if the attacker switches targets or uses many IPs. Some setups let you create an escalation path: if the traffic keeps spiking, you can block a whole subnet or a larger group of addresses to keep things under control.
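The five refinements above, as one added Python example (again written for this post, not FastNetMon code or configuration): host groups with their own limits, separate inbound and outbound thresholds, a per-protocol limit that catches a UDP flood sitting below the total limit, a threshold derived from measured history, and an escalation rule that blackholes a group's whole prefix when several of its hosts are hit in the same interval. The input is a set of per-host, per-direction, per-protocol packet rates for one measurement interval; the addresses, the numbers, the 99th-percentile-times-three baseline rule and the three-host escalation rule are all assumptions.

```python
"""Host groups, direction and protocol thresholds, a measured baseline and
escalation, on constructed per-second samples.

Added example for this section, not FastNetMon code or configuration. Input is
per-host, per-direction, per-protocol packet rates for one measurement interval
(what a collector derives from flow data); groups, numbers and the three-host
escalation rule are assumptions made for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Sample:
    ip: str
    direction: str  # "in": traffic towards the host, "out": traffic it sends
    proto: str      # "tcp", "udp", "icmp"
    pps: int        # packets per second over the interval


@dataclass
class HostGroup:
    name: str
    networks: list           # ip_network objects; empty for the catch-all group
    thresholds: dict         # (direction, proto) -> pps limit; proto "any" is the total
    escalate_after: int = 3  # breached hosts in one interval before the whole prefix goes

    def contains(self, ip):
        return any(ip_address(ip) in net for net in self.networks)


def baseline_threshold(history, headroom=3.0):
    """Derive a pps limit from normal-traffic samples: the 99th percentile,
    so one past spike does not inflate it, times a headroom factor."""
    ranked = sorted(history)
    return int(ranked[int(0.99 * (len(ranked) - 1))] * headroom)


def evaluate(samples, groups, default_group):
    """Return blackhole actions: one per breached (host, direction) and a
    prefix-wide one when a group has escalate_after breached hosts at once."""
    totals = defaultdict(lambda: defaultdict(int))  # (ip, direction) -> proto -> pps
    for s in samples:
        totals[(s.ip, s.direction)][s.proto] += s.pps
    by_name = {g.name: g for g in [*groups, default_group]}
    actions, breached = [], defaultdict(set)        # (group name, direction) -> hosts
    for (ip, direction), by_proto in totals.items():
        group = next((g for g in groups if g.contains(ip)), default_group)
        reasons = []
        for proto, pps in [("any", sum(by_proto.values())), *by_proto.items()]:
            limit = group.thresholds.get((direction, proto))
            if limit is not None and pps > limit:
                reasons.append(f"{direction} {proto} {pps} pps > {limit}")
        if reasons:
            actions.append({"scope": f"{ip}/32", "direction": direction,
                            "group": group.name, "reason": "; ".join(reasons)})
            breached[(group.name, direction)].add(ip)
    for (name, direction), hosts in breached.items():
        group = by_name[name]
        if len(hosts) < group.escalate_after:
            continue
        for net in group.networks:
            if any(ip_address(h) in net for h in hosts):
                actions.append({"scope": str(net), "direction": direction, "group": name,
                                "reason": f"{len(hosts)} hosts breached in one interval"})
    return actions


def demo():
    """Constructed scenario: a DNS-style UDP flood under the total limit, a
    plain volumetric flood, a compromised host sending outward, and a host in
    the catch-all group judged against a measured baseline."""
    dc1 = HostGroup("dc1", [ip_network("203.0.113.0/24")], {
        ("in", "any"): 500_000,
        ("in", "udp"): 200_000,   # catches UDP floods that stay under the total limit
        ("out", "any"): 100_000,  # a host inside the network blasting outward
    })
    history = [10_000] * 290 + [11_000] * 9 + [40_000]  # constructed normal-traffic samples
    catch_all = HostGroup("default", [], {("in", "any"): baseline_threshold(history)})  # 33,000 pps
    samples = [
        Sample("203.0.113.10", "in", "udp", 250_000), Sample("203.0.113.10", "in", "tcp", 50_000),
        Sample("203.0.113.11", "in", "tcp", 600_000),
        Sample("203.0.113.12", "in", "udp", 300_000),
        Sample("203.0.113.40", "out", "tcp", 150_000),
        Sample("203.0.113.41", "in", "tcp", 400_000),
        Sample("198.51.100.5", "in", "tcp", 40_000),
        Sample("198.51.100.6", "in", "tcp", 30_000),
    ]
    return evaluate(samples, [dc1], catch_all)


if __name__ == "__main__":
    for a in demo():
        print(f"blackhole {a['scope']:18} {a['direction']:3} [{a['group']}] {a['reason']}")
```

Three hosts in the dc1 group breach in the same interval (two on the UDP-specific limit, one on the total), so on top of their /32 actions the group's /24 is escalated; the outbound breach on 203.0.113.40 is reported with direction "out", and 198.51.100.5 trips the catch-all group's baseline-derived limit of 33,000 pps while its neighbour at 30,000 pps does not. The escalation step is deliberately the last thing the function does, so a reviewer of the log can see the per-host reasons that justified it.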
You don’t need to use all these tricks right away. But as your network grows or your threat landscape changes, they give you ways to stay one step ahead, and avoid getting overwhelmed by noisy or sophisticated attacks. The better you understand your traffic, the easier it gets to tune your defence to fit your real-world needs.
For a full walkthrough and configuration examples, visit the documentation:
FastNetMon: Per-Host Threshold Configuration
Need more?
Explore our guides:
- FastNetMon: Per-Host Threshold Setup – https://fastnetmon.com/docs-fnm-advanced/fastnetmon-advanced-per-host-threshold-configuration/
- BGP Blackhole Configuration Guide – https://fastnetmon.com/docs-fnm-advanced/fastnetmon-advanced-blackhole/
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com