Case Joy Services: Automated DDoS detection and hardware-accelerated mitigation

FastNetMon

June 15, 2026


Introduction

For cloud infrastructure and infrastructure-as-a-service (IaaS) providers handling highly dynamic workloads, network availability is directly tied to customer retention. When volumetric DDoS attacks strike, the immediate consequence is often network congestion that can affect customer services and infrastructure availability.

This was the challenge faced by Indian provider Joy Services. Following the expansion of their cloud platforms into gaming workloads, the network became the target of high-volume DDoS attacks. The attacks saturated network capacity and caused service disruption, highlighting the need for both automated detection and rapid mitigation.

To address this challenge, Joy Services upgraded parts of its network infrastructure to hardware that could handle heavy packet floods without overloading the CPU and deployed FastNetMon Community Edition to detect and mitigate attacks in real time.

This case study is based on discussions with Chander Parkash from Joy Services regarding the company's implementation and use of FastNetMon. We thank him for taking the time to share his experience.

About the Customer

Joy Services is an Indian cloud and infrastructure provider established in 2022. The company operates an edge delivery ecosystem that provides cloud infrastructure and hosting services, including VPS, dedicated servers, DNS, storage solutions, content delivery services, cloud gaming infrastructure, cybersecurity services, backup solutions, and database services.

To support this infrastructure, Joy Services runs a highly multi-homed network built on Cisco Nexus switches and Juniper PTX1000 routing hardware. Their edge topology includes a minimum of two upstream transit providers per location and direct peering paths with more than 500 ISPs. For internal visibility and monitoring, the engineering team utilises a mix of both NetFlow and sFlow traffic telemetry across their environments.

The challenge: Volumetric DDoS attacks affecting network availability

In mid-2024, shortly after onboarding a new gaming customer, Joy Services faced its first major DDoS incident: a DNS amplification attack targeting customer infrastructure.

The incident exposed the impact that large-scale DDoS attacks could have on the network.

Network saturation

High-volume attack traffic completely consumed the available capacity of a network link, causing approximately 10 to 15 minutes of downtime during the first incident.

As targeted attacks became more frequent, the lack of automated defence workflows led to operational challenges and customer impact. The engineering team needed a solution that combined specialised hardware forwarding with real-time attack detection and automated mitigation.

Implementation: Decoupling forwarding and automation

The mitigation strategy executed by Joy Services was split into two primary layers: a hardened network edge and the deployment of FastNetMon to orchestrate automated defence.

Hardware-Assisted Edge Protection

To better handle high packets-per-second (PPS) attacks, the team replaced a standard router with specialised Juniper PTX1000 routing hardware alongside Cisco Nexus switches. According to Joy Services, the key advantage of this approach is that ASIC-based packet forwarding does not overload the CPU during high-PPS attack scenarios.

This architectural change helped ensure the network could continue forwarding traffic efficiently even during large attack events.

Telemetry Processing and Real-Time Visibility

With the hardware layer secured, Joy Services deployed FastNetMon Community Edition as its centralised DDoS detection and network visibility platform.

The edge routers and switches stream continuous NetFlow and sFlow data directly into FastNetMon. Network engineers use the platform to gain visibility into traffic patterns, monitor per-host and per-subnet statistics, and identify top-talker IP addresses through Grafana dashboards.

Instead of relying solely on customer reports or downstream monitoring systems, the team gained real-time visibility into anomalous traffic and attack activity across the network.

Automated Mitigation via RTBH

To handle incoming volumetric attacks without manual intervention, Joy Services integrated FastNetMon with an upstream provider that supports Remote Triggered Black Hole (RTBH) mitigation.

Fast Detection: FastNetMon detects incoming DDoS anomalies within approximately 2 to 15 seconds, according to Joy Services.

Upstream Mitigation: When attack thresholds are exceeded, FastNetMon automatically triggers RTBH mitigation through the upstream provider, allowing attack traffic to be dropped before it can continue affecting the targeted destination.

Automated Recovery: RTBH mitigation is applied temporarily for approximately 200 seconds. Once attack traffic subsides, normal routing is restored automatically.
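The detect, blackhole and timed-recovery cycle described above can be modelled in a few lines. This is an added example, not FastNetMon's or Joy Services' code: the controller logic, the pps threshold, the next-hop address and the ExaBGP-style command strings are assumptions, and the telemetry samples are constructed. Only the 200-second ban comes from the case study; 65535:666 is the well-known BLACKHOLE community from RFC 7999.

```python
import ipaddress

BLACKHOLE = "65535:666"  # RFC 7999 well-known BLACKHOLE community
BAN_SECONDS = 200        # ban duration reported in the case study

class RtbhController:
    """Threshold detection with a timed RTBH ban (assumed logic)."""
    def __init__(self, protected, pps_threshold, next_hop):
        self.protected = [ipaddress.ip_network(n) for n in protected]
        self.pps_threshold = pps_threshold
        self.next_hop = next_hop
        self.banned = {}  # host -> time at which the ban expires

    def observe(self, now, host, pps):
        """Feed one per-host sample; return the BGP commands to emit."""
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in self.protected):
            return []  # never blackhole space we do not originate
        route = f"route {host}/32 next-hop {self.next_hop}"
        over = pps > self.pps_threshold
        expiry = self.banned.get(host)
        if expiry is None:
            if not over:
                return []
            self.banned[host] = now + BAN_SECONDS
            return [f"announce {route} community [{BLACKHOLE}]"]
        if now < expiry:
            return []  # ban still running, nothing to change
        if over:  # attack still visible, e.g. via paths that ignore the blackhole
            self.banned[host] = now + BAN_SECONDS
            return []
        del self.banned[host]  # traffic subsided: restore normal routing
        return [f"withdraw {route}"]

def replay(samples, controller):
    return [(now, cmd) for now, host, pps in samples
            for cmd in controller.observe(now, host, pps)]

# Constructed telemetry: documentation address ranges, invented rates.
SAMPLES = [
    (0, "203.0.113.10", 12_000),     # normal traffic
    (5, "203.0.113.10", 900_000),    # flood begins: blackhole announced
    (60, "203.0.113.10", 0),         # upstream drops it, edge sees nothing
    (205, "203.0.113.10", 8_000),    # ban expired, traffic normal: withdraw
    (210, "198.51.100.7", 900_000),  # outside protected space: ignored
]

if __name__ == "__main__":
    print(replay(SAMPLES, RtbhController(["203.0.113.0/24"], 100_000, "192.0.2.1")))
```

While the /32 is blackholed, legitimate traffic to that host is dropped along with the attack, which is why the ban is scoped to a single address and expires on a timer.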

Suppressing outbound DDoS attack vectors

By 2025, the threat landscape expanded to include outgoing DDoS attacks originating from within the cloud environment. Joy Services leveraged FastNetMon's traffic monitoring capabilities to identify and mitigate these outbound attack events.

By monitoring both inbound and outbound traffic, the team gained additional visibility into suspicious traffic patterns and potential security issues affecting customer infrastructure.

If an internal server begins generating abnormal outbound traffic, FastNetMon can help identify the activity and enable rapid mitigation, reducing the operational impact of the incident.

"I would like to recommend FastNetMon. Everyone should deploy this to secure their network and detect both incoming and outgoing attacks. If all ISPs filtered outgoing attacks, then automatically it would reduce DDoS attacks on the entire Internet."

Outcomes and Operational Impact

By combining hardware-accelerated packet forwarding with FastNetMon's automated detection and mitigation capabilities, Joy Services transitioned from a reactive approach to a significantly more resilient operational model.

Following the implementation, Joy Services achieved:

Near-Zero Downtime: DDoS incidents that previously caused service disruption can now be detected and mitigated automatically.

Sub-15 Second Detection and Response: The time required to detect major attack events dropped to a consistent 2-to-15-second window.

Comprehensive Network Visibility: Real-time metrics allow engineers to monitor traffic spikes, track per-host and per-subnet statistics, identify top talkers, and receive instant alert notifications when attacks are detected.

"Today, we experience nearly zero downtime, and FastNetMon has become one of the most important tools in our infrastructure. Its DDoS detection capabilities have provided tremendous help in protecting our network and maintaining service stability."

Why FastNetMon Fits the Environment

For Joy Services, the major advantage was the accessibility and completeness of the toolset available in the Community Edition.

The team was able to build a robust DDoS detection and automated mitigation workflow while also gaining valuable network visibility and monitoring capabilities.

The platform fit well within a network environment that includes multiple upstream providers, extensive peering relationships, and a mixture of network devices, making FastNetMon an important component of Joy Services' operational infrastructure.