Introduction
DDoS-Protection flowAnalyzer
flowAnalyzer continuously analyzes network traffic, detecting anomalies that qualify as a DDoS attack. This covers attacks directed at single hosts as well as at whole prefixes. It offers event-based re-configuration as well as streaming telemetry. The software is deployed at the edge of our network or in customer environments, usually in an n+x fault-tolerant architecture.
Flow Analysis
sFlow samples are sent continuously from routing equipment across the network to flowAnalyzer nodes. There they are collected and further processed, producing traffic profiles in under one second.
Port-Mirror
Port-Mirror (SPAN) mode copies ingressing packets 1:1 from network devices to flowAnalyzer nodes. Usually, truncation is enabled on those network devices, reducing the size of the sampled packets sent to flowAnalyzer.
In this mode, flowAnalyzer parses the received packets, counts them, and detects anomalies across various traffic types. When an anomaly is detected, it enters the same processing pipeline as in Flow Analysis.
This mode requires sufficient connectivity between the mirroring network devices and flowAnalyzer.
Architecture
A lock-free, highly multi-threaded architecture with batched queue processing and multiple worker routines enables efficient concurrent analysis of received traffic samples. Every hot-path component of flowAnalyzer is built for high computational speed and minimal memory footprint. Features such as streaming telemetry use batched event production to process telemetry events in real-time. Unlike many other solutions, flowAnalyzer can consume dozens of megabits per second of sFlow samples and SPAN traffic (hundreds of millions of packets per second) without excessive processor utilization, memory consumption, or detection latency. Backpressure is handled through bounded queues with graceful degradation under sustained load. flowAnalyzer also features a Prometheus exporter for operational insight.
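As an added illustration (not flowAnalyzer's own code, whose internals are not published here), a Go sketch of the pipeline the Flow Analysis and Architecture sections describe: samples are offered to a bounded queue that sheds and counts rather than blocks when full, a batch is drained and scaled by its sampling rate into per-host and per-prefix counts, and entries above a threshold are flagged. The Sample layout, the /24 aggregation and the fixed threshold are assumptions made for the example.

```go
package main

import "net/netip"

// Sample is one decoded flow sample (constructed layout for this example,
// not flowAnalyzer's real record format). IPv4 destinations are assumed.
type Sample struct {
	Dst  netip.Addr // destination of the sampled packet
	Rate int        // sampling rate N: one sample stands for N packets
}

// Offer enqueues without blocking. When the bounded queue is full the sample
// is shed and counted instead of stalling the receiver (graceful degradation).
func Offer(q chan Sample, s Sample, dropped *int) bool {
	select {
	case q <- s:
		return true
	default:
		*dropped++
		return false
	}
}

// Aggregate drains the queue as one batch and builds the traffic profile:
// each sample is scaled by its sampling rate and attributed both to the
// destination host and to its /24, so single-host and prefix floods show up.
func Aggregate(q chan Sample) (hosts map[netip.Addr]int, prefixes map[netip.Prefix]int) {
	hosts, prefixes = map[netip.Addr]int{}, map[netip.Prefix]int{}
	for {
		select {
		case s := <-q:
			pfx, _ := s.Dst.Prefix(24)
			hosts[s.Dst] += s.Rate
			prefixes[pfx] += s.Rate
		default:
			return
		}
	}
}

// Exceeding returns the keys whose estimated packet count is above
// threshold; a fixed threshold stands in for a learned baseline here.
func Exceeding[K comparable](counts map[K]int, threshold int) (out []K) {
	for k, n := range counts {
		if n > threshold {
			out = append(out, k)
		}
	}
	return
}
```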