Introduction

DDoS-Protection flowAnalyzer

flowAnalyzer continuously analyzes the network and controls both the activation of DDoS-Protection and the generation of statistics.

Flow Analysis

With sFlow, flowAnalyzer receives network flows from routers, stores them temporarily in memory and evaluates them against bandwidth and detection profiles, including flowrules. When an attack is detected, BGP routes are sent to the involved routers, redirecting traffic onto flowShield.
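
A minimal sketch of the flow-analysis loop described above, added here as an illustration and not flowAnalyzer's own code: sampled packets are kept in a short in-memory window, scaled by the sFlow sampling rate and compared against a per-destination profile. The `Sample`, `Profile` and `Detector` names, the thresholds and the one-second window are assumptions; the returned host prefixes stand in for the BGP routes that would redirect traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:              # one sampled packet from an sFlow flow sample
    ts: float              # receive time, seconds
    dst: str               # destination IP address
    frame_len: int         # original frame length, bytes
    sampling_rate: int     # router samples 1 in N packets

@dataclass(frozen=True)
class Profile:             # hypothetical bandwidth/detection profile
    max_bps: float
    max_pps: float

class Detector:
    def __init__(self, profiles, default, window=1.0):
        self.profiles, self.default, self.window = profiles, default, window
        self.samples = deque()             # temporary in-memory store

    def ingest(self, s):
        """Add a sample (time-ordered) and expire those outside the window."""
        self.samples.append(s)
        while self.samples[0].ts <= s.ts - self.window:
            self.samples.popleft()

    def rates(self):
        """Estimated (bps, pps) per destination: each sample stands for N packets."""
        bits, pkts = defaultdict(float), defaultdict(float)
        for s in self.samples:
            pkts[s.dst] += s.sampling_rate
            bits[s.dst] += s.frame_len * 8 * s.sampling_rate
        return {d: (bits[d] / self.window, pkts[d] / self.window) for d in pkts}

    def over_threshold(self):
        """Host prefixes whose estimated rate exceeds their profile."""
        hits = []
        for dst, (bps, pps) in self.rates().items():
            p = self.profiles.get(dst, self.default)
            if bps > p.max_bps or pps > p.max_pps:
                hits.append(f"{dst}/32")
        return sorted(hits)

def constructed_samples():
    """Constructed input: 500 samples to one host, 10 to another, within 1 s."""
    flood = [Sample(i * 0.002, "192.0.2.10", 1400, 1000) for i in range(500)]
    normal = [Sample(i * 0.1, "198.51.100.5", 800, 1000) for i in range(10)]
    return sorted(flood + normal, key=lambda s: s.ts)
```

With a 1-in-1000 sampling rate, 500 samples in one second represent roughly 500,000 packets per second, which is why a sampled feed can still be checked against absolute bandwidth thresholds.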

Port-Mirror

In Port-Mirror mode, flowAnalyzer analyzes incoming network traffic by receiving a 1:1 copy of traffic on network ports to connected routers. Analysis uses XDP-based logic, which allows matching against sessions recognized by flowTrack, the geolocation of the packet source and the traffic rate of specific types.

Time to mitigate is lower than 100 milliseconds, which makes Port-Mirror mode the go-to option for very fast traffic anomaly detection.

Port-Mirror mode is limited to the available physical network capacity. If the flowAnalyzer appliance is connected at 4x 100Gbps, the limit of analyzed traffic is 400Gbps. The limit can be raised by truncating mirrored packets to a specific size, which allows far more gross network bandwidth to be analyzed than flowAnalyzer has connected capacity, scaling to terabits of analyzed network traffic.