Hi,
I wanted to drop a quick question as I would like to evaluate the FastNetMon solution to do DDoS protection and wanted to see what other companies are using it out there so I can have a base of how much should I recommend this.
Thanks in advance for your responses
We use Arbor’s Sightline in an SFlow + Flowspec topology. It… works. It needs a lot of tuning. It’s moderately expensive to deploy in this topology, unlike in-band which is holy-cow-expensive at our speeds. If you want historical/forensic data, you need to buy a moderately-expensive hardware server (they don’t let you virtualize it) for their Insight module. Arbor’s tech support is Quite Good Indeed, and their SE team is FANTASTIC. Sales, however, not so much. We don’t feel Sightline is doing all that much for us, but we also aren’t able to put the required amount of daily care and feeding into it that it needs, so YMMV.
My overall impression is that all the on-prem anti-DDOS products out there do the same thing, and work much the same way – thresholds, hopefully with auto-baselining. The differentiating factors IMHO are whether the auto-baselining can take time-of-day, day-of-week, and month into account (e.g. business day, K-12 school year, etc.); we believe Sightline’s auto-baselining doesn’t do a great job here. Beyond that, any product that uses an evolving statistical model (probably branded as “AI”, sigh) will have a slightly better chance of improving the successful hit ratio.
I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + Flowspec, possibly including “scrubbing” (diverter box); having said that, I do know one of my upstreams has a large Sightline h/w appliance of some sort, I don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick, but it’s too expensive for them to upgrade and they’re apparently dropping it instead… once we stop telling them quite so loudly to NOT get rid of it , I guess??
AFAIK, FastNetMon is basically the same thing as Sightline, with a less-polished UI. (read: doesn’t make mgmt. as happy to look at it) and you need some external support bits to do the Flowspec.
-Adam
you need to buy a moderately-expensive hardware server (they don’t let you virtualize it)
To clarify, Sightline has supported virtualization for many years, FYI.
I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + Flowspec, possibly including “scrubbing” (diverter box);
I don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick
In addition to flow telemetry, D/RTBH, S/RTBH, and flowspec, Sightline/TMS supports intelligent DDoS mitigation directly in-line or via diversion/reinjection.
[Full disclosure: I am an employee of NETSCOUT.]
It does do, yes. But pricing for the software license is not too far off from if you chose to buy Netscout's own hardware.
Not a major drama for me - I appreciate that competence has to be compensated. What I am saying is that attempts to make it more palatable to more operators are not making too much of a dent.
Mark.
Sorry for the late reply… Sightline Insight is the piece the sales team won’t sell me, and TAC won’t support me, for deployment in our private-cloud environment: it has to be hosted on one of 3 canned server configurations.
I am using Sightline/TMS virtually and it’s fine there.
-Adam
Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
We (AperNet) have an open-source anti-ddos flow monitor called apermon
that provides some interesting capabilities.
Sightline Insight is the piece the sales team won’t sell me, and TAC won’t support me, for deployment in our private-cloud environment
Insight isn’t used for first-order DDoS detection/classification/traceback/mitigation; Sightline/TMS provides those functions.
Insight is a forensics, peering analysis, and traffic-engineering tool.
I am using Sightline/TMS virtually and it’s fine there.
Thanks for the clarification!
[Full disclosure: I am an employee of NETSCOUT.]