Flow-based DDoS monitoring relies on the edge routers of the protected network. The routers export NetFlow data to an off-site Security Operations Center, where DDoS detection experts use it to build an understanding of the site’s normal pattern of network traffic. With that baseline, DDoS monitoring staff can immediately recognize significant deviations from the norm, promptly analyze the anomaly, and alert on the detection of a DDoS attack.
Flow-based DDoS monitoring tools identify volumetric network-layer DDoS attacks, such as SYN floods, UDP floods and ICMP floods. The tools are non-intrusive to minimize any potential effect on service performance.
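The baseline-and-deviation check described above can be sketched as follows. This is an added example, not code from the original page or from any monitoring product. It assumes flow records reduced to (interval, protocol, TCP flags, packets) tuples and a median/MAD baseline; the function names and thresholds are hypothetical and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

SYN = 0x02  # NetFlow tcp_flags is the OR of all flags in the flow; 0x02 = SYN only

def classify(proto, tcp_flags):
    """Map a flow to the flood class it would count toward, or None."""
    if proto == 6 and tcp_flags == SYN:   # TCP flow that never got past SYN
        return "syn"
    if proto == 17:
        return "udp"
    if proto == 1:
        return "icmp"
    return None

def packets_per_interval(flows):
    """Sum packets per (interval, class)."""
    totals = defaultdict(int)
    for interval, proto, flags, packets in flows:
        cls = classify(proto, flags)
        if cls:
            totals[(interval, cls)] += packets
    return totals

def build_baseline(flows):
    """Per class: (median, median absolute deviation) of packets per interval."""
    per_class = defaultdict(list)
    for (_, cls), pkts in packets_per_interval(flows).items():
        per_class[cls].append(pkts)
    baseline = {}
    for cls, series in per_class.items():
        med = median(series)
        baseline[cls] = (med, median(abs(x - med) for x in series))
    return baseline

def detect(flows, baseline, k=6, min_mad=1.0):
    """Alert when packets exceed median + k*spread; the spread is floored
    (min_mad, 10% of median) so a flat baseline does not alert on noise."""
    alerts = []
    for (interval, cls), pkts in packets_per_interval(flows).items():
        med, mad = baseline.get(cls, (0, 0))
        if pkts > med + k * max(mad, min_mad, 0.1 * med):
            alerts.append((interval, cls, pkts))
    return sorted(alerts)

# Constructed sample data: five quiet intervals, then live traffic with a SYN surge.
TRAINING = [(i, p, f, n + i) for i in range(5)
            for p, f, n in ((6, SYN, 100), (17, 0, 200), (1, 0, 10))]
LIVE = [(10, 6, SYN, 104), (10, 17, 0, 205), (11, 6, SYN, 9000),
        (11, 6, 0x12, 50), (11, 17, 0, 203), (11, 1, 0, 10)]
```

Calling `detect(LIVE, build_baseline(TRAINING))` flags only the SYN surge in interval 11; the flow with flags 0x12 (SYN and ACK seen) is not counted toward the SYN class.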