DDoS Services


ControlCircle can offer a fully managed and integrated service for defending against Distributed Denial of Service (DDoS) attacks. The solutions are based on two main areas: Monitoring and Filtering.
 
Monitor Only

There are two levels of standard monitoring offered by ControlCircle within the core: traffic monitoring and application monitoring. By default, ControlCircle can provide you with traffic monitoring via the customer portal, which allows you to monitor your bandwidth and circuit performance to the Internet. Traps and alerts can be configured to warn of a sharp increase in bandwidth, which may indicate an attack. For example, greater than 80% utilisation on the inbound will trigger an SNMP alert and an email to the NOC, and can also be configured to alert the customer directly if needed.
 
As standard, ControlCircle use sFlow to monitor the core network with Snort and report any Snort matches via the customer portal using EIQ. This gives a basic application monitoring system. The system is a read-only architecture: other than producing report files, it takes no corrective action automatically, and it is down to the customer to analyse the data and take the correct action. The main drawback is that Snort is often plagued with many false positives, so you need to know how to interpret the data correctly.
 
Monitor and Filter

To provide a system that monitors and takes automatic action in the event of an attack, you need to engage an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) at the application layer. IDS/IPS is listed here because, before a full-blown DDoS is launched, probing is often done to find weaknesses in the application and/or servers, so preventing this can also prevent a DDoS from even happening. Once a DDoS attack is underway, however, a more intelligent solution is needed to filter traffic that may seem legitimate but is in fact DDoS traffic.
 
ControlCircle use a hardware appliance that moves beyond IDS/IPS and is designed and geared to deal directly with DDoS. Its approach is to prevent DDoS attacks by using very complex match algorithms which stop all but real user traffic. This system can prevent DDoS attacks of up to 1 Gbps; however, as the types of DDoS attacks are vast in scope, this can never be guaranteed.
 
DDoS protection is therefore a multi-platform solution: you need an active monitoring solution, which may be the standard ControlCircle offering, and where more complex monitoring and local filtering are required, dedicated hardware is needed.

 
