In August 2015, we launched Vscale, a new service that offers low-cost virtual servers specially designed for developers. There was a risk that inexpensive, custom virtual machines might attract clients planning to organize various attacks over the Internet. That is why we decided to create a mechanism for quickly identifying and preventing such incidents and for determining which of our clients were under attack.
Initially, we handled these issues by visually inspecting graphs of our channel loads and the results of NetFlow analysis. With NetFlow, traffic is processed with a 2-minute delay (30 seconds for the flow timeout on routers and 1 minute between runs of the traffic analysis scripts on the collector).
That is why we began to use sFlow for real-time traffic monitoring. It reacts much faster to network anomalies, and sampling is not a significant factor when the data is used to detect an attack. Moreover, sFlow lets you retrieve traffic information directly from the ports that end hosts are connected to.
To analyze traffic, we decided on DPS from Terabit Security. When it proved its effectiveness in identifying anomalies in network activity, we wanted to scale this solution to our other services (like Cloud Servers, Cloud Storage, Dedicated Servers, etc.). The DPS’s author quickly and professionally made the necessary updates for this.