nanog mailing list archives

RE: FastNetMon Usage in the wild

From: Adam Thompson <athompson () merlin mb ca>
Date: Tue, 10 Oct 2023 18:50:27 +0000

We use Arbor’s Sightline in an SFlow + Flowspec topology.  It… works.  It needs a lot of tuning.  It’s moderately 
expensive to deploy in this topology, unlike in-band which is holy-cow-expensive at our speeds.  If you want 
historical/forensic data, you need to buy a moderately-expensive hardware server (they don’t let you virtualize it) for 
their Insight module.  Arbor’s tech support is Quite Good Indeed, and their SE team is FANTASTIC.  Sales, however, not 
so much.  We don’t feel Sightline is doing all that much for us, but we also aren’t able to put the required amount of 
daily care and feeding into it that it needs, so YMMV.

My overall impression is that all the on-prem anti-DDOS products out there do the same thing, and work much the same 
way – thresholds, hopefully with auto-baselining.  The differentiating factors IMHO are whether the auto-baselining can 
take time-of-day, day-of-week, and month into account (e.g. business day, K-12 school year, etc.); we believe 
Sightline’s auto-baselining doesn’t do a great job here.  Beyond that, any product that uses an evolving statistical 
model (probably branded as “AI”, sigh) will have a slightly better chance of improving the successful hit ratio.

I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + Flowspec, possibly including “scrubbing” 
(diverter box); having said that, I do know one of my upstreams has a large Sightline h/w appliance of some sort, I 
don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick, but it’s too expensive for them to upgrade and 
they’re apparently dropping it instead… once we stop telling them quite so loudly to NOT get rid of it , I guess??

AFAIK, FastNetMon is basically the same thing as Sightline, with a less-polished UI. (read: doesn’t make mgmt. as happy 
to look at it) and you need some external support bits to do the Flowspec.

-Adam

Adam Thompson
Consultant, Infrastructure Services
[cid:image001.png@01D9FB80.2D14BDE0]
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca<https://www.merlin.mb.ca/>
[cid:image002.png@01D9FB80.2D14BDE0]Chat with me on Teams<https://teams.microsoft.com/l/chat/0/0?users=athompson () 
merlin mb ca>


From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> On Behalf Of Javier Gutierrez
Sent: Friday, October 6, 2023 5:20 PM
To: nanog () nanog org
Subject: FastNetMon Usage in the wild

Hi,
I wanted to drop a quick question as I would like to evaluate the FastNetMon solution to do DDoS protection and wanted 
to see what other companies are using it out there so I can have a base of how much should I recommend this.

Thanks in advance for your responses


Kind regards,


Javier Gutierrez,

Current thread:

FastNetMon Usage in the wild Javier Gutierrez (Oct 07)
- RE: FastNetMon Usage in the wild Adam Thompson (Oct 10)
  - Re: FastNetMon Usage in the wild Dobbins, Roland via NANOG (Oct 10)
    - Re: FastNetMon Usage in the wild Mark Tinka (Oct 10)
    - Re: FastNetMon Usage in the wild Adam Thompson (Oct 18)
    - Re: FastNetMon Usage in the wild Mirai Azayaka (Oct 18)
    - Re: FastNetMon Usage in the wild Dobbins, Roland via NANOG (Oct 18)