Version: Next

Installation & Deployment

The NFO DDoS Detection Solution is designed for rapid activation within your existing NFO infrastructure. Because the system utilizes an out-of-band architecture, deployment does not require network downtime or hardware re-cabling.

Prerequisites

Before enabling DDoS detection, ensure your environment meets the following requirements:

  • NFO Server: An active installation of NetFlow Optimizer.
  • Telemetry Sources: Routers, switches, or cloud gateways configured to send Flow data (NetFlow, IPFIX, sFlow, or Cloud Flow Logs) to the NFO Server.
  • Output Destination: A configured SIEM (e.g., Splunk) or a Syslog/JSON receiver to ingest alerts.

Step 1: Request and Upload the DDoS Detector Module

The DDoS Detector is a specialized analytical engine that is provided upon request.

  1. Request the Module: Contact NetFlow Logic Support or your account representative to receive the DDoS Detector module file.
  2. Upload to NFO: Log in to the NFO GUI, navigate to Modules, and use the Upload button in the upper right to add the provided file. Do not unzip the file!
  3. Enable the Module: Once uploaded, locate the DDoS Detector in your modules list and click Enable.
  4. Automatic Operation: No further configuration is required for the engine to begin processing data; however, advanced tuning is available via Module Parameters for specific environment needs.

Step 2: Advanced Tuning (Optional)

The DDoS Detector is pre-optimized to be fully operational within 15 minutes of deployment without manual baselining. For unique or high-scale infrastructures, the module includes a variety of parameters that can be adjusted to refine sensitivity and performance.

  • Expert Guidance: Because these parameters affect the core "Collective Mind" logic, please contact NetFlow Logic Support for assistance in tailoring these settings to your specific network profile.

Step 3: Install the NFO App for Splunk

To visualize attacks and manage confidence scores, install the visualization components in your Splunk environment:

  1. Download the DDoS Detector for Splunk App and the Technology Add-on for NetFlow from Splunkbase.
  2. Install both components on your Splunk Search Head.
  3. Ensure NFO is configured to send data to your Splunk Indexer via the standard NFO output settings.
  4. Open the DDoS Attack Summary dashboard to begin monitoring live events.

Deployment Verification

Verifying a DDoS detection solution differs from verifying most systems because, in a healthy environment, the "ideal" state is seeing no alerts.

How to confirm the system is active:

  • Module Status: In the NFO GUI, ensure the DDoS Detector module is marked as Enabled.
  • Traffic Processing: Check the NFO statistics to confirm that flow records are being received and processed. If the flow counters are incrementing, the "Analytical Experts" are actively inspecting your traffic.
  • The "No News is Good News" Reality: If the NFO dashboards in Splunk are empty, it simply means no anomalous behavior matching DDoS patterns has been detected. The system is a "silent guardian"—it only generates output when the Experts identify a legitimate threat.
Tip: If you wish to perform a functional test without an actual attack, contact our support team for guidance on using a flow generator to simulate a low-volume anomaly for verification purposes.
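As an added example that is not part of the NFO documentation or product, the following Python check covers the Telemetry Sources prerequisite and the Traffic Processing step above: it parses NetFlow v5 datagrams and counts, per exporter address, how many well-formed datagrams and flow records arrive in a fixed window, so you can confirm exporters are actually sending before looking at NFO's own counters. The port 2055, the bind address and the datagram builder's field values are assumptions and constructed test input, not NFO settings; bind the listener only on a host where NFO is not already using that port.

```python
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by 1..30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 datagram; raise ValueError if it is malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5 or not 1 <= count <= 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"not a well-formed v5 datagram: version={version} count={count} len={len(datagram)}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "packets": f[5], "octets": f[6], "dport": f[10], "proto": f[13]})
    # Low 14 bits of the sampling field carry the interval (0 means unsampled export).
    return {"sequence": seq, "sampling_interval": sampling & 0x3FFF, "records": records}

def make_v5_datagram(flows, sequence=1) -> bytes:
    """Constructed test input only: flows are (src, dst, packets, octets, dport, proto) tuples."""
    header = V5_HEADER.pack(5, len(flows), 1000, int(time.time()), 0, sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, bytes(4), 1, 2,
                                   pk, oc, 900, 1000, 40000, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, oc, dp, pr in flows)
    return header + body

def count_flows(port=2055, seconds=30, bind_addr="0.0.0.0") -> dict:
    """Listen for `seconds` and count valid v5 datagrams/records per exporter address.
    Assumption: 2055 is a placeholder port; bind it only where NFO is not already listening."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(1.0)
    stats, deadline = {}, time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, (exporter, _) = sock.recvfrom(65535)
            n = len(parse_netflow_v5(data)["records"])
        except socket.timeout:
            continue
        except ValueError:
            n = -1  # exporter is already bound; recvfrom succeeded, only parsing failed
        s = stats.setdefault(exporter, {"datagrams": 0, "records": 0, "malformed": 0})
        s["malformed" if n < 0 else "datagrams"] += 1
        s["records"] += max(n, 0)
    sock.close()
    return stats
```

An exporter that appears only under `malformed`, or not at all, points to a source or version mismatch (e.g. IPFIX or v9 sent where v5 is expected) rather than a detector problem.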