Installation & Deployment
The NFO DDoS Detection Solution is designed for rapid activation within your existing NFO infrastructure. Because the system utilizes an out-of-band architecture, deployment does not require network downtime or hardware re-cabling.
Prerequisites
Before enabling DDoS detection, ensure your environment meets the following requirements:
- NFO Server: An active installation of NetFlow Optimizer
- Telemetry Sources: Routers, switches, or cloud gateways configured to send flow data (NetFlow, IPFIX, sFlow, or Cloud Flow Logs) to the NFO server
- Output Destination: A configured SIEM or Syslog/JSON receiver to ingest DDoS alerts from NFO
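The telemetry prerequisite is easy to get wrong silently (exporter pointed at the wrong address or port, UDP dropped by a firewall), so it helps to prove the ingest path with a packet whose contents you control. The following Python script is an added example, not part of the NFO product or its documentation: it encodes a NetFlow v5 datagram by hand, decodes it again as a self-check, and sends it to the collector. The collector address and port (127.0.0.1:2055) are placeholders to replace with your NFO server's actual listener, and the sample flows are constructed using documentation address space.

```python
import socket
import struct
import time
from ipaddress import IPv4Address

# NetFlow v5 wire format (network byte order):
#   24-byte header followed by up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sys_uptime, unix_secs,
                                                    # unix_nsecs, flow_sequence, engine_type,
                                                    # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                    # dPkts, dOctets, first, last, srcport, dstport,
                                                    # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                                    # src_mask, dst_mask, pad2
V5_MAX_RECORDS = 30

def build_v5_packet(flows, sequence=0, uptime_ms=60_000, unix_secs=None):
    """Encode a list of flow dicts as one NetFlow v5 datagram.
    Each flow needs: src, dst, sport, dport, proto, packets, bytes (tcp_flags optional)."""
    if not 0 < len(flows) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    if unix_secs is None:
        unix_secs = int(time.time())
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            int(IPv4Address(f["src"])), int(IPv4Address(f["dst"])), 0,  # no next-hop
            0, 0,                                                       # ifIndex in/out unknown
            f["packets"], f["bytes"],
            max(uptime_ms - 1_000, 0), uptime_ms,                       # 1 s flow duration
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,                    # pad, flags, proto, tos
            0, 0, 0, 0, 0,                                              # AS/mask fields unset
        )
        for f in flows
    )
    return header + records

def parse_v5_packet(data):
    """Decode a v5 datagram back into a header dict and flow dicts (self-check for the
    encoder, or for inspecting what a real exporter sends)."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13],
        })
    return {"version": version, "count": count, "sequence": seq, "unix_secs": secs}, flows

def send_v5(packet, collector_host, collector_port):
    """Send one datagram to the collector over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(packet, (collector_host, collector_port))

# Constructed sample flows (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 53,
     "proto": 17, "packets": 3, "bytes": 240},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "sport": 40001, "dport": 443,
     "proto": 6, "packets": 10, "bytes": 5200, "tcp_flags": 0x02},
]

if __name__ == "__main__":
    # Assumed placeholders: replace with the NFO server address and its NetFlow listener port.
    pkt = build_v5_packet(SAMPLE_FLOWS, sequence=1)
    print(f"built {len(pkt)}-byte v5 datagram:", parse_v5_packet(pkt)[0])
    print("sent", send_v5(pkt, "127.0.0.1", 2055), "bytes; now check the NFO flow counters")
```

After sending a few datagrams, the NFO statistics should show the flow counters incrementing; if they do not, the problem is in the export path (address, port, firewall, or the source not exporting at all), not in the DDoS Detector.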
Step 1: Request and upload the DDoS Detector Module
The DDoS Detector is a specialized analytical engine provided upon request and uploaded to NFO separately -- it is not included in the standard build.
- Request the module — contact NetFlow Logic Support or your account representative to receive the DDoS Detector module file
- Upload to NFO — log in to the NFO GUI, navigate to Modules, and use the Upload button in the upper right to add the provided file. Do not unzip the file
- Enable the module — once uploaded, locate the DDoS Detector in the modules list and click Enable
- Automatic operation — no further configuration is required for the engine to begin processing data
Step 2: Advanced tuning (optional)
The DDoS Detector is pre-optimized to be fully operational within 15 minutes of deployment without manual baselining. For unique or high-scale infrastructures, the module includes parameters that can be adjusted to refine sensitivity and performance.
Because these parameters affect the core Collective Mind logic, contact NetFlow Logic Support for assistance in tailoring settings to your specific network profile.
Step 3: Configure an output destination
Once the module is enabled, configure NFO to forward DDoS alerts to your destination of choice. Syslog (UDP/TCP) and JSON are both supported. See Data Outputs for configuration details.
Deployment Verification
Verifying a DDoS detection deployment differs from verifying most systems: in a healthy environment the expected output is no alerts, so silence alone does not distinguish a working deployment from one that is not processing data or not delivering its output.
To confirm the system is active:
- Module status — in the NFO GUI, confirm the DDoS Detector module is marked as Enabled
- Traffic processing — check NFO statistics to confirm that flow records are being received and processed. If flow counters are incrementing, the Analytical Experts are actively inspecting traffic
- No alerts means no threats detected — once the module is Enabled and the flow counters are incrementing, an output destination that receives no DDoS events means no behavior matching DDoS patterns has been detected; the system generates output only when the Experts identify a threat. Before those two checks pass, silence is inconclusive (the engine may not be seeing flow data, or the output destination may be unreachable), so confirm the first two items before relying on the absence of alerts
NFO can forward DDoS alerts to any supported destination via Syslog or JSON. Purpose-built visualization and alerting are currently available for Splunk via the DDoS Detector App -- see DDoS Detector App for Splunk for installation and dashboard documentation.
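Because a quiet destination cannot by itself tell you whether the output path in Step 3 works, it is worth proving delivery with a throwaway receiver before trusting silence. The following Python script is an added example, not part of the NFO product or the Splunk app: it listens for UDP syslog/JSON datagrams, classifies each one as JSON, plain syslog or unrecognized, and includes a loopback self-test. The test messages are constructed to exercise the transport only; they do not reproduce NFO's real alert schema, and the listener port (5140) is a placeholder. It handles the UDP transport only; for TCP syslog you would need a stream listener instead.

```python
import json
import re
import socket
import threading
import time

# RFC 3164-style PRI header "<facility*8+severity>" in front of the message body.
SYSLOG_PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.DOTALL)

def parse_syslog(line):
    """Split a syslog line into facility, severity and body; lines without a PRI
    header come back with facility/severity None and the whole line as body."""
    m = SYSLOG_PRI.match(line)
    if m is None:
        return {"facility": None, "severity": None, "body": line}
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "body": m.group("body")}

def extract_json(body):
    """Return the JSON object that starts at the first '{' of the body, or None."""
    start = body.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(body[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def classify_datagram(raw):
    """Decode one datagram and tag it: 'json' (a JSON object was found, with or without
    a syslog header), 'syslog' (PRI header, plain text) or 'other' (neither)."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    rec = parse_syslog(text)
    rec["json"] = extract_json(rec["body"])
    if rec["json"] is not None:
        rec["kind"] = "json"
    elif rec["facility"] is not None:
        rec["kind"] = "syslog"
    else:
        rec["kind"] = "other"
    return rec

def listen_udp(bind_host, port, seconds):
    """Collect every UDP datagram arriving within `seconds` and classify it.
    An empty result does not mean 'no DDoS'; it means the output path is unproven."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        sock.settimeout(0.2)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                data, (peer, _) = sock.recvfrom(65535)
            except socket.timeout:
                continue
            rec = classify_datagram(data)
            rec["peer"] = peer
            received.append(rec)
    return received

# Constructed test messages; they imitate the transport, not NFO's actual alert fields.
TEST_LINES = [
    b'<134>Jan  1 00:00:00 nfo-host nfo: {"event":"ddos_test","target":"198.51.100.5"}',
    b"<13>Jan  1 00:00:00 nfo-host nfo: plain text heartbeat",
    b'{"event":"ddos_test","transport":"raw-json"}',
]

def loopback_self_test(port=15140):
    """Prove the listener itself works by feeding it TEST_LINES over 127.0.0.1."""
    result = []
    t = threading.Thread(target=lambda: result.extend(listen_udp("127.0.0.1", port, 1.5)))
    t.start()
    time.sleep(0.3)  # let the listener bind before sending
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in TEST_LINES:
            s.sendto(line, ("127.0.0.1", port))
    t.join()
    return [r["kind"] for r in result]

if __name__ == "__main__":
    print("self-test kinds:", loopback_self_test())
    # Then point the NFO syslog/JSON output at this host and port (5140 is an assumed
    # placeholder) and watch for anything at all arriving:
    for rec in listen_udp("0.0.0.0", 5140, 60):
        print(rec["peer"], rec["kind"], rec["json"] or rec["body"])
```

Once any datagram from the NFO host shows up here, the output path is proven and a quiet SIEM can be read as "no DDoS pattern detected"; until then, treat silence as an unverified configuration rather than a clean bill of health.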