Understanding IPFIX, IE 315 & SPM: Complementary Telemetry for Modern Networks
## IPFIX vs. IE315/SPM: Flow Telemetry Architectures for DDoS Detection

### 1. Framing: What DDoS Detection Demands from Telemetry

#### The Traditional Paradigm: Splitting the Defense

Traditionally, DDoS defense was a game of architectural division. Network operators split attacks into two categories based on how they were most efficiently managed: volumetric floods and application-layer exploits. For Layer 3 and 4 volumetric floods (like UDP amplification / reflection blasts), the primary goal was protecting core bandwidth. Every day, core performance is handicapped by a perpetual barrage of short-term, high-frequency attack traffic. The collective effect of these attacks is significant and can be difficult to count effectively or efficiently. On a particularly bad day, a large flood carried into the core will actually overwhelm interface links between routers. For an enterprise this translates to lost availability, while for a service provider it could break tier-one services like DNS or simply degrade customer experience.
Consequently, these attacks were detected and policed at the outermost network edge. Operators monitored basic NetFlow metadata from edge routers to spot massive packet-per-second spikes, then used high-throughput ACLs or BGP routing redirections to drop or scrub the raw volume before it could enter the core network.

Conversely, Layer 7 application attacks required an entirely different philosophy. Because these threats mimic legitimate user traffic (like malicious HTTP GET floods), standard edge routers could not see them. Efficiency demanded moving the defense inline, right at the point of convergence closest to the target application. This allowed an inline Web Application Firewall (WAF) or local application proxy to step in. Because it sat directly in the traffic path, the WAF possessed the cryptographic and processing capacity to decrypt TLS traffic, inspect deep packet headers, analyze cookies, and issue JavaScript challenges to weed out bots from human users.
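The edge-router packet-rate check described above, as an added example that is not part of the original article: it bins constructed NetFlow/IPFIX-style flow records into one-second windows per destination and flags windows whose packets-per-second rate exceeds both an absolute floor and a multiple of an EWMA baseline. The record schema, thresholds and sample addresses are assumptions, not values from the article.

```python
"""Added example: per-destination pps spike detection over flow records (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    # Minimal subset of the fields a flow exporter reports (assumed schema, not IPFIX IE names).
    start: int     # flow start timestamp, seconds since epoch
    dst: str       # destination address
    proto: int     # 17 = UDP, 6 = TCP
    packets: int   # packets counted in this flow record


def bin_pps(records, window=1):
    """Aggregate flow packet counts into per-destination, per-window packet rates."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r.dst][r.start // window * window] += r.packets
    return {dst: dict(sorted(w.items())) for dst, w in counts.items()}


def detect_spikes(series, alpha=0.3, factor=10.0, floor_pps=100_000):
    """Flag windows whose pps exceeds the absolute floor AND `factor` x the EWMA baseline.
    The baseline is updated only from unflagged windows, so a sustained flood does not
    teach the detector that flooding is normal (illustrative thresholds)."""
    alerts, baseline = [], None
    for ts, pps in series.items():
        if baseline is None:
            baseline = pps          # seed the baseline from the first observed window
            continue
        if pps >= floor_pps and pps > factor * baseline:
            alerts.append((ts, pps, baseline))
        else:
            baseline = alpha * pps + (1 - alpha) * baseline
    return alerts


def find_flooded_destinations(records):
    """Return {dst: [(window_start, pps, baseline_pps), ...]} for destinations with a spike."""
    return {dst: a for dst, s in bin_pps(records).items() if (a := detect_spikes(s))}


# Constructed sample: steady TCP traffic to 203.0.113.10, then a UDP flood onto 203.0.113.20.
SAMPLE = (
    [FlowRecord(1_700_000_000 + t, "203.0.113.10", 6, 800 + (t % 3) * 50) for t in range(10)]
    + [FlowRecord(1_700_000_000 + t, "203.0.113.20", 17, 1_000) for t in range(5)]
    + [FlowRecord(1_700_000_005 + t, "203.0.113.20", 17, 3_000_000) for t in range(5)]
)

if __name__ == "__main__":
    for dst, alerts in find_flooded_destinations(SAMPLE).items():
        for ts, pps, base in alerts:
            print(f"{dst}: {pps} pps at t={ts} (baseline {base:.0f} pps)")
```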