In depth

PacketDam uses a simple but very effective threshold algorithm, which periodically calculates packet, connection and byte rates for every active host. Appropriate measures are taken when the computed averages exceed the baseline defined in the configuration file.

BGP blackholing is the default action; once an attack is detected, an entry containing the victim’s IP address is added to the host system’s routing table. It is then redistributed to a border router by a daemon running on the monitoring system. The border router discards all packets targeting the victim. When the filter timer expires, PacketDam removes the static route and the border router restores Internet access to the victim. Whitelists can easily be implemented with route maps at either end of the BGP session.
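The threshold check and filter timer described above, as an added Python example (not PacketDam's own code): it counts packets, new connections and bytes per destination host over one interval, flags any host whose rate exceeds the baseline, and releases it when the timer expires. The class, its parameters, the baseline values and the sample traffic are all assumptions made for illustration; installing or withdrawing the blackhole route is left to the caller.

```python
from collections import defaultdict

class ThresholdDetector:
    """Per-host rate thresholds with a filter timer (all names hypothetical)."""

    def __init__(self, max_pps, max_cps, max_bytes_ps, interval, filter_time):
        self.limits = (max_pps, max_cps, max_bytes_ps)  # assumed baseline values
        self.interval = interval                        # seconds between tick() calls
        self.filter_time = filter_time                  # seconds a host stays filtered
        self.counts = defaultdict(lambda: [0, 0, 0])    # dst -> [packets, conns, bytes]
        self.filtered = {}                              # dst -> expiry timestamp

    def observe(self, dst, size, new_conn=False):
        c = self.counts[dst]
        c[0] += 1
        c[1] += int(new_conn)
        c[2] += size

    def tick(self, now):
        """Evaluate one interval; return (newly filtered, released) hosts."""
        added = []
        for dst, c in self.counts.items():
            rates = [n / self.interval for n in c]
            if any(r > lim for r, lim in zip(rates, self.limits)):
                if dst not in self.filtered:
                    added.append(dst)                   # caller installs the route here
                self.filtered[dst] = now + self.filter_time  # re-arm while over baseline
        released = [d for d, exp in self.filtered.items() if exp <= now]
        for d in released:
            del self.filtered[d]                        # caller withdraws the route here
        self.counts.clear()
        return added, released

def demo():
    """Constructed traffic: one flooded host, one normal host, then silence."""
    det = ThresholdDetector(max_pps=1000, max_cps=100, max_bytes_ps=1_000_000,
                            interval=10, filter_time=30)
    for _ in range(20_000):                             # 2000 pps of 64-byte packets
        det.observe("192.0.2.10", 64, new_conn=True)
    for _ in range(500):                                # 50 pps, well under baseline
        det.observe("192.0.2.20", 1200)
    return [det.tick(now=t) for t in (10, 20, 30, 40)]

if __name__ == "__main__":
    for t, (added, released) in zip((10, 20, 30, 40), demo()):
        print(f"t={t}s filter={added} release={released}")
```

Because the expiry is re-armed on every interval in which the host is still over the baseline, a filter is only lifted after a full `filter_time` of traffic below the thresholds.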

PacketDam can also interface with pre-existing filtering mechanisms through its simple XML-RPC API.

Companies connected to several Internet Exchanges have finer-grained control over filtering. By deploying PacketDam instances close to each Exchange, the victim can be isolated only from the prefixes advertised at that particular entry point, while remaining visible to the rest of the Internet.