FlowControl XND

The XND module uses NetFlow data to detect DDoS attacks on specific services performed by a monitored group of hosts, and enables the attacks to be blocked using BGP FlowSpec.

Key features of the module:

  • Detection of DDoS attacks based on flows, with different static and dynamic parameters
  • Use of an efficient algorithm to detect the start and end of a DDoS attack on a specific service
  • Use of the FlowSpec protocol for integration with edge routers to actively defend the organisation against DDoS attacks
  • Detection of multiple types of DDoS attack thanks to advanced mechanism setup options
  • Advanced analysis of attack characteristics with built-in DDoS dashboards

Examples of parameters used by FlowControl XND to detect a DDoS attack:

  • Number of source IP addresses
  • Number of network flows
  • Number of packets
  • Number of bytes
  • PPF (Packets per Flow)
  • BPP (Bytes per Packet)


  • Views are generated without the need for constant data reloading.
  • Processing 250,000 flows per second, retrieved from a network of any architectural complexity.
  • Negligible load on the network and network devices.
  • Scalable mass storage enables flexible management of data retention periods.


  • Alerts are generated on meeting pre-defined conditions, e.g. after exceeding the set limit for using a particular port or application traffic volume.
  • An alarm message is sent by email, Syslog or an SNMP trap.


  • Presentation of data relating to the entire network, groups of parameters or individual parameters (port, interface, host, IP) in any time window.
  • Easy top-down access – with just a single click, the drilldown mechanisms enable viewing of data for a specific port, interface or IP address.
  • Searching for data in the system using analysis tools similar to Google search.
  • Maintaining the time context and filters between views.
  • The possibility of saving complex search filters and time context (bookmarks).
  • The XND module uses NetFlow data to detect DDoS attacks on specific services performed by a monitored group of hosts. The system analyses DDoS parameters within the defined time frames and enables a service to be blocked via FlowSpec.


  • Separate accounts for the system administrator and users allow their respective permissions to be determined with greater precision.
  • Authentication through the LDAP protocol or a RADIUS service.
  • Special views enable diagnosis of FlowControl system performance, including CPU and RAM load levels and the state of mass storage.


Article: Network flow monitoring as an important source of data for detecting DoS attacks

Jacek Grymuza explains why network flow analysis works excellently for detecting DoS attacks, in particular volumetric attacks and protocol attacks.

Copyright 2021 Sycope Ltd. All rights reserved.