Hacker News

Impressive performance and integration. What proprietary products is this disrupting?


None, but it's a nice alternative for those on a small budget who would otherwise have nothing at all.


Ok, so what's missing? What does the company that bridges that gap look like?

"This personal computer looks like a nice alternative for companies with a small budget for a mainframe who would otherwise have nothing at all"


FastNetMon is kind of a hammer: inbound traffic to $x is exceeding bps or pps threshold -> trigger mitigation for $x (i.e. a remote blackhole). This is generally good enough to defend against the least sophisticated and most common attacks such as NTP, SSDP, DNS amplification attacks. Then there's a long tail of other attack types that are not volumetric in nature and are more difficult to detect. That's a big part of what you pay for when you buy a commercial solution.

Then once an attack has been identified you want to specify mitigation policies: Customer A gets full mitigation, but customer B needs to be blackholed instead. If an attack is smaller than 10Gbps you want to simply insert some flowspec rules into your edge routers, but if the attack pattern is too random you will have to redirect a /32 to a specialized scrubbing device instead. Larger attacks you might want to announce through a DDoS protection service so you announce the /24 containing that IP address to your DDoS protection service to reduce bandwidth on your own uplinks, and so on. I could go on, I hope you get the idea :)
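The detect-then-choose-a-mitigation flow described in the comment above, as an added example (not part of the thread and not FastNetMon code). The host groups, the 80% dominant-signature cut-off used to decide whether a pattern is "too random" for flowspec, the action names and the sample flows are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

GBPS = 10**9
# Hypothetical host groups: detection threshold and mitigation tier per customer.
GROUPS = {
    "customer_a": {"net": "198.51.100.0/24", "bps": 1 * GBPS, "full": True},
    "customer_b": {"net": "203.0.113.0/24", "bps": 2 * GBPS, "full": False},
}
FLOWSPEC_MAX_BPS = 10 * GBPS  # the comment's "smaller than 10Gbps"
DOMINANT_SHARE = 0.8          # assumed cut-off for "pattern is too random"

def group_of(dst):
    addr = ipaddress.ip_address(dst)
    return next((g for g in GROUPS.values()
                 if addr in ipaddress.ip_network(g["net"])), None)

def decide(flows, window_s=1):
    """flows: (dst_ip, proto, src_port, bytes) tuples seen in one window."""
    by_sig = defaultdict(Counter)
    for dst, proto, sport, nbytes in flows:
        by_sig[dst][(proto, sport)] += nbytes
    actions = {}
    for dst, sigs in by_sig.items():
        nbytes = sum(sigs.values())
        bps, g = nbytes * 8 / window_s, group_of(dst)
        if g is None or bps <= g["bps"]:
            continue  # unknown host or under threshold: no mitigation
        (proto, sport), top = sigs.most_common(1)[0]
        if not g["full"]:
            actions[dst] = ("blackhole", f"{dst}/32")
        elif bps >= FLOWSPEC_MAX_BPS:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            actions[dst] = ("announce_to_ddos_service", str(net))
        elif top / nbytes >= DOMINANT_SHARE:
            actions[dst] = ("flowspec", f"dst {dst}/32 {proto} src-port {sport}")
        else:
            actions[dst] = ("redirect_to_scrubber", f"{dst}/32")
    return actions

# Constructed one-second window (documentation addresses, bytes per flow).
SAMPLE = [
    ("198.51.100.10", "udp", 123, 500_000_000),   # NTP reflection, ~4 Gbps
    ("198.51.100.10", "tcp", 40000, 10_000_000),
    ("198.51.100.20", "udp", 53, 2_000_000_000),  # 16 Gbps
    ("203.0.113.5", "udp", 1900, 400_000_000),    # 3.2 Gbps, customer B
    ("198.51.100.30", "tcp", 443, 1_000_000),     # normal traffic
] + [("198.51.100.40", "udp", p, 10_000_000) for p in range(1024, 1074)]
```

`decide(SAMPLE)` returns one action per destination over its group threshold; the second tuple element is a human-readable description of the rule, not router configuration syntax.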


It's correct only partially :) Recently I released support for host groups (custom entities with different thresholds): https://fastnetmon.com/2015/07/07/per-subnet-thresholds/

As a next step I could offer custom rules for mitigation depending on host group name.


Got it, thanks. Interesting. So do the usual router suspects (Cisco, Juniper etc) own this market? Does Google/AWS roll their own solutions? Any interesting startups taking them on?


Arbor Networks (now part of Netscout) is the incumbent in this area. Kentik is the disruptive SaaS-based startup.


Radware, Nsfocus, A10 Networks also here.


Yes, it's really perfect for small companies who could not buy expensive filtering boxes. They could cover most popular attacks with it.



