
Author: Alex Barsamian

Deep network visibility and security in AWS VPC

By Alex Barsamian | May 9, 2018


AWS VPC is (nearly) a wonder of the world

Most networking in the AWS VPC cloud is familiar and intuitive to network engineering veterans. And if you think about that, that’s kind of a miracle. All you have to do is pick a region, declare a VPC, and suddenly you have an internal IP space, Elastic IPs for communicating with the world, and virtual routers, firewalls, NAT devices, and more.

All these abstractions behave uncannily like the brick-and-mortar hardware they’re modeling, making them easy to reason about and design with. And interaction with them is neatly packaged up as APIs, command-line tools, and a mostly decent user interface, enabling network engineers to forget many of the arcane details they used to have to worry about (“how do I configure a VLAN on a Nexus 5000?”).

The black boxes are so nice and shiny that it’s easy to forget all the engineering under the hood. The trouble with black boxes, though, is that sometimes what’s inside surprises you. And sometimes you need a little more control than the knobs, switches, and ports on the outside of the box.

This is especially true in network security and visibility, where 1) your threat detection platforms and analysis tools absolutely need real-time, forensically-accurate network data, and 2) your analysts need access to first-class tools across the whole network, especially the stuff in the cloud.

The state of flow monitoring in AWS

Recognizing those two needs, about a year ago I released a free AWS Lambda tool to convert and forward Cloudwatch flow logs to Netflow v5. My honest hope was that people would use it to forward their VPC traffic from AWS to their favorite flow analysis platform and use that to do some good in the world (and perhaps that some of those might discover FlowTraq and find a new favorite).

Based on customer feedback, the biggest issue with this approach is the reliance on Cloudwatch logging. Cloudwatch flow logging is an AWS abstraction with some pretty serious limitations, the biggest one being that AWS only promises flow logs every ten minutes or so, and even then the promise isn’t a strong one.

Ten minutes’ lag time before detecting a DDoS attack or other security incident isn’t that far from not detecting it at all. It became clear we needed to take another approach to the AWS VPC security problem.

(Incidentally, while Google was late to the party having just rolled out their version of VPC flow logs a few weeks ago, they really showed Amazon up here, with flow updates every five seconds. I plan to discuss their offering in a future post.)

When the built-in options aren’t enough

If you’re committed to the AWS ecosystem, where do you go from here? Well, in a traditional network environment, if your existing hardware doesn’t support flow generation, you have a couple options:

  • If you can get a network tap in there, generate flow off of that.
  • If you can’t, put a device in-line and generate flow off of that. The simpler the device, the better; the best case would be a simple layer 2 bridge doing Proxy ARP.

Unfortunately, there’s no abstraction for a tap in the AWS VPC. So the first option is out.

As for the second option: it turns out you can’t build a working bridge in AWS, either. That marvelous simplicity-in-complexity that is AWS that I was referring to earlier? It means that some networking concepts don’t translate. In this case the concept that isn’t a perfect match for on-premises networking is ARP.

In an AWS VPC, when host “A” ARPs for host “B” the response doesn’t come from “B”. In fact, the initial request never even arrives at “B”. It’s captured and handled by something called the “AWS mapping service”. Simply put, there isn’t a traditional broadcast domain in AWS at all. No, not even between machines on the same VPC subnet!

(Want to learn more about the mapping service and other AWS engineering marvels? Check out Eric Brandwine’s talk “A Day in the Life of a Billion Packets” at AWS re:Invent 2013. It’s fascinating stuff!)

What this means is, to get real-time, forensically accurate, reliable flow out of AWS VPCs we actually need to roll our own router instance. Yes, really. It’s not as bad as it sounds, and it will start paying dividends in networking security right away.



FlowTraq excited to join Manchester, NH Technology Ecosystem

By Alex Barsamian | February 22, 2017


Big news! FlowTraq will be relocating our headquarters to Manchester, NH later this month.

Why the move? There is tremendous tech talent in Southern New Hampshire, and within this environment, there is currently no better place to be than in the Millyards in Manchester.

With strong presences from local universities, such as UNH and SNHU, Manchester offers an environment that is surrounded by talented students who are looking to take the next step in their career. The “go where the talent is” strategy is clearly successful – many industry leaders such as Sitecore, Dyn/Oracle, AutoDesk, DEKA, and more all have offices in the Millyards.

(Photo courtesy of Amy Chhom)

“FlowTraq may have been born in Lebanon, NH, but Manchester is home,” says Vincent Berk, CEO of FlowTraq. “I’ve been networking with people in Manchester for so long now that the Millyard really is the epicenter for where I go to discuss my business. It became clear to me that FlowTraq would benefit from being here. We are thrilled to be joining this technology ecosystem.”

FlowTraq provides network security and DDoS mitigation management software solutions for organizations that need to protect their networks, customers, and data. FlowTraq works with some of the largest organizations – and the largest networks – in the world. Major enterprises, government contractors, and universities all rely on FlowTraq to protect themselves, their data, their clients, and their students.

FlowTraq is currently in the process of renovating its new headquarters, but will soon call 155 Dow Street its new permanent home.

Ready to experience FlowTraq for yourself?

To learn more about how FlowTraq can help your business, reach out today to schedule a demo or try FlowTraq yourself free for 14 days.

10 Tips for Surviving the Zombie Apocalypse

By Alex Barsamian | February 13, 2017


The FlowTraq team was recently at the RSA 2017 conference. While there, we enjoyed a great event learning, networking, and…helping you defeat zombies.

In this case, “zombies” are computers or Internet devices that get taken over by hackers and turned against you by launching DDoS attacks. To help you protect yourself, we have compiled a list of “10 Tips for Surviving the Zombie Apocalypse”.

10 Tips for Surviving the Zombie Apocalypse

In the movie Zombieland, a virus turns most of the population into zombies, and the world’s surviving humans remain locked in an ongoing battle against the hungry undead. Four survivors band together and follow a list of proven survival rules and zombie-killing strategies as they make their way to a rumored safe haven.

Here is an updated version of Zombieland’s 10 rules of keeping you and your network optimally prepared for the ongoing zombie botnet apocalypse.

Tip #1: “Cardio”

Preparation is everything. When your cyber apocalypse comes, you have to be in great physical shape. This means you need to deploy today the defenses you may need tomorrow. And when it comes to zombie botnets launching DDoS attacks, our reference to good cardio means three things:

  • Visibility: You must have complete visibility into everything in your network, not sampled data, and not just at the border. You also need full fidelity, where every record counts. Why? Because in the hunt for zombie devices, the control-channel communications are extremely small, and tend to go missing when using sampled flow.
  • Defenses: This means egress filtering on all your devices. If the source is not your net block, drop it. Most DDoS attacks rely on spoofing the source address. Often the spoofed source address is that of the attack’s target (for reflection/amplification attacks). You are simply a good Internet neighbor by dropping any packet that has a spoofed source address.
  • Offenses: On-prem bad-packet scrubbing. Discarding any packet that is a protocol anomaly goes a long way in mitigating inbound and outbound DDoS. Look for same source and destination IP, protocol zero, no TCP flags, etc.
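As an added illustration (not FlowTraq code), the Defenses and Offenses checks applied to flow records: a flow leaving the network whose source is outside our netblocks, or any flow with the same source and destination, protocol zero, or TCP with no flags, is flagged with the reason it would be dropped. The netblocks and sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical netblocks this network announces (used for egress filtering).
OUR_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int        # IP protocol number (6 = TCP, 17 = UDP, 0 = reserved/anomalous)
    tcp_flags: int    # cumulative TCP flags seen on the flow; 0 for non-TCP flows
    direction: str    # "egress" (leaving our network) or "ingress" (arriving)


def check_flow(rec: FlowRecord) -> Optional[str]:
    """Return the reason this flow would be dropped, or None if it passes.

    The order mirrors the post: protocol anomalies first (same src/dst IP,
    protocol zero, TCP with no flags), then egress filtering (a packet leaving
    our network must carry one of our own source addresses).
    """
    src = ipaddress.ip_address(rec.src)
    dst = ipaddress.ip_address(rec.dst)
    if src == dst:
        return "same source and destination IP"
    if rec.proto == 0:
        return "protocol zero"
    if rec.proto == 6 and rec.tcp_flags == 0:
        return "TCP with no flags"
    if rec.direction == "egress" and not any(src in net for net in OUR_NETBLOCKS):
        return "spoofed source (not in our netblock)"
    return None


def filter_flows(records: List[FlowRecord]) -> Tuple[list, list]:
    """Split records into (passed, dropped); dropped entries carry their reason."""
    passed, dropped = [], []
    for rec in records:
        reason = check_flow(rec)
        if reason is None:
            passed.append((rec, None))
        else:
            dropped.append((rec, reason))
    return passed, dropped


# Constructed sample flows, one per case the post lists plus two legitimate flows.
SAMPLE_FLOWS = [
    FlowRecord("203.0.113.10", "198.51.100.20", 6, 0x12, "egress"),   # normal outbound TCP (SYN/ACK)
    FlowRecord("10.9.8.7", "192.0.2.50", 17, 0, "egress"),           # source not ours: spoofed egress
    FlowRecord("192.0.2.1", "192.0.2.1", 17, 0, "ingress"),          # same source and destination
    FlowRecord("192.0.2.9", "203.0.113.10", 0, 0, "ingress"),        # protocol zero
    FlowRecord("192.0.2.9", "203.0.113.10", 6, 0, "ingress"),        # TCP with no flags at all
    FlowRecord("192.0.2.9", "203.0.113.10", 6, 0x02, "ingress"),     # ordinary inbound SYN
]

if __name__ == "__main__":
    ok, bad = filter_flows(SAMPLE_FLOWS)
    for rec, reason in bad:
        print(f"DROP {rec.src} -> {rec.dst} proto {rec.proto}: {reason}")
    print(f"{len(ok)} passed, {len(bad)} dropped")
```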

Tip #2: “Always Double Tap”

Once you catch a zombie, you will need to put it down. But re-imaging of the host is not enough. The hacker got in once – do you understand how? Can it be prevented from happening again? Understanding the attack vector, and closing it off permanently, is critical.

Preventing re-infection is a delicate game. You need to ensure you get all of them, because shutting zombies down will get noticed by the controlling hacker. This means he or she might change tack, and you lose your advantage. So when you identify the attack vector, make sure you close it down for all systems in your network!

The very best technique to ensure you understand the vector is simply inspecting your network traffic for the zombie device for the last couple of weeks or months. Full-fidelity flow is ideal for this effort since it is lightweight, and can give months of history for relatively little storage.

Full packet capture can also be helpful here. Ideally, you should attempt to understand the mechanisms of the zombie with insight into the hacker’s IP address/es, ports used, and the timing of the communication. This way you can quickly infer if ports need to be closed, IPs need to be blocked, passwords need to be reset, or applications need to be patched.

Tip #3: “Beware of Bathrooms”

Think quick: What is your most vulnerable position? In Zombieland, it is bathrooms, but it is a little more difficult to figure out on your network.

Remember that hackers don’t care what a particular box is, and what function it serves in your network. They search for any way in, which usually leads to the forgotten machine getting hacked first. And once in, the zombie infection spreads quickly. Weak credentials, bad internal security defenses, and bad patching practices allow one zombie to quickly become many zombie computers in your network.

So, to stick with the metaphor, beware of bathrooms and take a disciplined approach to applying security best practices. This will help you:
  • Educate: Educate your co-workers to recognize phishing email attempts, be suspicious of downloaded applications, and err on the side of caution.
  • Update: Update your operating systems and software. Once inside your network, zombie infections propagate through common exploits and weak credentials. Religiously apply patches to both operating systems and their software programs.
  • Separate: Separate your systems and resources. This is perhaps the least obvious rule, but it is very important. Eventually an infection happens, a vulnerability is exploited, or someone accesses a hacked device or connects a VPN from their compromised home computer. A hacker will get in. At that point, you want to make sure it is as difficult as possible for the hacker to move laterally. Deploy internal firewalls, enforce strong access controls, and keep key resources separated.

Tip #4: “Buckle Up”

Always be safe, which in this case means backing up your systems. This may seem obvious, but it’s often overlooked.

When the going gets tough, and you realize that half of your network is under control of an evil hacker, you may not have much of a choice but to throw a tactical nuke. Re-image all systems, restore your data, and get your organization operational again as soon as possible. But make sure you back up data separately from operating environments. Your OS backup may contain the “puppet master’s” evil control code.

Another common trick that zombies will perform is to encrypt all your data, and then ask you to pay some bitcoin to get the password to decrypt it (aka ransomware). So be extremely smart in your backup strategy – keep physically separate copies that go back many revisions. If you do daily backups, make sure you also have weekly and monthly backups. If the ransom is too expensive, you can also consider restoring from backup.

Finally, to make sure you understand how the ransomware zombies got on your network in the first place, refer back to Tip #2: “Always Double-Tap.”

Tip #5: “Travel Light”

This one should be obvious. The more stuff on your network, the bigger the chance that your network could become a fertile breeding ground for large numbers of zombie devices.

However, this is not easy to avoid. As organizations move through projects, products, and various deliverables, new equipment, servers, and services are added. Similarly, holes are poked in firewalls, accounts may be shared, and credentials may be compromised.

But do you take them away when they are no longer needed? Most firewalls carry old rules that are no longer needed. Networks are stacked with older servers and services. And with the proliferation of virtualization, the number of servers quickly spun up (“just so we can try it”) has exploded, especially those that use weak or frequently re-used passwords for easier access.

The problem is that few are ever shut down, and all of them run on powerful hardware. The strategy to overcome this challenge is a two-step process:

1. Put policies in place that track servers, applications, and accounts and enforce a planned expiration on all of them.
2. Conduct regular searches of network activity through skillful cyber hunting. This is important because all connected systems wind up communicating something on the network from time to time, even when they’re not in use.

So make sure you clean it up, clean it out, and travel light to give yourself a better chance of outrunning the zombie apocalypse.

Tip #6: “Don’t be a Hero”

Everyone likes the idea that some flashy new tool will do the job for you. No one likes the grind – the effort required to educate, update, and separate.

But it is the grind that is your best defense. After all, the groundwork in keeping your network resilient is extremely valuable when the zombie computers start popping up. Spend time each and every day hunting for bad guys in your network. Cyber hunting may seem like busy work, but the effort helps you learn much more about your network as you do, and you will soon start to recognize the good from the bad.

There’s little glory in prevention. When you catch that botnet and shut it down – successfully preventing massive downtime – few will cheer your victory. But cyber hunting prevents the agony of dealing with the aftermath: late nights cleaning up as zombies relentlessly blast their traffic while executives are forced to make nerve-wracking moves to limit brand damage.

Remember to:
  • Hunt for zombies daily
  • Patch often
  • Back up frequently

Don’t be a hero. Do your legwork and stay prepared!

Tip #7: “Limber Up”

In this tip, the idea of limbering up means to use overcapacity and plenty of reserves.

Your ability to weather a storm is directly proportional to the reserves you have in your environment. Although this may seem counter-intuitive, having overcapacity actually helps you in the fight against zombie botnets attempting a DDoS attack. Lots of capacity typically means that zombies can whip up a bigger DDoS attack. But when CPU capacity is plentiful, networks have plenty of overcapacity and firewalls and scrubbers are over-provisioned, giving you the tools you need to keep your organization operating under duress.

Typically, network capacity is plentiful, as are system CPU resources. But what is often overlooked is the capacity of routers, switches, and firewalls to handle bandwidth. Their CPU power is a bit restrained, and although their links have plenty of capacity, the devices are unable to move packets fast enough. One more tip here: To determine your breaking point, run a small DDoS attack from one segment of your network to another. (But just make sure you do this during off-hours!)

Tip #8: “Know Your Way Out”

Have a backup plan. Or, even better, have three!

When the going gets tough, and you feel you might be losing the battle, make sure you have a plan to evade. This can include alternate internet paths, offsite data storage, and well-documented playbooks that can easily be followed by less-skilled helpers.

Here are a few more details on each of these topics:
  • Create alternate internet paths: This could be as simple as the wifi network at the local coffee shop, or as sophisticated as load-balanced redundant internet paths.
  • Take advantage of offsite data storage: Any operational data that can be stored off-site, including redundant email systems (think “cloud”), database-driven applications, or even backup file storage. It is a good practice to architect a business so that it may operate after a loss of access to the premises.
  • Write well-documented playbooks: This one is very important. An ounce of preparation here can make a huge difference. You should create playbooks for a variety of processes and procedures, including using off-site or redundant resources as well as cleaning up, re-imaging, and remaining operational. Make sure they contain concise instructions that can be followed by people with less technical skills. Practice your playbooks, and don’t be afraid to test your plans ahead of time with scheduled fire drills.

Tip #9: “The Buddy System”

When attempting to keep your network safe, don’t go it alone. Even when resources are constrained, try to pull in someone whose job is not necessarily a full-time network defender. By having a second set of eyes, you may pick up on patterns that you previously missed. Have each other’s back at all times. Also, remember that computers are not inherently evil, and they don’t hack each other by themselves. You are always hunting down a bad guy somewhere, and he/she is the one orchestrating this attack!

As you work with a partner, try to explain what a botnet is, how zombie computers work, and what you can do to catch them and shut them down. This can be very helpful in getting the two of you on the same page and even help find new ways to hunt. Sharing access to visibility tools allows others to pick up on patterns you may miss and accelerates investigations when you do catch something.

Tip #10: “Check Your Back Seat”

In Zombieland, this meant always checking the back seat of any car, just so you were never surprised when you were most vulnerable.

The same rule applies to cyber security. Once you catch a zombie on your network, stay cool, and study it carefully. Find out how it is communicating with the hacker. All of this represents your network’s “back seat” so make sure you check everything you can.

Then, using what you have learned by observing the zombie, details such as the IP addresses it talks to, the ports it uses, the timing of the communications, and any other information you can find, you can quickly start searching for other systems in your network with the exact same behavior. For this, you use full-fidelity flow data.

When you are going to take the fight to your adversaries, make sure you know where they all are. Then take them down all at once. It usually doesn’t take the hacker long to notice that his zombie devices are dropping, and he may switch tactics, or even stop completely.

Bonus: Tip #11: “Enjoy the Little Things”

We realize this was a list of 10 tips, but we wanted to give you one more. With the constant stress of staying alive in today’s world of zombies, it is important to take a moment to smell the roses. Pausing should also serve as a grave reminder that the people behind the zombies may adapt, so what you did to protect yourself yesterday may not be enough for tomorrow. There are no silver bullets, and just as Rule #3 advises (“Don’t be a Hero”), you need to prepare yourself to do the work.

We hope these tips will truly help you avoid the zombie apocalypse. To keep a reminder of these tips, please download our Top 10 Zombie Tips infographic now.

Ready to fight Zombies?

To learn more about DDoS Mitigation, reach out today to schedule a demo or try FlowTraq yourself free for 14 days.

Why FlowTraq is the Global Leader in Network Insight, Analysis, and DDoS Mitigation – Plus, a Closer Look at our Partnership with A10 Networks

By Alex Barsamian | January 26, 2017


FlowTraq has been a trusted partner of network clients since our founding in 2004. And in the decade since, we’ve worked with systems admins, CISOs, and network operators to provide the most complete – and flexible – solutions for threat detection and mitigation on the market.

Not only were we the first to bring network analysis to the cloud for Big Data analysis, we have built our cybersecurity solutions on a best-in-class Distributed Denial of Service (DDoS) threat detection and mitigation technology. FlowTraq allows network operators to prevent disruptions to service and outages from DDoS and other malicious threats. We also give them the data and proficiency to conduct deep dives into their network flow that is necessary to improve the security of their networks.

Network operators face a variety of challenges as they maintain and optimize performance, guard against external and internal threats, and anticipate and architect for the capabilities of the future. DDoS traffic is intentionally generated to take out online services for a host of reasons: ego, extortion, or reprisal. Vigilant security requires knowing what traffic behavior is occurring on the network, what traffic types are involved, and where in the network your normal and abnormal traffic is occurring. Knowing what path this traffic takes allows you to respond intelligently and decisively.

FlowTraq’s long-standing partner relationship with A10 Networks underscores how our joint expertise provides a flexible, scalable, and affordable solution for flow-based network insight, analysis, and DDoS mitigation. More, it is just one example of the network partnerships that we have successfully deployed. In fact, FlowTraq and A10 Networks will be co-sponsoring an event together at RSA this February. (Send us an email at to get your name on the list!)

Here’s How It Works

As traffic traverses the network, it is monitored by FlowTraq, which receives flow samples from routers in various parts of the network and determines traffic baselines. When a network anomaly is detected, FlowTraq, using A10’s RESTful API interface, tells the Thunder TPS line of Threat Protection Systems which protected object is under attack as well as which mitigation action is required.

A10’s Thunder TPS device, in turn, instructs the network to redirect the malicious traffic to the Thunder TPS. The traffic gets scrubbed of the malicious components, and legitimate traffic is forwarded to the target server.

The integration between FlowTraq Enterprise and the Thunder TPS solution is best in class and one of the most effective and scalable ways to protect your network from bad actors. In near real time, network traffic patterns are analyzed, accessed, and presented to gain insight and provide protection against DDoS attacks.
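The detect-then-instruct loop described above, as an added example that is not FlowTraq’s or A10’s code: per-protected-object traffic baselines are learned from flow samples with an exponentially weighted mean and variance, an interval that leaves its baseline produces a mitigation decision naming the protected object, and intervals judged anomalous are not fed back into the baseline. The protected objects, the flow samples and the shape of the decision record are hypothetical; the real Thunder TPS API is not modelled.

```python
import ipaddress
import math
from dataclasses import dataclass

# Constructed, hypothetical protected objects: the things a scrubber would be told to defend.
PROTECTED_OBJECTS = {
    "web-frontend": ipaddress.ip_network("203.0.113.0/24"),
    "dns-resolvers": ipaddress.ip_network("198.51.100.0/24"),
}


@dataclass
class Baseline:
    """Exponentially weighted mean and variance of bits seen per sampling interval."""
    alpha: float = 0.2
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0

    def update(self, x: float) -> None:
        if self.samples == 0:
            self.mean = x
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.samples += 1

    def is_anomalous(self, x: float, k: float = 4.0, min_samples: int = 5,
                     floor: float = 1_000_000) -> bool:
        # No verdict until there is enough history; ignore objects below an absolute floor
        # so a quiet host cannot trip the detector on a handful of bits.
        if self.samples < min_samples or x < floor:
            return False
        return x > self.mean + k * math.sqrt(self.var)


class Detector:
    def __init__(self) -> None:
        self.baselines = {name: Baseline() for name in PROTECTED_OBJECTS}

    def observe(self, flows):
        """flows: (dst_ip, byte_count) pairs sampled during one interval.
        Returns mitigation decisions for every protected object that left its baseline."""
        bits = {name: 0 for name in PROTECTED_OBJECTS}
        for dst, nbytes in flows:
            addr = ipaddress.ip_address(dst)
            for name, net in PROTECTED_OBJECTS.items():
                if addr in net:
                    bits[name] += nbytes * 8
        decisions = []
        for name, x in bits.items():
            base = self.baselines[name]
            if base.is_anomalous(x):
                # Hypothetical instruction the orchestrator would hand to a scrubber.
                decisions.append({"protected_object": name,
                                  "action": "redirect_to_scrubber",
                                  "observed_bits": x,
                                  "baseline_bits": round(base.mean)})
            else:
                base.update(x)  # only learn from normal intervals, so an attack cannot poison the baseline
        return decisions


def run_constructed_scenario():
    """Ten quiet intervals (about 10 Mb each) for web-frontend, then a 500 Mb burst, then quiet again.
    dns-resolvers stays flat throughout. Returns (quiet decisions, burst decisions, after decisions)."""
    det = Detector()
    quiet_mbits = [10, 11, 9, 10.5, 9.5, 10, 10.5, 9.5, 10, 10]
    quiet = [det.observe([("203.0.113.10", m * 125_000), ("198.51.100.5", 250_000)])
             for m in quiet_mbits]
    burst = det.observe([("203.0.113.10", 500 * 125_000), ("198.51.100.5", 250_000)])
    after = det.observe([("203.0.113.10", 10 * 125_000), ("198.51.100.5", 250_000)])
    return quiet, burst, after


if __name__ == "__main__":
    _, burst, _ = run_constructed_scenario()
    for d in burst:
        print(d)
```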

Deploying Thunder TPS with FlowTraq Enterprise provides:

Deep traffic analysis: FlowTraq provides insight at any level of your network traffic flows: border, core, and edge.

Automated detection and mitigation: Easily escalate suspect traffic to one or more Thunder TPS devices for further traffic validation and DDoS mitigation. FlowTraq analyzes normal network patterns and automatically determines when an anomaly is occurring. Thunder TPS quickly eliminates DDoS traffic, whether volumetric or targeted on the application layer or both.

All the benefits of a single pane of glass: FlowTraq becomes the operator’s eyes and ears into the mitigation by showing exactly how each TPS is doing, and how the attack is affecting all your network resources, from uplink to edge. By orchestrating the DDoS mitigation, FlowTraq allows the operator to interact in real-time with the attack, ensuring minimal impact of the DDoS attack.

Optimal latency: With FlowTraq and Thunder TPS, a dynamic and reactive deployment model can be deployed. FlowTraq continuously monitors the traffic and establishes baselines, and provides rapid detection of anomalies with no added latency. Thunder TPS can dynamically be inserted when necessary.

Additional Benefits of our Relationship with A10 Networks

FlowTraq is a full-fidelity security tool. When the going gets tough, and the bad guys get in, FlowTraq has all the data. You can cyber-hunt with speed and efficiency to find out what happened, when, and where your data went. Even during heavy DDoS attack, full-fidelity data is a powerful asset to fine-tune your mitigation and traffic routing.

FlowTraq scales to fit. This means you can deploy big or small to best fit your budget. Cloud or on-prem. Many small links? Then build an on-prem scrubbing center with A10 TPS, and let FlowTraq be your traffic cop. Big service in the cloud? FlowTraq will comfortably handle a 1.2Tbps scrubbing cluster built with TPS.

Use FlowTraq to gain new levels of insight and visibility in your peering relationships. Understand where your traffic is going and where it is coming from. Tailor your mitigation strategy to handle the many small threats, the few big, and one monster attack. Only the visibility from FlowTraq gives you the power to take control.

Deploy efficiently and on schedule with a dedicated Technical Account Management team. FlowTraq has the experience to ensure successful deployment. We can help maximize and tune the TPS capabilities, which includes everything from generating net flow on high volume networks to integrating full visibility and control into your existing tools.

If you are evaluating the A10 TPS for DDoS mitigation, you should also talk to a member of the FlowTraq team to make the most of your deployment.

To learn more about how FlowTraq partners with A10 Networks, or to discuss how our solutions can work for your network or infrastructure, please contact me directly at or signup for a free 14-day trial.


3 Cyber Security Trends to Focus on in 2017

By Alex Barsamian | January 4, 2017


If you are a celebrity or a rock star, 2016 was a dangerous year. It was an even more difficult year to be an IT security professional, with cyber attacks and the associated costs continuing to rise.

What will 2017 bring? Many experts have already predicted top security trends for 2017, such as eWeek’s recent security slideshow featuring 17 different security experts forecasting their top cyber security trends for 2017.

One thing is clear: We all will face new challenges, a higher number of attacks, and require even more network visibility as cyber criminals are sure to introduce more advanced threats. As a result, IT security teams and business operations will have to work together very closely to ward off cyber-attacks in 2017.

After reviewing many of these lists and predictions, we believe the following three trends are the most likely to produce new threats.

1) An increase in vulnerabilities resulting from the Internet of Things (IoT).

In mid-October, the Mirai code was released on the Internet targeting smart devices. It resulted in an unprecedented distributed denial of service (DDoS) attack that disrupted web services giants such as Twitter and Spotify.

With nearly 5,000 new smart devices connecting to the Internet each minute, you can expect potential attackers to focus on opportunities like the Mirai code to launch more DDoS malware in 2017. Any smart device can become a significant vulnerability, from Android and iOS smartphones to fitness trackers and Bluetooth speakers. These attacks can happen quickly, requiring constant vigilance and immediate action.

2) DDoS attacks will escalate in frequency and damage.

Not the trend you were hoping to see, but the reality is that according to Akamai, DDoS attacks increase 125% year over year and 2017 is expected to be the same. For proof, consider the findings from a recent Cisco report, “The Zettabyte Era—Trends and Analysis”[1]:

– DDoS attacks have increased more than 2.5 times over the last three years.
– Globally, the number of DDoS attacks grew 25 percent in 2015 and will increase 2.6-fold to 17 million by 2020.
– The average size of DDoS attacks is approaching 1 Gbps, which is enough to take most organizations completely off line.

As described above, the Mirai code attack in October will likely embolden criminals lured by the potential disruption it managed to produce. Criminals also know that solutions deployed to protect against DDoS are often installed and forgotten, with most organizations not having sufficient resources to proactively monitor activity and scrutinize logs for early warning signs. It’s a vulnerability criminals simply won’t ignore.

3) The security skills shortage continues – particularly for cyber hunters.

With breaches at corporations and agencies rising uncontrollably, it is inevitable that customers will lobby for better protection and stronger privacy legislation. It is likely that the FTC will become an increasingly active player, depending in large part on what position President-elect Trump chooses to take on the issue of cybersecurity and increased privacy regulations.

That may not be good news for corporations already having a hard time recruiting security experts to help fortify their efforts. Professionals who understand how to secure an organization against a growing number of vulnerabilities are scarce, which means most organizations are only managing to plug holes as new threats surface every day.

Attracting and developing new talent will continue to be a challenge, as will identifying cost-effective security solutions to bridge the gaps. For example, many experts suggest that organizations should be much more proactive in using cyber hunters to identify threats that exist in the organization and eliminate them now – before it’s too late. Companies will need to give cyber hunters the right tools they need to be successful in this role.

The FlowTraq Advantage

Fortunately, FlowTraq’s network monitoring, analysis, and forensics tools provide complete visibility into what’s happening on your network so you can mitigate the risks of DDoS and enforce security policies. With real-time alerts into abnormal, potentially suspicious behavior, you get the information you need to take action without delay.

[1] Cisco, “The Zettabyte Era—Trends and Analysis,” June 2, 2016.


Ready to experience FlowTraq for yourself?

Sign up for your free, no-obligation trial now! Set-up is fast and easy, and once you get started, your security will never be the same.

Welcome to the DDoS Battle, AWS!

By Alex Barsamian | December 7, 2016


Recently, during their re:Invent conference, Amazon Web Services announced AWS Shield, which offers both free and premium DDoS mitigation services.

We at FlowTraq wanted to take a moment and welcome Amazon to the DDoS protection space. There are many different types of attacks, as we have outlined in the past, and AWS Shield will end up being a strong name in the space in the months and years to come.

Attacks like the DNS one that was witnessed in October 2016 will become more and more common, and the complexity of the attacks will only increase. CISOs and NOC teams will need better diagnostics into what has occurred – and by whom. Tools such as FlowTraq will be used to provide insight, and to prove that their providers like AWS Shield have performed the mitigation they’ve claimed.

In addition to protecting you from DDoS, consider using VPC flow logs to feed FlowTraq and understand the full spectrum of security threats that your instances are facing. FlowTraq consumes the flow logs and offers the full spectrum of peering analysis, security detection, and traffic monitoring that customers are familiar with for their in-house infrastructure, all of which is available to their cloud deployed hosts. Read more about how to get started with AWS VPC flow logs in FlowTraq.

Fighting these DDoS attacks isn’t always about having the biggest weapon, but rather, having the appropriate arsenal and the right tools in your tool belt.

So today, we say to AWS: welcome to the battle!



Getting Started with AWS VPC flow logs in FlowTraq

Alex Barsamian
By | June 10, 2016


We make pretty extensive use of Amazon Web Services at FlowTraq. We host a significant percentage of both our public cloud and private cloud offerings in EC2, and prospective customers are delighted to hear that we will support them with optimized configurations, best practices, and more if they want to run their own FlowTraq instance in Amazon’s data centers.

Until recently, however, network visibility in AWS was a bit of a blind spot. But last year AWS added the ability to generate CloudWatch logs of network flows to and from your EC2 hosts.

Unfortunately, the logs are not in IPFIX format, the de facto standard of modern network flow reporting, or any other common format, but in a proprietary text format. So feeding AWS “netflow” directly into an off-the-shelf flow analyzer is a non-starter.

Fortunately, AWS also offers a clever feature called Lambda, which lets you run a snippet of code in response to an event (such as the generation of a CloudWatch log). The code runs on the AWS infrastructure, but not on a particular EC2 host, and you have your choice of a JavaScript, Java, or Python runtime environment. You pay by the request and by the millisecond.

So we can architect a fairly simple solution: write a Lambda script that responds to the generation of a VPC Flow log and puts the log information on the wire, addressed to a destination IP and TCP port of our choosing. On that destination we run a listener that grabs the information, repackages/converts it to IPFIX, and forwards it to FlowTraq for analysis.

AWS VPC flow logs into FlowTraq

As far as we know, what follows is the best and easiest way to get AWS EC2 CloudWatch logs converted to IPFIX for NetFlow analysis, in FlowTraq or otherwise!


If you haven’t already, set up an AWS CloudWatch Flow log IAM role and a log stream for the virtual interface you want to monitor, per the AWS VPC Flow Logs User Guide.

The Lambda script

The Lambda script is pretty simple:

var zlib = require('zlib');
var net = require('net');

exports.handler = function(event, context) {
    // CloudWatch Logs delivers the subscription payload to Lambda as
    // base64-encoded, gzip-compressed JSON in event.awslogs.data
    var payload = new Buffer(event.awslogs.data, 'base64');
    zlib.gunzip(payload, function(e, result) {
        if (e) {
            context.fail(e);
        } else {
            // configuration: the listener host's public IP and the TCP port it accepts on
            var host = '';       // substitute the IP of your listener host
            var port = 20555;

            var message = new Buffer(result.toString('utf8'));

            var client = new net.Socket();
            client.connect(port, host, function() {
                client.write(message, function() {
                    // close the connection so the listener sees end-of-stream
                    client.end();
                    context.succeed();
                });
            });
            client.on('error', function(err) {
                context.fail(err);
            });
        }
    });
};

There are two configuration variables to consider, namely the destination IP and TCP port to send the logs to. Substitute the IP of the host you plan to run the listener on (which may be, but need not be, the same as your FlowTraq server, but in any event must have a public IP) and a port that your firewall will let external IPs connect to.

Create a Lambda function and paste that bit of JavaScript into it.

The listener

As they’re emitted by our Lambda script, there’s some JSON giftwrap around the log lines, which themselves look like this:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

On the other hand, FlowTraq’s IPFIX exporter expects inputs as follows:

client ip, port, server ip, port, protocol, client packets, client bytes, server packets, server bytes, start time, end time, exporter ip, application name

Python’s good for many things, but it’s great for 1) creating a lightweight TCP server, 2) parsing JSON, and 3) manipulating strings.

These three tasks turn out to be the bulk of what’s required of a listener, and we can accomplish our goal in just a few dozen lines of code.

import json
import socket
import sys

# Configuration: the address and TCP port to listen on (match the Lambda script),
# and the IP to report as the flow exporter in FlowTraq. The values below are
# placeholders; use a distinct exporter IP for each VPC or host you monitor.
LISTEN_IP = '0.0.0.0'
LISTEN_PORT = 20555
EXPORT_AS_IP = '10.0.0.1'


def printLogEvents(jsonFormat):
    data = json.loads(jsonFormat)
    logEvents = data['logEvents']
    for logEvent in logEvents:
        message = logEvent['message']
        messageSplit = message.split()
        if len(messageSplit) < 12 or messageSplit[3] == '-':
            # NODATA/SKIPDATA records carry no usable flow fields; skip them
            continue

        # rearrange the fields from the VPC's log format to ftsq's input format,
        # setting the <- bytes/packets to 0, the application to "unknown"
        # and the exporter IP to the IP configured above
        ftsqFormat = ""
        ftsqFormat = ftsqFormat + messageSplit[3] + ","
        ftsqFormat = ftsqFormat + messageSplit[5] + ","
        ftsqFormat = ftsqFormat + messageSplit[4] + ","
        ftsqFormat = ftsqFormat + messageSplit[6] + ","
        ftsqFormat = ftsqFormat + messageSplit[7] + ","
        ftsqFormat = ftsqFormat + messageSplit[8] + ","
        ftsqFormat = ftsqFormat + messageSplit[9] + ","
        ftsqFormat = ftsqFormat + "0" + ","
        ftsqFormat = ftsqFormat + "0" + ","
        ftsqFormat = ftsqFormat + messageSplit[10] + ","
        ftsqFormat = ftsqFormat + messageSplit[11] + ","
        ftsqFormat = ftsqFormat + EXPORT_AS_IP + ","
        ftsqFormat = ftsqFormat + "\"unknown\""
        print(ftsqFormat)
    # ftsq reads our stdout through a pipe; don't leave lines sitting in the buffer
    sys.stdout.flush()


sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((LISTEN_IP, LISTEN_PORT))
sock.listen(5)

while True:
    connection, client_address = sock.accept()

    jsonFormat = b""

    # the Lambda writes one JSON document and closes; read until end-of-stream
    while True:
        chunk = connection.recv(1024)
        if chunk:
            jsonFormat = jsonFormat + chunk
        else:
            break
    connection.close()

    if jsonFormat:
        printLogEvents(jsonFormat.decode('utf8'))

This time there are three configuration variables to consider. As before, an IP and TCP port to listen on, which ought to line up with the Lambda script. In addition, you must specify the IP to use as the exporter IP, which is how the flows will appear in FlowTraq. If you want to monitor multiple EC2 hosts or VPCs, you should use different exporter IPs to distinguish them.

Putting it all together

Set up the VPC flow log stream and the Lambda script, and subscribe the Lambda function to the flow log group as its event source. Then, on your listener host, invoke the listener script and pipe its output to the "ftsq" command. The parameters to put ftsq in exporter mode are:

./ftsq -read -ipfix collector-ip port


./ftsq -read -ipfix 4739

Therefore, use the long-lived command

python | ./ftsq -read -ipfix 4739

to get the VPC Flow logs into FlowTraq.

The next time CloudWatch generates a batch of flow log files, you should see a new exporter appear in FlowTraq with those flows. Et voilà!
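To try the conversion described above without an AWS account, here is an added example (not code from the original post or from FlowTraq) that does in one place what the Lambda script and the listener do between them: it unwraps a CloudWatch Logs subscription event (base64 text holding gzip-compressed JSON, the `event.awslogs.data` structure the Lambda receives) and rewrites each VPC flow log line into the ftsq exporter input format. It goes slightly beyond the listener by skipping NODATA/SKIPDATA records, whose address fields are "-". The exporter IP, account id, log group and the three sample flow records are constructed placeholders.

```python
import base64
import gzip
import io
import json

# Placeholder exporter IP: FlowTraq will show the converted flows under this address.
EXPORT_AS_IP = "198.51.100.10"

# VPC flow log (version 2) field order, as documented by AWS and used by the listener.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")


def decode_awslogs_event(event):
    """Unwrap a CloudWatch Logs subscription event as a Lambda receives it:
    event["awslogs"]["data"] is base64 text holding a gzip'd JSON document."""
    raw = base64.b64decode(event["awslogs"]["data"])
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        return json.loads(gz.read().decode("utf8"))


def flow_line_to_ftsq(line, exporter_ip=EXPORT_AS_IP):
    """Convert one VPC flow log line into FlowTraq's ftsq exporter input line.
    Returns None for NODATA/SKIPDATA records, which carry no addresses."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK" or rec["srcaddr"] == "-":
        return None
    # VPC records describe one direction only, so the server->client packet and
    # byte counters are reported as 0, exactly as the listener does.
    return ",".join([
        rec["srcaddr"], rec["srcport"],
        rec["dstaddr"], rec["dstport"],
        rec["protocol"],
        rec["packets"], rec["bytes"],
        "0", "0",
        rec["start"], rec["end"],
        exporter_ip,
        '"unknown"',
    ])


def convert_event(event, exporter_ip=EXPORT_AS_IP):
    """Decode an awslogs event and return the ftsq lines it yields, in order."""
    data = decode_awslogs_event(event)
    out = []
    for log_event in data["logEvents"]:
        ftsq = flow_line_to_ftsq(log_event["message"], exporter_ip)
        if ftsq is not None:
            out.append(ftsq)
    return out


def make_awslogs_event(messages):
    """Build a constructed subscription event from plain log lines, wrapped the
    way CloudWatch wraps them (JSON -> gzip -> base64), for offline testing."""
    doc = {
        "messageType": "DATA_MESSAGE",
        "owner": "123456789012",                 # constructed account id
        "logGroup": "vpc-flow-logs",             # constructed log group name
        "logStream": "eni-0000000000000000-all", # constructed stream name
        "logEvents": [{"id": str(i), "timestamp": 0, "message": m}
                      for i, m in enumerate(messages)],
    }
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(doc).encode("utf8"))
    return {"awslogs": {"data": base64.b64encode(buf.getvalue()).decode("ascii")}}


# Constructed sample records: an accepted TCP flow, a rejected one, and a NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0000000000000000 10.0.1.5 203.0.113.7 49152 443 6 12 3456 1465000000 1465000059 ACCEPT OK",
    "2 123456789012 eni-0000000000000000 198.51.100.9 10.0.1.5 40000 22 6 3 180 1465000000 1465000059 REJECT OK",
    "2 123456789012 eni-0000000000000000 - - - - - - - 1465000000 1465000059 - NODATA",
]

if __name__ == "__main__":
    for line in convert_event(make_awslogs_event(SAMPLE_LINES)):
        print(line)
```

Note that, like the listener, this passes REJECT records through unchanged; the action field is simply dropped, so denied connection attempts show up in FlowTraq as ordinary flows with whatever packet and byte counts the VPC recorded.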


10 Rules: Zombie Survival Guide Infographic

Alex Barsamian
By | March 17, 2016


Learn the 10 Tips for Surviving the Zombie Apocalypse. These ‘Zombies’ are computers or devices that are under hacker control. Hackers collect vast armies of zombies which they use to launch DDoS attacks.


Alex Barsamian
By | November 21, 2013


Using FlowTraq, NH SAU70 Achieves a Perfect Balance Between Streaming Needs and Internet Abuses

This NH school unit firmly believes in enhancing education by giving faculty and students access to Internet resources, but also needed to ensure that movies and other copyrighted material are not illegally downloaded and shared. This requirement was particularly challenging because of the school’s policy of allowing end users to access the wireless network with their own devices, including smartphones, tablets and laptops.

Georgian College

Alex Barsamian


Using FlowTraq, Georgian College Quickly Identifies and Remediates Network Performance and Security Issues

Established in 1967 and based in Ontario, Canada, with seven campuses, Georgian College has consistently generated one of the highest graduate employment rates among Ontario colleges for more than a decade. Student enrollment averages more than 10,000 full-time students per year and includes close to 500 international students from 33 countries. The college employs approximately 750 full-time and 1,500 part-time staff.
