Attack detection using Collector

Collector is currently in beta testing and active development.

For all comments and suggestions, please write to support.

Scenario Overview

Collector lets you detect attacks without directing traffic to MITIGATOR, and enable protection for individual policies (protected resources).

Autodetection provides two main features:

  • Enable and disable countermeasures depending on the traffic in the policy according to flow sources.
  • Assign and remove BGP announcements that direct traffic to the policy via MITIGATOR.

Global MITIGATOR countermeasures can be enabled and disabled based on thresholds associated with counters on device interfaces and their combinations.

The functionality is advanced and is currently not available from the interface.

Interaction settings

For integration, you must have a working MITIGATOR and Collector that accepts flow from network devices. Scheme of interaction with default parameters:

Collector Setup

All settings are made through environment variables, which are set in the .env file. The picture and listing show the same default values:




Ports for IPv6 traffic are set automatically to one more than the corresponding IPv4 port. For example, for NetFlow v5, port 9556 is used for IPv6 by default.


On the MITIGATOR side, the list of Collector units is configured via the web interface or API. For example, to match the parameters in the picture, specify the address collector-backend.mitigator and port 8853.