Why do I see traffic volumes on my DDoS Dashboard when I'm not sending any traffic through Silverline? Such as this image:
- Silverline DDoS
- DDoS Dashboard
- Network Traffic
Notice in the screenshot above that all of the traffic shown is Incoming (pre-scrubbing) and there is no visible traffic on the Incoming (post-scrubbing) data series.
F5 Silverline uses Netflow data collection tools to monitor traffic both before any scrubbing action occurs and after. These two flow collection areas represent the pre-scrubbing and post-scrubbing data series in the graph.
The pre-scrubbing Netflow collection is processed on ALL traffic passing through Silverline for all customers. What this means is that pre-scrubbing flow data will be shown on the timeline when either the source or destination of the traffic matches the customer's configured prefixes in the Silverline portal.
This does not indicate that traffic is being processed by Silverline to mitigate and return to the specific customer. It indicates that other customers on the Silverline network have traffic flows that interact with this customer's prefixes.
This is considered normal behavior and is indicative of the visibility that Silverline provides to all users of the DDoS Protection service.
DDoS Dashboard With Traffic Routed through Silverline
If a routed customer were to advertise prefixes to Silverline such that attack traffic would be mitigated and only clean traffic transmitted to the customer, the timeline graph would look like the following:
Note that there is both Incoming (pre-scrubbing) traffic and Incoming (post-scrubbing) traffic shown on the data series.
- The Incoming (post-scrubbing) traffic is collected via Netflow after mitigation actions have occurred
- and this traffic will be passed along (post-scrubbing) to the customer via GRE or whatever configured method.
NOTE: The Clean Traffic calculated for customer billing purposes does not include the Incoming (pre-scrubbing) traffic volumes.