10 Gigabit DDoS Mitigation
nScrub is a DDoS mitigation engine based on PF_RING ZC able to operate at 10 Gbps line-rate using commodity hardware.
nScrub can be deployed as a bump in the wire (transparent bridge) or as a router (to be used with BGP diversion techniques), either in asymmetric mode (i.e. mitigating only one traffic direction, from the Internet to the protected network) or in symmetric mode (i.e. mitigating traffic from the Internet to the protected network while also forwarding the outbound traffic).
nScrub has been designed as an extensible platform: third parties can define additional traffic mitigation algorithms to be used alongside those shipped with nScrub.
nScrub provides a REST API for configuring the engine, combined with a shell-like CLI tool with auto-completion.
Multi-Layer Traffic Enforcement
- Active sessions verification for protocols including TCP and DNS
- Flexible subnet blacklists and whitelists
- DNS check: force TCP, etc.
- ACL-like policies based on UDP/TCP/ICMP fields
- Signature-based filtering, HTTP requests filtering
- Anomaly detection based on traffic behavior
- Rate limiting based on source, destination, protocol
- Traffic checkers are implemented as plugins, so that third parties can define their own checkers for specific protocols.
- Ingress traffic is split among several virtual mitigators based on the destination IP address, so that traffic enforcement policies can be specified per destination subnet
- Each virtual mitigator is bound to traffic enforcement profiles: default, white, black, gray. Each profile contains a traffic enforcement configuration (e.g. SYN check=yes, ICMP Drop=No) and applies to source IPs according to the corresponding list (white/black/gray).
- Global or per-destination bypass mode
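The following is an added illustration of the policy model described in the list above (destination-based virtual mitigators, per-source-list profiles, per-source rate limiting, global and per-destination bypass). It is not nScrub code: the engine's real data structures, profile semantics and the exact precedence between the white, black and gray lists are not documented here, so all class names, fields, sample subnets and thresholds are assumed. The TCP session verification handshake itself is also out of scope; the example only shows how a verified session changes the forwarding decision.

```python
"""Toy model of per-destination virtual mitigators with white/black/gray profiles.

Added illustration only (not nScrub's code); names, fields and sample values
are assumed. Addresses use the RFC 5737 / RFC 2544 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    """Enforcement configuration for one source class (assumed field names)."""
    syn_check: bool = True                 # forward TCP only for verified sessions
    icmp_drop: bool = False
    udp_pps_limit: Optional[int] = None    # per-source UDP packets/second
    blocked_udp_ports: frozenset = frozenset()
    drop_all: bool = False                 # e.g. the black profile


@dataclass
class VirtualMitigator:
    """Policy bundle for one protected destination subnet."""
    subnet: ipaddress.IPv4Network
    profiles: Dict[str, Profile]           # keys: default, white, black, gray
    white: List[ipaddress.IPv4Network] = field(default_factory=list)
    black: List[ipaddress.IPv4Network] = field(default_factory=list)
    gray: List[ipaddress.IPv4Network] = field(default_factory=list)
    bypass: bool = False                   # per-destination bypass

    def profile_for(self, src):
        # Assumed precedence: black wins over white, white over gray.
        for name in ("black", "white", "gray"):
            if any(src in net for net in getattr(self, name)):
                return name, self.profiles[name]
        return "default", self.profiles["default"]


class TokenBucket:
    """Per-source packet-rate limiter: `rate` tokens/s, burst of `rate` packets."""
    def __init__(self, rate):
        self.rate, self.tokens, self.last = rate, float(rate), 0.0

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Scrubber:
    def __init__(self, mitigators, global_bypass=False):
        # Most specific destination subnet first, so it wins the lookup.
        self.mitigators = sorted(mitigators, key=lambda m: m.subnet.prefixlen, reverse=True)
        self.global_bypass = global_bypass
        self.sessions = set()              # (src, dst) pairs that passed the TCP check
        self.buckets = {}                  # (subnet, src) -> TokenBucket

    def mark_verified(self, src, dst):
        """Record a TCP session that passed verification (mechanism not modelled)."""
        self.sessions.add((ipaddress.ip_address(src), ipaddress.ip_address(dst)))

    def decide(self, pkt, now=0.0):
        """Return ("forward" | "drop", reason) for a parsed packet dict."""
        if self.global_bypass:
            return "forward", "global bypass"
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        vm = next((m for m in self.mitigators if dst in m.subnet), None)
        if vm is None:
            return "forward", "no mitigator for destination"
        if vm.bypass:
            return "forward", "mitigator bypass"
        name, prof = vm.profile_for(src)
        if prof.drop_all:
            return "drop", f"{name} list"
        proto = pkt["proto"]
        if proto == "icmp" and prof.icmp_drop:
            return "drop", "icmp drop"
        if proto == "tcp" and prof.syn_check and (src, dst) not in self.sessions:
            return "drop", "unverified tcp session"
        if proto == "udp":
            if pkt["dport"] in prof.blocked_udp_ports:
                return "drop", f"udp port {pkt['dport']} blocked"
            if prof.udp_pps_limit is not None:
                bucket = self.buckets.setdefault((vm.subnet, src), TokenBucket(prof.udp_pps_limit))
                if not bucket.allow(now):
                    return "drop", "udp rate limit"
        return "forward", f"{name} profile"


def build_demo():
    """Constructed sample: one protected /24 with a strict default profile."""
    strict = Profile(syn_check=True, icmp_drop=True, udp_pps_limit=2,
                     blocked_udp_ports=frozenset({53}))
    trusted = Profile(syn_check=False, icmp_drop=False)
    vm = VirtualMitigator(
        subnet=ipaddress.ip_network("203.0.113.0/24"),
        profiles={"default": strict, "white": trusted,
                  "black": Profile(drop_all=True), "gray": strict},
        white=[ipaddress.ip_network("192.0.2.0/24")],
        black=[ipaddress.ip_network("198.51.100.0/24")],
    )
    return Scrubber([vm])
```

`build_demo()` returns a scrubber whose protected subnet drops unverified TCP, drops ICMP, blocks UDP/53 and limits other UDP to two packets per second per source, while whitelisted sources skip the SYN check and blacklisted sources are dropped outright; packets to destinations with no virtual mitigator pass through untouched.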
Transparent Bridge Mode
Running nScrub in transparent bridge (Bump-In-The-Wire) mode requires zero configuration.
Running nScrub in routing mode lets you mitigate attacks on demand and at remote locations using BGP diversion.
Hardware and Software Bypass
Hardware bypass, when supported by the underlying hardware, ensures that nScrub has no impact on the infrastructure in case of system failure. Software bypass lets you temporarily disable any protection policy at the desired granularity.
Traffic Visibility and Historical Data
Web-based RRD-style historical graphs, combined with PCAP dumps on request triggered by an event-driven scriptable engine, provide full visibility into DDoS attacks. nScrub can export sampled or full good/bad/all traffic to external virtual devices for analysis.
nScrub has been benchmarked using a PF_RING ZC-based traffic generator simulating real traffic from a SYN flood and UDP-based amplification attacks. In all tests the smallest packet size (60-byte) has been used, to evaluate system performance in the worst-case scenario (10 Gigabit line rate at 14.88 Mpps).
| Benchmark | Traffic | In Rate | Processed | Out Rate | Loss |
|---|---|---|---|---|---|
| Forward All | 64-byte UDP | 14.88 Mpps (10 Gbit/s) | 14.88 Mpps | 14.88 Mpps | 0% |
| TCP Session Check | 78-byte SYN Flood | 12.25 Mpps (10 Gbit/s) | 12.25 Mpps | 0 Mpps | 0% |
| UDP Port Drop | 64-byte UDP | 14.88 Mpps (10 Gbit/s) | 14.88 Mpps | 0 Mpps | 0% |
| UDP Rating (1 Mpps) | 64-byte UDP | 14.88 Mpps (10 Gbit/s) | 14.88 Mpps | 0.9 Mpps | 0% |
| Blacklist (8K CIDR) | 64-byte UDP | 14.88 Mpps (10 Gbit/s) | 14.88 Mpps | 0 Mpps | 0% |
The table above shows the result of a worst-case performance test using:
- nScrub 10G (native PF_RING ZC support)
- Ubuntu Linux 16.04
- PF_RING 6.6.X
- Intel E5-1660 v4 CPU with DDR4 2400 memory (only 4 CPU cores have been used)
- Intel X520 Dual 10 Gigabit Network Adapter
nScrub is distributed under an EULA and requires one license per system. Licenses are available in various flavours depending on the speed and the number of target servers nScrub can handle.
| Speed | 1 Gigabit | 1 Gigabit | 10 Gigabit | 10 Gigabit | 10 Gigabit |
|---|---|---|---|---|---|
| Servers | Up to 10 | Unlimited | Up to 10 | Up to 100 | Unlimited |
If you are a non-profit institution or a university, you can have nScrub at no cost (although donations are welcome): please drop us an email from your organisation account explaining why you qualify.