Introducing nScrub: Powerful yet Affordable DDoS Mitigation


ntop has always tried to make the Internet a better place by developing many open-source network monitoring tools, and releasing all the software at no cost to non-profit and educational users. A few years ago, Qurium/VirtualRoad, a Swedish foundation offering secure hosting to independent online news outlets and human rights organisations, contacted us. The reason was that after years of mitigating attacks using proprietary appliances and servers running customised Linux kernel code based on netfilter, they reached the conclusion that those solutions were not affordable, or flexible, or fast enough. Their experience with the “scrubbing market” over the years has always been full of frustrations: lack of transparency, overpriced solutions, vendor lock-in, poor documentation, expensive support, lack of interest in tracking the attacks…

The day they wanted to upgrade the infrastructure to handle 40 Gbps attacks, they were confronted with the sad reality: they could not even dream of affording it. Since then, they invested their energy in understanding what was needed to build the best traffic scrubber: the magic that identifies and drops bad traffic at very high speeds. The first obvious finding was the need for a technology capable of moving packets between the interfaces of an affordable network adapter at line-speed, without using too many CPU cycles. That’s when they reached us at ntop and a new adventure started. In a few months we drafted, prototyped, and created the roadmap for a multi-tenant scrubbing system, “nScrub”.

nScrub is a software-based DDoS mitigation tool based on PF_RING ZC, our flexible packet processing framework, able to operate at 10 Gbps line-rate using commodity hardware (Intel NICs and standard servers). Every packet that reaches nScrub interacts with more than twenty filters and scrubbing algorithms developed to mitigate known Denial of Service attacks against web applications, game servers and DNS servers.

Key features:

  • Transparent bridge (bump-in-the-wire) or routing (BGP diversion) working mode
  • Hardware bypass support
  • Multitenancy, to protect heterogeneous services
  • Historical data
  • Web-based RRD-style historical graphs
  • PCAP dump on request
  • Event-driven scriptable engine
  • Active sessions verification for protocols including TCP and DNS
  • Flexible blacklists and whitelists
  • Firewall-like filtering
  • Anomaly detection based on traffic behavior
  • Pattern matching, HTTP filtering
  • Rate limiting based on source, destination, protocol
  • Plugins support for easy extensibility

Today, which is World Press Freedom Day, we are glad to release nScrub 1.0. All the information for getting started is available at the nScrub page. As usual, nScrub is free for non-profit and educational users.