DDoS Mitigation System

nScrub is a DDoS mitigation system based on PF_RING ZC, able to operate at 10 Gigabit/s line-rate using a low-end system, and scale to Terabit/s building a modular architecture.

nScrub can be implemented as bump in the wire (transparent bridge) or as router (to be used with BGP diversion techniques), both in asymmetric mode (i.e. mitigate only one traffic direction, from Internet to the protected network) or symmetric mode (i.e. mitigate from Internet to the protected network, but also forward the outbound traffic).

nScrub has been designed as an extensible platform, meaning that it can be extended for the definition of new additional algorithms for traffic mitigation, to be used in addition to those part of nScrub.

nScrub provides a REST API for configuring the engine, combined with a shell-like CLI tool with auto-completion.

Key Features

Multi-Layer Traffic Enforcement

  • Active sessions verification for protocols including TCP and DNS
  • Flexible subnet blacklists and whitelists
  • DNS check: force TCP, etc.
  • ACL-like policies based on UDP/TCP/ICMP fields
  • Signature-based filtering, HTTP requests filtering
  • Anomaly detection based on traffic behavior
  • Rate limiting based on source, destination, protocol
  • Traffic checkers are implemented as plugins, so that third parties can define their own checkers for specific protocols.


  • Ingress traffic is split towards several virtual mitigators, based on the destination IP address, this way it is possible to specify traffic enforcement policies per destination subnet
  • Each virtual mitigator is bound to traffic enforcement profiles: default, white, black, gray. Each profile contains a traffic enforcement configuration (e.g. SYN check=yes, ICMP Drop=No) and applies to source IPs according to the lists (white/black/gray).
  • Global or per-destination bypass mode

Transparent Bridge Mode

Running nScrub in transparent bridge (Bump-In-The-Wire) mode requires zero configuration.

Routing Mode

Running nScrub in routing mode lets you mitigate attacks on demand and on remote locations using BGP diversion.

Hw and Sw Bypass

Hardware bypass, when supported by the underlying hw, ensures that nScrub will have no impact in the infrastructure in case of system failures. Software bypass lets you temporarily disable any protection policy with the desired granularity.

Traffic Visibility and Historical Data

Web-based RRD-style historical graphs, combined with PCAP dump on request triggered by an event-driven scriptable engine, guarantee full visibility on DDoS attacks. nScrub is able to export sampled/full good/bad/all traffic to external virtual devices for analysis.


nScrub has been benchmarked using a traffic generator based on PF_RING ZC simulating real traffic from a SYN flood and UDP-based amplification attacks. In all the tests the smallest packet size has been used (60-byte), to evaluate the system performance in the worst case scenario (10 Gigabit line-rate at 14.88 Mpps).

Benchmark Traffic In Rate Processed Out Rate Loss
Forward All 64-byte UDP 14.88 Mpps (10 Gbit/s) 14.88 Mpps 14.88 Mpps 0%
TCP Session Check 78-byte SYN Flood 12.25 Mpps (10 Gbit/s) 12.25 Mpps 0 Mpps 0%
UDP Port Drop 64-byte UDP 14.88 Mpps (10 Gbit/s) 14.88 Mpps 0 Mpps 0%
UDP Rating (1 Mpps) 64-byte UDP 14.88 Mpps (10 Gbit/s) 14.88 Mpps 0.9 Mpps 0%
Blacklist (8K CIDR) 64-byte UDP 14.88 Mpps (10 Gbit/s) 14.88 Mpps 0 Mpps 0%

The table above shows the result of a worst-case performance test using:

  • nScrub 10G (native PF_RING ZC support)
  • Ubuntu Linux 16.04
  • PF_RING 6.6.X
  • CPU Intel E5-1660 v4 DDR4 2400 (only 4 CPU cores have been used)
  • Intel X520 Dual 10 Gigabit Network Adapter

Operating Systems



nScrub is distributed under the EULA and requires a license per system. Licenses are available in various flavours depending on speed and number of target servers nScrub can handle. Please note that the nscrub1g binary should be used with S and M licenses, the nscrub binary for the other models.

Link Speed 1 Gigabit 1 Gigabit 10 Gigabit 10 Gigabit 10+ Gigabit
Protected Servers Up to 10 Unlimited Up to 10 Up to 100 Unlimited

Get It

nScrub can be installed from packages.ntop.org, and licenses are available from shop.ntop.org. Please note nScrub leverages on ZC acceleration, thus PF_RING ZC is also required. Installation instructions are available in the User’s Guide.

If you are a non-profit institution or a university, you can have nScrub at no cost (even if your donations are welcome): please drop us a mail from your organisation account where you explain why you qualify.