nScrub

nScrub is a DDoS mitigation system leveraging PF_RING ZC to operate at 10 Gigabit/s, scaling to Terabit/s via a modular architecture.

Vendor: ntop

Product details

nScrub is a DDoS mitigation system designed to protect networks from distributed denial-of-service attacks. It utilizes PF_RING ZC for high-speed packet processing, achieving 10 Gigabit/s line-rate performance on commodity hardware and scaling to Terabit/s throughput through a modular design. nScrub can be deployed as a transparent bridge (bump in the wire) or as a router using BGP diversion techniques. It supports both asymmetric mitigation (protecting traffic from the Internet to the protected network) and symmetric mitigation (handling both inbound and outbound traffic). The system is built as an extensible platform, allowing for the addition of custom traffic mitigation algorithms via plugins. It offers a REST API for configuration and a shell-like CLI tool with auto-completion. nScrub provides multi-layer traffic enforcement, active session verification for protocols like TCP and DNS, flexible subnet blacklists and whitelists, DNS checks, ACL-like policies based on UDP/TCP/ICMP fields, signature-based filtering, HTTP request filtering, anomaly detection based on traffic behavior, and rate limiting based on source, destination, and protocol. It also offers multi-tenancy, allowing traffic to be split towards virtual mitigators based on destination IP address, enabling per-destination subnet traffic enforcement policies. Hardware bypass (if supported) and software bypass ensure minimal impact in case of system failures and allow temporary disabling of protection policies. The system provides web-based historical graphs and PCAP dump capabilities triggered by an event-driven scriptable engine for full visibility on DDoS attacks. nScrub can export sampled or full traffic to external virtual devices for analysis.

Features & Benefits

  • Multi-Layer Traffic Enforcement
    • Provides various traffic enforcement mechanisms.
    • Active sessions verification for protocols including TCP and DNS
    • Flexible subnet blacklists and whitelists
    • DNS check: force TCP, etc.
    • ACL-like policies based on UDP/TCP/ICMP fields
    • Signature-based filtering, HTTP requests filtering
    • Anomaly detection based on traffic behavior
    • Rate limiting based on source, destination, protocol
    • Traffic checkers are implemented as plugins, so that third parties can define their own checkers for specific protocols.
  • Multi-Tenancy
    • Enables traffic mitigation policies per destination subnet.
    • Ingress traffic is split towards several virtual mitigators based on the destination IP address, which makes it possible to specify traffic enforcement policies per destination subnet.
    • Each virtual mitigator is bound to traffic enforcement profiles: default, white, black, gray. Each profile contains a traffic enforcement configuration (e.g. SYN check=yes, ICMP Drop=No) and applies to source IPs according to the lists (white/black/gray).
    • Global or per-destination bypass mode
  • Transparent Bridge Mode
    • Requires zero configuration in Bump-In-The-Wire mode.
  • Routing Mode
    • Mitigates attacks on demand and on remote locations using BGP diversion.
  • Hardware and Software Bypass
    • Ensures minimal impact in case of system failures and allows temporary disabling of protection policies.
    • Hardware bypass, when supported by the underlying hardware, ensures that nScrub will have no impact on the infrastructure in case of system failures.
    • Software bypass lets you temporarily disable any protection policy with the desired granularity.
  • Traffic Visibility and Historical Data
    • Provides comprehensive traffic visibility and historical data.
    • Web-based RRD-style historical graphs, combined with PCAP dump on request triggered by an event-driven scriptable engine, guarantee full visibility on DDoS attacks.
    • nScrub is able to export sampled/full good/bad/all traffic to external virtual devices for analysis.