자체 네트워크에서 2초 이내에 DDoS 공격을 탐지하고 차단.

BGP Flowspec (RFC 5575) is a BGP extension that distributes granular traffic filtering rules across routers — similar to pushing ACLs via BGP, but with more granular match conditions. OcNOS supports Flowspec matching by source IP, destination IP, protocol, source/destination port, packet length, TCP flags, DSCP, and IP fragment type. When FastNetMon detects an attack, it pushes Flowspec rules to OcNOS via BGP in milliseconds. OcNOS installs these rules directly in the ASIC hardware, where they drop or rate-limit matching traffic at full line rate — with zero CPU overhead.

FastNetMon receives sFlow, NetFlow v5/v9, or IPFIX telemetry from OcNOS interfaces and continuously analyzes traffic against configurable per-host and per-subnet thresholds. When an anomaly exceeds the threshold — for example, a UDP flood exceeding 5 Gbps to a single destination — FastNetMon automatically triggers either a BGP Flowspec rule (for surgical, protocol-specific mitigation) or an RTBH blackhole route (for full prefix blackholing) via BGP to OcNOS. The detect-to-mitigate loop is automated and typically completes in under 2 seconds.

FastNetMon with OcNOS detects and mitigates the most common DDoS attack types: volumetric floods (UDP amplification, ICMP flood, raw bandwidth saturation), protocol attacks (SYN flood, TCP RST flood, fragmented packet attacks), and application-layer attacks detectable by flow analysis (DNS query floods, NTP amplification, Memcached amplification). BGP Flowspec can match on protocol, port, TCP flags, and fragment type for precise surgical mitigation. For volumetric attacks where precision is less important than speed, RTBH blackholing drops all traffic to the targeted prefix at the network edge.

Yes. OcNOS provides three independent DDoS mitigation mechanisms that work without FastNetMon: static hardware ACLs (ASIC-accelerated, zero CPU overhead) for permanent blocking of known bad actors; manual RTBH blackholing via BGP for operator-triggered prefix blackholing; and reception of BGP Flowspec rules from any standard BGP speaker. Operators with existing detection platforms — Arbor/Netscout, A10 Networks, Cloudflare Magic Transit, or Kentik — can use OcNOS as the enforcement plane, receiving Flowspec or RTBH commands from their existing detection system.

RTBH (Remotely Triggered Black Hole) blackholing works by advertising the targeted destination prefix via BGP with a next-hop pointing to a discard interface. All upstream routers that receive the RTBH advertisement will drop all traffic destined for that prefix at their edge — stopping attack traffic before it enters your network. RTBH is the right choice for high-volume volumetric attacks where stopping all traffic to a destination (including legitimate traffic) is acceptable to protect the rest of the network. BGP Flowspec is preferable when you need surgical mitigation — for example, blocking only UDP port 53 to a destination while allowing TCP traffic through. In practice, operators often start with RTBH for speed and switch to Flowspec for precision once the attack is characterized.

In-network mitigation complements or partially replaces scrubbing centers depending on the attack type and scale. For volumetric attacks targeting your own prefixes, OcNOS with FastNetMon provides faster response (sub-2-second) at lower cost than routing traffic through a scrubbing center — because the filtering happens in-line at the network edge in hardware ASICs. For very large attacks that saturate upstream links before reaching your routers, upstream RTBH with your transit providers combined with in-network Flowspec is the most effective approach. Managed DDoS service providers can also use OcNOS as the per-customer enforcement plane for per-customer Flowspec rules and thresholds.