OcNOS-SP  ·  FastNetMon  ·  BGP Flowspec  ·  RTBH

Detect and stop DDoS attacks in under 2 seconds. In your own network.

OcNOS with FastNetMon provides automated DDoS detection and mitigation directly at the network edge — no scrubbing center, no cloud diversion, no added latency. Attacks are detected via sFlow/NetFlow telemetry and mitigated at line rate in ASIC hardware.

Why In-Network DDoS Mitigation?

Scrubbing centers add latency and cost. Hardware-enforced Flowspec adds neither.

Traditional DDoS protection routes all traffic through an off-path scrubbing center — adding 10–50ms of latency for every packet, even during normal operation, and adding a per-Gbps cost for the scrubbing capacity. That model made sense when attacks were rare and detection was slow.

Today's attacks are faster, larger, and more frequent. OcNOS with FastNetMon puts the detection and mitigation logic directly into the network edge: sFlow/NetFlow telemetry streams from OcNOS to FastNetMon continuously; when an attack is detected, FastNetMon pushes BGP Flowspec rules back to OcNOS; OcNOS installs the rules in the ASIC hardware at line rate. The entire loop completes in under 2 seconds — and there is zero added latency for clean traffic.

Attack types detected and mitigated:

UDP Amplification, SYN Flood, TCP RST Flood, ICMP Flood, DNS Query Flood, NTP Amplification, Memcached Reflection, Volumetric Bandwidth Saturation, Fragmented Packet Attack

FastNetMon Integration — Production DDoS Detection Engine

FastNetMon Advanced is a production-grade DDoS detection system used by hundreds of ISPs and hosting providers globally. It consumes sFlow, NetFlow v5/v9, IPFIX, and port-mirror traffic from OcNOS, and triggers automatic mitigation actions with configurable per-host and per-subnet thresholds.

BGP Flowspec (RFC 5575) — Surgical Traffic Filtering

Match and filter attack traffic by source/destination IP, protocol, port, packet length, TCP flags, DSCP, and fragment type. Rules are pushed via BGP and installed in ASIC hardware in milliseconds — filtering at line rate with zero CPU overhead. Drop, rate-limit, or redirect matching traffic.

RTBH Blackholing — Fast Blunt-Force Protection

BGP-based blackholing for large volumetric attacks. Customer-triggered or auto-triggered via FastNetMon when traffic to a prefix exceeds threshold. RTBH routes propagate to upstream peers and transit providers — stopping attack traffic before it enters your network.

sFlow & NetFlow Telemetry — Continuous Traffic Visibility

OcNOS exports sFlow (RFC 3176), NetFlow v5/v9, and IPFIX from all edge interfaces — hardware-accelerated sampling with configurable sampling rates. Feeds FastNetMon for DDoS detection, and simultaneously feeds Kentik, PRTG, Prometheus, or any flow collector for traffic analytics.

Hardware ACL Filtering — Static, Zero-CPU Blocking

ASIC-accelerated Access Control Lists for permanent blocking of known bad actors — specific IPs, subnets, protocols, or ports. Rate limiting per-interface, per-VLAN, or per-prefix. Configured once, enforced in hardware permanently with no routing or processing overhead.

FastNetMon → OcNOS — automated response
1 — FastNetMon detects anomaly via sFlow
ALERT  UDP flood → 203.0.113.50
14 Gbps — threshold 5 Gbps exceeded
2 — FastNetMon pushes BGP Flowspec to OcNOS
POST /api/flowspec/rule
match: dst 203.0.113.50/32 proto UDP
action: rate-limit 100Mbps
→ rule installed in ASIC: 0.8s
3 — OcNOS enforces at line rate in hardware
Flowspec rules active: 14
Dropped (attack): 2.4M pkt/s
Rate-limited: 180K pkt/s
✓ clean traffic passing normally
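
The rule in the walkthrough above (dst 203.0.113.50/32, proto UDP, rate-limit 100 Mbps) as it is carried in BGP under RFC 5575: a Flowspec NLRI plus a traffic-rate extended community. This is an added example, not OcNOS or FastNetMon code; the function names are illustrative, and only "equals" matches and the one-byte NLRI length form are handled.

```python
import ipaddress
import struct

# Flowspec component type codes (RFC 5575, section 4)
DST_PREFIX, IP_PROTO, DST_PORT = 1, 3, 5

def prefix_component(ctype, cidr):
    """Prefix component: type, prefix length in bits, then only the bytes needed."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values):
    """Numeric component: (operator, value) pairs, each '== value', ORed together."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        size = 1 if v < 0x100 else 2        # value field is 1 or 2 bytes
        op = 0x01                            # eq bit
        op |= (size.bit_length() - 1) << 4   # length code: 0 = 1 byte, 1 = 2 bytes
        if i == len(values) - 1:
            op |= 0x80                       # end-of-list bit on the last pair
        out += bytes([op]) + v.to_bytes(size, "big")
    return bytes(out)

def flowspec_nlri(components):
    """Order components by ascending type and prepend the one-byte NLRI length."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) >= 240:
        raise ValueError("two-byte length form is not handled in this example")
    return bytes([len(body)]) + body

def traffic_rate(bits_per_second, asn=0):
    """Traffic-rate extended community (0x80, 0x06): 2-byte AS, then an IEEE
    float in bytes per second. A rate of 0 means drop."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bits_per_second / 8)

# Rule from the page's walkthrough: dst 203.0.113.50/32, proto UDP, 100 Mbps
NLRI = flowspec_nlri([numeric_component(IP_PROTO, [17]),
                      prefix_component(DST_PREFIX, "203.0.113.50/32")])
ACTION = traffic_rate(100_000_000)

if __name__ == "__main__":
    print("NLRI  :", NLRI.hex(" "))
    print("action:", ACTION.hex(" "))
```

The rate is carried in bytes per second, so 100 Mbps becomes 12,500,000; a detector that sends the bits-per-second figure unchanged installs a limit eight times looser than intended.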

FastNetMon — the detection engine

FastNetMon Advanced is a dedicated DDoS detection engine used by hundreds of ISPs globally. It integrates natively with OcNOS via BGP Flowspec and RTBH. Supports sFlow, NetFlow, and IPFIX with configurable per-host, per-subnet, and per-protocol thresholds.

<2s: Detect-to-mitigate loop — from sFlow anomaly to Flowspec rule in hardware
0ms: Added latency for clean traffic — filtering is in-line ASIC, not an off-path scrubber
0%: CPU overhead for hardware ACL and Flowspec enforcement — ASIC-accelerated
600+ Operator Deployments
60+ Countries
26 Years in Networking

Reference Architecture

In-network DDoS detection and mitigation — full topology

A complete picture of where each protection layer sits. Attack traffic from the internet hits the OcNOS edge routers, where sFlow telemetry continuously feeds FastNetMon. When FastNetMon detects an anomaly, it pushes BGP Flowspec or RTBH back to the edge — installed in ASIC hardware in milliseconds. Upstream peers can also receive RTBH announcements to drop attack traffic before it reaches your network.

[Figure: In-network DDoS protection topology with OcNOS edge and FastNetMon.] Attack traffic from botnet sources transits an upstream peer to two OcNOS-SP edge routers. The edge routers export sFlow and NetFlow telemetry to a FastNetMon detection engine. When an attack is detected, FastNetMon pushes BGP Flowspec or RTBH routes back to the edge routers via BGP, installing rules in the ASIC for line-rate filtering. Clean traffic continues to the protected customer or data center network. The upstream peer can also receive RTBH announcements over BGP to drop attack traffic before it ingresses the protected network.

Figure legend: attack traffic; clean traffic; sFlow / NetFlow telemetry; BGP Flowspec / RTBH (control plane).

Detect-to-mitigate loop shown in the figure: 1. Anomaly detected (FastNetMon: <1s). 2. BGP Flowspec push (FNM → OcNOS: ~200ms). 3. ASIC rule installed (OcNOS hardware: ~800ms). 4. Attack dropped at line rate (total loop: <2s · 0ms clean-traffic latency).

How It Works

From attack detection to traffic blocked — four steps

The entire detect-to-mitigate loop is automated. Once configured, no human intervention is needed to stop an attack.

1. Collect

OcNOS exports sFlow and NetFlow telemetry from all edge interfaces to FastNetMon. Hardware-accelerated packet sampling — no CPU overhead, no impact on forwarding performance.

2. Detect

FastNetMon analyzes flow data against per-host and per-subnet thresholds. Identifies volumetric floods, SYN storms, UDP amplification, DNS floods, and NTP reflection attacks — typically in under 1 second.

3. Signal

FastNetMon automatically pushes BGP Flowspec rules (for surgical mitigation) or RTBH blackhole routes (for volumetric attacks) to OcNOS via BGP. Fully automated — no operator action required during the attack.

4. Mitigate

OcNOS installs Flowspec rules or RTBH routes directly in the ASIC hardware. Attack traffic is dropped or rate-limited at full line rate. Clean traffic continues unaffected. Rules are removed automatically when the attack subsides.

Use Cases

Where DDoS protection with OcNOS fits

OcNOS DDoS protection works for any operator running open hardware at the network edge — from small ISPs to large data center operators.

ISP & SP Edge Protection

Protect peering edges and transit links from volumetric DDoS that would saturate customer-facing bandwidth. sFlow detection at the peering router with automatic BGP Flowspec mitigation stops floods before they reach downstream customers. Upstream RTBH coordination with transit providers stops attacks before they enter your network.

Data Center Perimeter

In-line DDoS filtering at the DC border — protecting hosted infrastructure and cloud workloads. Static hardware ACLs block known bad actors permanently. Dynamic Flowspec rules adapt to new attack signatures in real time. No traffic diversion to a scrubbing center means zero latency impact for clean traffic.

Managed DDoS Protection Service

Operators can offer per-customer DDoS protection as a managed service, billing by the protected prefix. FastNetMon supports per-customer threshold profiles. OcNOS enforces per-customer Flowspec rules. No shared scrubbing infrastructure — each customer's protection is dedicated and in-network.

Common Questions

DDoS Protection with OcNOS — FAQ

What is BGP Flowspec and how does OcNOS use it for DDoS mitigation?
BGP Flowspec (RFC 5575) is a BGP extension that distributes granular traffic filtering rules across routers — similar to pushing ACLs via BGP, but with more granular match conditions. OcNOS supports Flowspec matching by source IP, destination IP, protocol, source/destination port, packet length, TCP flags, DSCP, and IP fragment type. When FastNetMon detects an attack, it pushes Flowspec rules to OcNOS via BGP in milliseconds. OcNOS installs these rules directly in the ASIC hardware, where they drop or rate-limit matching traffic at full line rate — with zero CPU overhead.
How does FastNetMon integrate with OcNOS, and how fast is the response?
FastNetMon receives sFlow, NetFlow v5/v9, or IPFIX telemetry from OcNOS interfaces and continuously analyzes traffic against configurable per-host and per-subnet thresholds. When an anomaly exceeds the threshold — for example, a UDP flood exceeding 5 Gbps to a single destination — FastNetMon automatically triggers either a BGP Flowspec rule (for surgical, protocol-specific mitigation) or an RTBH blackhole route (for full prefix blackholing) via BGP to OcNOS. The detect-to-mitigate loop is automated and typically completes in under 2 seconds.
What types of DDoS attacks does this solution detect and mitigate?
FastNetMon with OcNOS detects and mitigates the most common DDoS attack types: volumetric floods (UDP amplification, ICMP flood, raw bandwidth saturation), protocol attacks (SYN flood, TCP RST flood, fragmented packet attacks), and application-layer attacks detectable by flow analysis (DNS query floods, NTP amplification, Memcached amplification). BGP Flowspec can match on protocol, port, TCP flags, and fragment type for precise surgical mitigation. For volumetric attacks where precision is less important than speed, RTBH blackholing drops all traffic to the targeted prefix at the network edge.
Can OcNOS do DDoS mitigation without FastNetMon?
Yes. OcNOS provides three independent DDoS mitigation mechanisms that work without FastNetMon: static hardware ACLs (ASIC-accelerated, zero CPU overhead) for permanent blocking of known bad actors; manual RTBH blackholing via BGP for operator-triggered prefix blackholing; and reception of BGP Flowspec rules from any standard BGP speaker. Operators with existing detection platforms — Arbor/Netscout, A10 Networks, Cloudflare Magic Transit, or Kentik — can use OcNOS as the enforcement plane, receiving Flowspec or RTBH commands from their existing detection system.
What is RTBH blackholing and when should I use it instead of Flowspec?
RTBH (Remotely Triggered Black Hole) blackholing works by advertising the targeted destination prefix via BGP with a next-hop pointing to a discard interface. All upstream routers that receive the RTBH advertisement will drop all traffic destined for that prefix at their edge — stopping attack traffic before it enters your network. RTBH is the right choice for high-volume volumetric attacks where stopping all traffic to a destination (including legitimate traffic) is acceptable to protect the rest of the network. BGP Flowspec is preferable when you need surgical mitigation — for example, blocking only UDP port 53 to a destination while allowing TCP traffic through. In practice, operators often start with RTBH for speed and switch to Flowspec for precision once the attack is characterized.
Does in-network DDoS mitigation with OcNOS replace a scrubbing center?
In-network mitigation complements or partially replaces scrubbing centers depending on the attack type and scale. For volumetric attacks targeting your own prefixes, OcNOS with FastNetMon provides faster response (sub-2-second) at lower cost than routing traffic through a scrubbing center — because the filtering happens in-line at the network edge in hardware ASICs. For very large attacks that saturate upstream links before reaching your routers, upstream RTBH with your transit providers combined with in-network Flowspec is the most effective approach. Managed DDoS service providers can also use OcNOS as the per-customer enforcement plane for per-customer Flowspec rules and thresholds.
Get Protected

Protect your network on open hardware.

Talk to our security and networking specialists. We'll walk through your topology, your threat model, and the right Flowspec and RTBH configuration for your environment.
