July 11, 2026 · 7 minutes read

WanGuard is Andrisoft's carrier-grade anti-DDoS system — sub-5-second detection with BGP FlowSpec and RTBH mitigation. Here's how it works, and how ITORO deploys it.

WanGuard is a carrier-grade anti-DDoS system from Andrisoft that detects volumetric attacks in seconds and mitigates them on your own network using BGP FlowSpec, RTBH black-holing, or DPDK packet scrubbing. It runs on commodity servers you control — no traffic rerouting to a cloud scrubbing center — which is why ISPs, telecoms and data centers use it to stop attacks before customers notice.

Key takeaways
WanGuard = detection + mitigation on-premise: it sees your traffic, identifies the attack, and drops it at your edge routers.
Three parts: the Sensor (detects), the Filter / WanFilter (scrubs), and the Console (the web control plane).
Two detection modes: port-mirror (DPDK) for sub-5-second reaction, or flow (NetFlow/sFlow/IPFIX) for cheaper, Terabit-scale coverage.
Mitigation: BGP FlowSpec (surgical, line-rate), RTBH (last-resort black-hole), or WanFilter scrubbing.
– ITORO is an Andrisoft Gold Partner that installs, tunes and operates it for you.


What is WanGuard?

WanGuard is Andrisoft’s software-based anti-DDoS platform for network operators. It combines real-time traffic monitoring, automatic DDoS detection, and automated mitigation into one system that runs on standard Linux servers at your own edge — so you own the hardware, the data path, and the response. It protects the whole network, not a single hosted application.

Unlike a cloud scrubbing service, WanGuard doesn’t reroute your traffic to a third party. It watches the traffic already flowing through your network, recognizes an attack in seconds, and instructs your routers to filter it. That on-premise model is the core of ITORO’s WanGuard anti-DDoS deployments for ISPs, telecoms and data centers.

Why DDoS protection matters for network operators in 2026

DDoS attacks are getting bigger and faster, and telecoms and service providers are now the single most-targeted sector. In its Q4 2025 report, Cloudflare said DDoS attacks rose 121% year over year, that it auto-mitigated an average of 5,376 attacks per hour, and that it blocked a record 31.4 Tbps flood that lasted just 35 seconds — with telecommunications, service providers and carriers the most-targeted industry for hyper-volumetric attacks. (Cloudflare Q4 2025 DDoS Threat Report, Feb 2026.)

NETSCOUT’s parallel data agrees: more than 8 million DDoS attacks were recorded in the second half of 2025 across 203 countries, with roughly 42% using two to five attack vectors at once and telecom among the hardest-hit sectors. (NETSCOUT DDoS Threat Intelligence Report, Issue 16, Mar 2026.)

The takeaway for operators: attacks now saturate uplinks in tens of seconds, so detection speed is the whole game — which is exactly what WanGuard is engineered for.

WanGuard components: Sensor, Filter, and Console

WanGuard is built from three cooperating components, each of which can scale independently across your network:

  • WanGuard Sensor — the detection engine. It ingests traffic (via packet capture or flow data), builds a per-subnet baseline of “normal,” and raises an anomaly the moment traffic deviates. It comes in two flavors: a Packet Sensor (mirrored traffic) and a Flow Sensor (router-exported flows).
  • WanGuard Filter (WanFilter) — the mitigation engine. When an attack is confirmed, it applies granular packet-level filtering — deployed inline or as an off-ramp scrubber — to drop attack traffic while legitimate traffic passes.
  • WanGuard Console — the multi-tenant web GUI. It’s the administrative hub where you see live dashboards, manage sensors and filters, configure thresholds, and pull post-incident reports.

(Component names and capabilities per the official Andrisoft WanGuard documentation.)

How WanGuard detects DDoS attacks

WanGuard detects attacks by continuously profiling your traffic and firing an alert when a subnet’s rate, packet mix, or protocol distribution breaks its learned baseline. The biggest choice you make is the collection method, because it sets your detection speed and cost:

Port-mirror (DPDK) — fastest

A Packet Sensor inspects a copy of your traffic via a port mirror / SPAN, using high-speed DPDK capture. It sees 100% of packets at line rate, so it reacts in under 5 seconds — ideal for carpet-bomb and volumetric floods on 100–400GE links. In ITORO’s deployments, port-mirror detection is what makes sub-5-second RTBH and 15–30-second granular filtering possible.

Flow (NetFlow / sFlow / IPFIX) — broad and cheap

A Flow Sensor analyzes sampled flow records your routers already export — NetFlow, sFlow, and IPFIX. It’s bandwidth-independent, covers many POPs from one place, and scales to Terabit volumes at low cost, but because it samples, detection typically takes 35–95 seconds and is coarser. It’s the right tool for very large, distributed edges where per-packet capture everywhere isn’t practical.

Most operators run a mix: DPDK port-mirror where speed matters most, flow everywhere else. Pairing detection with Juniper MX telemetry gives your NOC a live view of both the attack and the mitigation.

How WanGuard mitigates attacks

Once WanGuard confirms an attack, it triggers mitigation automatically and layers the right tool to the threat:

  • BGP FlowSpec — the surgical option. WanGuard pushes granular, 5-tuple filter rules straight to your routers’ forwarding plane, so only the malicious flows are dropped or rate-limited at line rate while the service stays online. This is the primary method on a modern edge and the basis of the Juniper MX filtering gateway.
  • RTBH (Remotely Triggered Black Hole) — the last resort. It advertises the victim address with a black-hole community so upstream routers null-route it. RTBH sacrifices the single targeted IP to save the rest of the network, so WanGuard uses it only when an attack is too large to filter granularly.
  • WanFilter scrubbing — surgical DPDK packet scrubbing, inline or off-ramp, for cases where your routers aren’t FlowSpec-capable or you need an extra filtering layer on top of FlowSpec.

The automation layer chains these together: filter first, black-hole only if uplinks approach saturation — fully automatic, with alerts to your NOC.

WanGuard vs cloud scrubbing

WanGuard filters attacks on your own network; a cloud scrubbing service reroutes your traffic to a third-party data center first. The on-premise model reacts faster (no redirection latency), keeps traffic and customer data inside your network — important for regulated operators and NIS2 — and carries no per-Gbps metered bill that scales with attack size.

The one honest limit: on-premise mitigation is bounded by your uplink capacity — you can’t filter more than the link carries. For hypervolumetric floods beyond the pipe, WanGuard deployments escalate to an external scrubbing center as a fallback. ITORO tells customers this upfront; it’s the brand, not a disclaimer.

Why deploy WanGuard with ITORO

WanGuard is powerful, but its accuracy depends on tuning — per-subnet baselines, exclusions for known heavy customers, thresholds, and clean naming. Get that wrong and you get false positives; get it right and you get accurate, automatic protection. ITORO is a worldwide Andrisoft Gold Partner built on 25+ years of ISP and network operations (20+ years with Juniper), and we install, tune and operate WanGuard as a managed service — end to end, at the same price worldwide.

See how a full deployment fits together on the WanGuard anti-DDoS page, or get an itemized estimate on Plans & Pricing.

Frequently asked questions

Is WanGuard a cloud scrubbing service?

No. WanGuard is on-premise, self-hosted software that runs on your own servers, so you keep full control of your traffic and data — no rerouting to a third-party scrubbing center and no per-Gbps cloud fees. ITORO installs, tunes and supports it on your infrastructure.

How fast does WanGuard detect a DDoS attack?

It depends on the collection method. Port-mirror (DPDK) detection reacts in under 5 seconds because it inspects every packet at line rate. Flow-based detection (NetFlow/sFlow/IPFIX) samples router-exported traffic, so it typically detects in 35–95 seconds but scales to Terabit volumes cheaply.

What’s the difference between BGP FlowSpec and RTBH in WanGuard?

BGP FlowSpec drops or rate-limits only the malicious flows at line rate, keeping the service online. RTBH black-holes all traffic to the targeted IP — it sacrifices one address to protect the network, so WanGuard uses it only as a last resort when an attack is too large to filter granularly.

What are WanGuard’s components?

WanGuard has three: the Sensor (detects attacks from mirrored packets or flow data), the Filter / WanFilter (scrubs attack traffic inline or off-ramp), and the Console (the multi-tenant web GUI for dashboards, configuration and reporting).

Who is WanGuard for?

WanGuard is built for network operators — ISPs, telecoms, hosting providers and data centers — that carry their own traffic and need to protect the whole network rather than a single website. In 2025 these were the most-targeted sector for hyper-volumetric DDoS attacks (Cloudflare, Feb 2026).


Sources
– Cloudflare — Q4 2025 DDoS Threat Report (Feb 2026): https://blog.cloudflare.com/ddos-threat-report-2025-q4/
– NETSCOUT — DDoS Threat Intelligence Report, Issue 16 / 2H 2025 (Mar 2026): https://www.netscout.com/threatreport/
– Andrisoft — WanGuard product & documentation: https://www.andrisoft.com/software/wanguard