07.03.2019 · 2 minutes read

One of Our latest installation - 120Gb\s traffic, RTBH with filtering. Installation was based on Juniper MX204 router.

I would like to present our latest installation with latest Wanguard DPDK engine.


Internet Service and Datacenter provider had contacted ITORO to prepare a quotation for 100 Gb\s DDoS solution.

The network had Juniper switches and two Juniper MX204 routers - capable of 4x 100 Gb\s. Due to many short and bursty DDoS attacks, we have chosen a port mirror approach rather than a JFLOW/IPFIX.This allowed for 4 seconds of detection and mitigation, compared to 60+ seconds of detection and mitigation based on any other xFLOW method.


Since Juniper has BGP FlowSpec feature, we have used this for two main purposes.

First - a FlowSpec redirection of attacked prefix to a DIRTY VRF which is pointing to a Scrubbing center with 3x 40 GE capable filters for fine filtering.

Second - a FlowSpec firewall to drop or rate limit any DDoS amplified traffic directed to the network. FlowSpec is able to drop almost 80% off DDoS amplified UDP floods, leaving our Filter cluster of 3 servers almost nothing. Since some smaller attacks can be mitigated with firewall rules, this allows for very fine scrubbing at minimal cost.

Filtering and mitigation have 3 layers of protection:

  1. FlowSpec firewall rules on Juniper MX204 to drop or rate limit traffic.
  2. Chelsio 2x40GE cards on Filter servers to drop or rate limit traffic.
  3. Blackhole routing as a last line of defense, for any traffic which is outside of available bandwidth.