WanGuard Anti-DDoS

WanGuard DDoS Detection & Mitigation — deployed and tuned by ITORO

WanGuard by Andrisoft is a carrier-grade anti-DDoS system that detects attacks in seconds and mitigates them with BGP FlowSpec, RTBH black-holing, or redirects hypervolumetric DDoS attacks to a scrubbing center. As an Andrisoft Gold Partner, ITORO installs, tunes and operates it for ISPs / DCs and enterprises worldwide.

2–5s
Port-mirror detection
Mirror-based, DPDK
15–30s
End-to-end mitigation
RTBH / FlowSpec, tuned
35–95s
Other systems
sFlow / NetFlow / IPFIX

Beyond ~65s uplinks saturate — by then users have already lost access. Speed is the whole game.

See pricing Talk to an engineer

What is WanGuard

A complete DDoS protection platform

WanGuard combines high-speed traffic monitoring, anomaly detection and automated mitigation into one on-premise system you fully control. We can enable third-party mitigation such as scrubbing-center fail-over, Web Application Firewall (WAF) protection, or other layers to build multi-vector protection.

WanGuard Sensor

Ingests port-mirrored packets or NetFlow/sFlow, builds per-IP traffic baselines and detects volumetric and protocol attacks in under 5 seconds.

WanGuard Filter / WanFilter

DPDK-accelerated packet filtering scrubs only the malicious traffic — scaling from 1 Gbps to 800 Gbps per sensor port without dropping clean traffic.

WanGuard Console

Central management, dashboards, reporting and alerting with long-term sFlow/IPFIX/NetFlow analytics and capacity planning.

How it works
WanGuard with RTBH or BGP FlowSpec: a BGP update with FlowSpec firewall rules is sent to your routers so matched attack traffic is dropped at uplink interfaces (or at your Tier 1-2 provider) before hitting your network; WanGuard detects via port-mirror/sFlow, and RTBH or edge FlowSpec can also be sent upstream.

Quick response

FlowSpec pushes filtering rules network-wide in seconds, stopping attacks before they reach their targets.

Precise filtering

Rules target malicious traffic by IP, protocol, port and packet characteristics — legitimate traffic passes through unaffected.

Runs on your routers

Uses existing BGP-capable routers (Cisco, Juniper, Arista, Huawei, Nokia) — no dedicated appliance to buy.

Scalable

Applied globally or to selected network segments; scales with your existing BGP infrastructure.

Zero-downtime deploy

ITORO deploys BGP FlowSpec with no maintenance window — no service disruption during installation.

Lower cost

Leverages your routers instead of dedicated DDoS hardware, reducing total cost of ownership.

Attacks we stop

Built for the attacks ISPs actually see

WanGuard, tuned by ITORO, defends against the full range of volumetric and protocol DDoS — the categories below cover the vast majority of real-world incidents.

Volumetric floods

High-rate UDP, ICMP and IP floods that try to saturate your uplinks.

Amplification / reflection

NTP, DNS, CLDAP, CHARGEN, SSDP, memcached, SNMP and similar reflected vectors.

Carpet-bomb

Attacks spread across many destination IPs in a prefix — detected per-IP, not just per-service.

Fragmentation

IP/UDP fragment floods designed to slip past sampled flow-based systems.

TCP state-exhaustion

SYN, ACK and connection-flood attacks against stateful devices.

DNS & application layer

DNS query floods are mitigated (DNS security via DNSdist). Application-layer (L7) attacks we drop or rate-limit rather than fully stop — WanGuard is L3/L4 volumetric mitigation, not a web application firewall.

Mitigation methods

RTBH, BGP FlowSpec and WanFilter — the right tool per attack

BGP FlowSpec filtering

Granular, hardware-rate filtering pushed straight to Cisco/Juniper/Arista line cards — drops only attack traffic, keeping the service online.

RTBH black-holing

Remotely Triggered Black Hole drops all traffic to a targeted IP at your upstreams — the fallback when an attack is too large to filter granularly.

WanFilter scrubbing

Surgical DPDK packet scrubbing, deployed inline or as an off-ramp filter. Use it when your routers aren't BGP FlowSpec-capable, or as an extra layer of filtering on top of FlowSpec — protecting specific services rather than black-holing the whole IP.

Layered automation

FlowSpec/WanFilter first, RTBH as a fallback when uplinks approach saturation — fully automatic, with alerts to your NOC.

Honest scope · what we can & cannot block

Mitigation has limits — and we are honest about them

Within your uplinkFiltered on-net — WanGuard + Juniper MX · BGP FlowSpec · RTBH
Beyond the pipeRedirect to external scrubbing

Your uplink capacity is the hard ceiling — we cannot filter more than the link carries.

What we mitigate

  • Everything WanGuard + Juniper MX can act on — within your uplink bandwidth.
  • Always-on stateless MX filtering: anti-spoofing, anti-amplification, rate-limits, CoPP.
  • Dynamic BGP FlowSpec and RTBH activated the moment an attack is detected.
  • Granular filtering keeps your customer online — RTBH only as a last resort.

Where we escalate — honestly

  • Mitigation is bounded by uplink capacity — we cannot filter more than the link carries.
  • BGP FlowSpec only blocks what a rule can express — some randomized or adaptive floods cannot be filtered.
  • When traffic exceeds your uplink or cannot be filtered, we escalate to a terabit-scale external scrubbing center.
  • We tell you upfront what we cannot block — that is the brand, not a disclaimer.
Why ITORO

An Andrisoft Gold Partner that runs WanGuard every day

  • Complete installation, BIOS/OS/NIC tuning and staff training.
  • Realistic per-IP thresholds that catch attacks without false positives.
  • BGP, RTBH and FlowSpec configured on your routers and upstreams.
  • Managed support is always part of the deployment — from NBD email cover to full outsourced administration. The first year ships with the product.

Deployment, end to end

The exact steps ITORO follows to take you from bare servers to a tuned, production WanGuard deployment.

Installation
Install WanGuard Console, Sensor and Filter software (the Filter ships together with the Sensor).
Install a traffic-filtering card on the traffic-filtering servers.
Tune the Debian system: CPU governor, disk scheduler, sysctl parameters, GRUB.
WanGuard settings
Connect the WanGuard components on the primary server (Sensor / Filter).
WanGuard Filter configuration: filtration parameters and additional protection against link overflow (additional service).
Add client IP subnets and set DDoS attack thresholds.
Final phase
Traffic filtering, then RTBH as a last-resort action.
Set up email notifications, reports and alerts from WanGuard.
Set the initial traffic-filtering thresholds (customer consultation required).
Scripted archiving of the WanGuard system, with a copy on the ITORO server (option for customers with ITORO support packages).
Operator training: system operation, alert interpretation and day-to-day management.
Production launch

See pricing

Pricing

Transparent, from €2,500 one-time

Two standard scenarios cover most deployments. One-time deployment (first server includes install, training and a month of fine-tuning); WanGuard licenses are annual. Build a full itemised quote in the calculator.

Scenario 1 · entry
from €2,500

RTBH only — fastest, cheapest way to stop volumetric attacks by black-holing the target.

  • 2×10GE port-mirror sensor, <5s detection
  • BGP RTBH on your routers/upstreams
  • Blackhole-only mitigation
Scenario 2 · standard
from €3,000

RTBH + BGP FlowSpec — granular filtering that keeps the service online, with RTBH as fallback.

  • Everything in Scenario 1
  • BGP FlowSpec granular filtering + WanFilter
  • Scales to 40/100/400GE sensors

Open the full pricing & calculator

WanGuard FAQ

Common questions

Is WanGuard better than cloud DDoS protection?

WanGuard is on-premise: traffic never leaves your network, detection is faster, and cost is predictable. It complements upstream cloud scrubbing for very large volumetric attacks.

How fast does WanGuard detect a DDoS attack?

With port-mirror sensing, typically 2 to 5 seconds; with NetFlow/sFlow, 35–95 seconds depending on export intervals.

What hardware do I need?

A BGP-capable router, a switch or router that can export flows (sFlow, NetFlow, IPFIX) or mirror traffic, and — for a port-mirror sensor — a server sized to the port speed you want to mirror, anywhere from 1 to 400 Gbps. ITORO recommends the exact spec.

Can ITORO run WanGuard for us?

Yes — our Gold/Platinum support tiers cover monitoring, threshold tuning, changes and even full administration.

Should we deploy inline or out-of-band?

Our preferred method is out-of-band (off-ramp) with a filtering VRF — detection and scrubbing never sit permanently in the data path, so there is nothing to fail. An inline filter is also supported, but it has one drawback: if it is placed in a bridge or directly in the data path, a restart or service event can briefly affect traffic. Off-ramp filtering avoids that entirely.

How long does deployment take?

A first server includes install, BIOS/OS/NIC tuning, training and a month of fine-tuning. In practice most deployments go live in one to two weeks — provided the equipment, server and BGP are ready and your team has time for the training. We can also deploy while you are under active attack; that sometimes means bringing protection up over an alternative data path (for example a cellular link) to reach the data center or ISP being hit.

How does it handle encrypted (TLS) attacks?

TLS attacks are Layer-7. WanGuard operates at Layer 3/4 — BGP FlowSpec, RTBH black-holing and edge FlowSpec — and does not inspect encrypted payloads without certificates installed. It is not a web application firewall; it is volumetric DDoS mitigation software that absorbs the flood by traffic behavior (rate, sources, packet characteristics).

Does it integrate with our existing infrastructure?

Yes. WanGuard drives your existing BGP-capable routers (Juniper, Cisco, Arista, Huawei, Nokia) — no forklift upgrade. A Juniper MX makes an excellent always-on line-rate filtering gateway, and Juniper streaming telemetry feeds Grafana for visibility — both available as additional products in our portfolio.

Can it scale as our bandwidth grows?

Sensors scale from 2×10GE to 400GE per server, you can add sensors and POPs, and flow/sFlow detection scales to Terabit across many routers. Mitigation via BGP FlowSpec runs at your routers’ line rate.

How does the cost compare to cloud scrubbing?

WanGuard is a one-time deployment plus annual licenses and optional support — no per-Gbps scrubbing fees that spike with attack size. Costs are predictable, and your traffic never leaves your network.

What visibility do we get beyond attack alerts?

Live dashboards, per-incident reports and long-term analytics — plus optional Juniper MX Telemetry into Grafana for real-time edge and mitigation views your NOC can watch during an attack. Regulatory (NIS2) reporting is scoped and tuned to your country's requirements under the ITORO emergency package, agreed with sales.

What types of DDoS attacks can it stop?

Volumetric floods (UDP/ICMP), amplification/reflection (NTP, DNS, CLDAP, memcached and more), carpet-bomb, fragmentation, TCP state-exhaustion (SYN), and DNS floods. Application-layer (L7) traffic is dropped or rate-limited rather than fully stopped. For more information, contact sales.

Ready to stop DDoS attacks before they land?

Get a WanGuard deployment sized and tuned for your network.

Contact ITORO