DDoS attack mitigation with WANGUARD Filter

OVERVIEW: The Filter included in WANGUARD is an anti-DDoS traffic analyzer and intelligent firewall rules generator designed to protect networks from internal and external threats (availability attacks on DNS, VoIP, Mail and similar services, unauthorized traffic resulting in network congestion), botnet attacks, zero-day worm and virus outbreaks.
It includes sophisticated traffic analysis algorithms that are able to detect and side-filter malicious traffic in a granular manner without impacting the user experience or resulting in downtime. It can be used only in conjunction with the Flow Sensor (for NetFlow, sFlow, jFlow or IPFIX) or with the Sniffing Sensor (for In-line Servers, Port Mirroring, Network TAPs).
  • Supports multiple packet filtering backends:
    • Software filtering using the NetFilter system provided by the Linux kernel
    • Hardware-based filtering for 1 or 10 Gbps network cards with Intel's 82599 chipset (Intel X520 NIC, Intel X540 NIC, HP 560 NIC, other vendors)
    • Dedicated firewalls using custom scripts
  • Defends against known, unknown and evolving DoS, DDoS and other volumetric attacks by filtering dynamically any combination of:
    • Source or Destination IP Addresses ( IPv4 or IPv6 )
    • Source or Destination TCP ports
    • Source or Destination UDP ports
    • IP Protocols
    • Invalid IP packets
    • ICMP Types
    • Time To Live ( TTL ) field
    • Packets Lengths
  • Recognises and blocks malicious traffic in under 5 seconds
  • Does not block or blacklist valid customer traffic
  • Does not require network baseline training and operator intervention
  • The Filter system can be deployed in-line or can scrub the malicious traffic by BGP off-ramping
  • The cleaned traffic can be re-injected downstream into the network with Static Routing or GRE / IPIP tunnelling
  • Per endpoint flexible threat management options and an easy to use API for scripting the reaction to attack patterns:
    • alert the NOC staff by email using user-defined email templates
    • email the ISP of the attacker
    • send custom syslog messages to remote log servers
    • capture the attacker's traffic for forensic investigation
    • execute custom scripts that extend the built-in capabilities, such as:
      • configure ACLs or execute PIX "shun" commands to filter attack patterns
      • filter attacking IP addresses by executing “route blackhole” commands
      • send SNMP TRAP messages to SNMP monitoring stations
  • Easy and non-disruptive installation on common server hardware
  • The most cost-effective DDoS protection and DDoS mitigation software solution on the market
DDoS Mitigation
The image above shows our recommended architecture but Sensor(s) and Filter(s) can run on the same server. Servers can be deployed in-line.

  • Out-of-line servers. Filter sends a BGP announcement to the border router or route reflector that sets the Filter's server as next-hop for the suspect traffic. The Filter then blocks the malicious traffic and the cleaned traffic is routed back into the network. The technique used to send only the traffic received by attacked destinations to the filtering server for cleaning is called traffic diversion, BGP off-ramping, sink hole routing, side filtering etc.
  • In-line servers configured as routers. Filter runs on a server that resides in the main data-path, configured as an OSI Layer 3 router.
  • In-line servers configured as network bridges. Filter runs on a server that resides in the main data-path, configured as an OSI Layer 2 network bridge.
  • Servers connected to network taps or mirroring ports. Filter runs on a server that receives a copy of packets from a network tap or a mirroring port. Direct filtering is not possible, but the Filter is able to generate filtering rules that improve the visibility of attacks and can be applied on other in-line appliances or firewalls.


DDoS Mitigation Capacity    1 Gbps interface 10 Gbps interface
Architecture x86 ( 32 or 64 bit ) x86 ( 64 bit )
Core x CPU 1 x Xeon 2.5 GHz or 1 x Opteron 1.8 GHz 4 x Xeon 2.4 GHz
Network Cards 1 x Gigabit Ethernet with NAPI support
1 x Gigabit Ethernet
1 x 10 GbE card (Intel 82599 chipset recommended)
1 x Gigabit Ethernet
Operating System* RHEL / CentOS 5, RHEL / CentOS 6, OpenSUSE 12, Debian Linux 6, Ubuntu Server 12 RHEL / CentOS 5, RHEL / CentOS 6, OpenSUSE 12, Debian Linux 6, Ubuntu Server 12
Disk Space 10 GB ( including OS ) 10 GB ( including OS )
* Other Linux distributions might work but haven't been tested yet.


The two traffic filtering methods directly supported by the Filter complement each other performance-wise and feature-wise:
  • The software firewall is very flexible but it might not be fast enough to handle a full 10 GbE link, especially when dealing with small packets.
    The Filter doesn't use the connection tracking system specific to stateful firewalls. This ensures a much better filtering and routing performance. But we can't estimate the filtering performance you're going to get since the packet filter's capacity depends on many parameters: CPU type/speed/cache, Linux kernel version, NIC chipset, NIC driver, attack type, server load, routed traffic size, multi-core balancing of hardware interrupts, number of existing rules etc.
    You can find several iptables benchmarks on the web, but most of them are not related to stateless filtering.
  • The hardware packet filter is able to drop 10G traffic at wire-speed without any CPU usage. Currently it's only able to filter IP addresses (sources or destinations) so it's not efficient against attacks from random IP addresses. Counters for the number of dropped packets are not available.
If a DDoS attack saturates the uplink bandwidth or it's above the capacity of the filtering server(s), then the Sensor is able to BGP black-hole/null-route the attacked destinations.
Multiple filtering servers can be deployed in a cluster-like architecture, when the packets are load-balanced (round-robin).


You can download and try the Filter for 30 days by requesting an evaluation license.
WANGUARD Filter licenses can be purchased directly from our on-line store.
The answers for several frequently asked questions are listed in the Knowledge Base.
If you have any questions or requests, please don't hesitate to contact us.