DDoS Protection
- Real-time traffic analysis — supports NetFlow v5/v9/IPFIX, sFlow, and PCAP
- Hierarchical detection thresholds — at network, protocol, port, and TOS levels
- Country Risk Scoring — traffic weighting based on the source country risk profile
- Automatic mitigation — BGP blackholing with community tagging and FlowSpec integration, with multi-vendor support
- White/Blacklist management — IP whitelisting and blacklisting
- Various attack types support — volumetric, protocol, and application-layer attacks
- Egress spoofing monitor (BCP38) — detection of forged-source traffic leaving your network, with source-MAC attribution pinpointing the offending port
- SYN-ACK reflection detection — identifies your own hosts being abused as reflection victims, with guidance to divert rather than blackhole
- Configurable detection rules (no-code) — thresholds and rules managed from the admin panel, no code changes; built-in rule library (brute force, port scan, SYN flood, DNS abuse, and more)
- Shape-aware response — single IP → RTBH blackhole, distributed attack → BGP diversion, low volume → FlowSpec; alert-only by default until an operator enables a rule
- What-If simulator — preview the blackhole and scoring outcome before any action is taken
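The egress spoofing monitor above is a BCP38 check: any flow leaving the network with a source address outside your own prefixes is forged, and the source MAC ties it to an access port. The following is an added example of that check, not the product's own code; it assumes a stub network (no transit for other ASNs), sFlow-style records that carry the source MAC, and constructed prefixes, MAC table and flows.

```python
"""BCP38 egress spoofing check over flow records: added example, not the
product's own code. Assumes a stub network (no transit for other ASNs), sFlow
style records that carry the source MAC, and a constructed MAC-to-port table."""
import ipaddress
from collections import Counter

# Constructed sample data: our prefixes, the access switch's MAC table, and flows.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
MAC_TO_PORT = {"52:54:00:aa:bb:01": "GigabitEthernet0/0/3",
               "52:54:00:aa:bb:02": "GigabitEthernet0/0/7"}
FLOWS = [
    # legitimate customer traffic leaving the network
    {"src": "203.0.113.25", "dst": "198.51.100.9", "src_mac": "52:54:00:aa:bb:01",
     "egress": True, "pkts": 120},
    # forged public source leaving the network (reflection/amplification style)
    {"src": "198.51.100.200", "dst": "192.0.2.53", "src_mac": "52:54:00:aa:bb:02",
     "egress": True, "pkts": 9000},
    # RFC 1918 source leaking out: also a BCP38 violation
    {"src": "10.7.7.7", "dst": "192.0.2.53", "src_mac": "52:54:00:aa:bb:02",
     "egress": True, "pkts": 4000},
    # inbound traffic: foreign source is expected here, not a violation
    {"src": "198.51.100.9", "dst": "203.0.113.25", "src_mac": "00:00:5e:00:53:01",
     "egress": False, "pkts": 110},
    # IPv6 from our own allocation, legitimate
    {"src": "2001:db8:1::5", "dst": "2001:db8:ffff::1", "src_mac": "52:54:00:aa:bb:01",
     "egress": True, "pkts": 30},
]


def is_own_source(ip):
    """True if the address belongs to one of our announced prefixes (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in prefix for prefix in OWN_PREFIXES)


def spoofed_egress(flows):
    """Egress flows whose source is outside our address space: BCP38 violations."""
    return [f for f in flows if f["egress"] and not is_own_source(f["src"])]


def attribute_by_port(flows):
    """Pin spoofed packets to the access port via the source MAC; unknown MACs stay visible."""
    counts = Counter()
    for f in flows:
        counts[MAC_TO_PORT.get(f["src_mac"], "unknown")] += f["pkts"]
    return counts
```

Running `attribute_by_port(spoofed_egress(FLOWS))` on the constructed data attributes all forged packets to one port, which is the port an operator would then filter at the edge.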
BGP FlowSpec (ExaBGP v5)
Surgical mitigation without blackholing — BGP FlowSpec rules (RFC 5575) injected directly into upstream peers. Drop or rate-limit only the attack traffic, while legitimate traffic to the same IP continues uninterrupted.
- Per-flow rules — match by destination/source prefix, protocol, port, TCP flags, DSCP, and fragmentation
- Drop / rate-limit actions — null-route only matching flows or limit kbps per BGP neighbor
- Per-threshold mitigation mode — blackhole, flowspec, both, or none
- Non-blocking injection queue — the detection pipeline never waits for BGP announcements
- Automatic withdrawal — rules expire after a configurable lifetime once the threat subsides
- Full per-neighbor, per-rule status — pending / active / withdrawn / failed, with manual inject/withdraw controls
- exabgp.conf generator — one-click config preview and write, plus a real-time CLI connectivity test
- No scrubbing center — no extra fees or third-party licensing
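The per-flow rules, the two actions and the automatic withdrawal described above translate into a handful of ExaBGP API lines. The following builder is an added example, not code from the product or from ExaBGP; it assumes ExaBGP's one-line text-API form `announce flow route { match { ... } then { ... } }` and that `rate-limit` is expressed in bytes per second (the RFC 5575 traffic-rate unit), so the operator's kbps value is converted.

```python
"""ExaBGP v5 text-API FlowSpec (RFC 5575) command builder: added example, not
code from the product or from ExaBGP. Assumes ExaBGP's one-line API form
"announce flow route { match { ... } then { ... } }" and that rate-limit is in
bytes/s (RFC 5575 traffic-rate), so the operator's kbps value is converted."""
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp"}

def build_match(rule):
    """Render the match terms: prefixes, protocol, port, TCP flags, DSCP, fragment."""
    terms = []
    for key in ("destination", "source"):
        if key in rule:  # ip_network() rejects malformed prefixes before they reach BGP
            terms.append(f"{key} {ipaddress.ip_network(rule[key])};")
    if "protocol" in rule:
        if rule["protocol"] not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {rule['protocol']!r}")
        terms.append(f"protocol {rule['protocol']};")
    if "destination_port" in rule:
        terms.append(f"destination-port ={int(rule['destination_port'])};")
    if "tcp_flags" in rule:  # e.g. "syn"
        terms.append(f"tcp-flags {rule['tcp_flags']};")
    if "dscp" in rule:
        terms.append(f"dscp {int(rule['dscp'])};")
    if rule.get("fragment"):
        terms.append("fragment is-fragment;")
    if not terms:
        raise ValueError("a FlowSpec rule needs at least one match term")
    return " ".join(terms)

def build_action(rule):
    """discard drops only the matching flow; rate-limit caps it (kbps -> bytes/s)."""
    action = rule.get("action", "discard")
    if action == "discard":
        return "discard;"
    if action == "rate-limit":
        return f"rate-limit {int(rule['kbps']) * 125};"
    raise ValueError(f"unsupported action {action!r}")

def announce(rule):
    """One line to write to ExaBGP's stdin; other traffic to the prefix is untouched."""
    return f"announce flow route {{ match {{ {build_match(rule)} }} then {{ {build_action(rule)} }} }}"

def withdraw(rule):
    return announce(rule).replace("announce", "withdraw", 1)

def expired_withdrawals(active, now, lifetime_s):
    """Automatic withdrawal: commands for rules announced more than lifetime_s ago."""
    return [withdraw(r) for r in active if now - r["announced_at"] >= lifetime_s]
```

A detection pipeline would push `announce(rule)` onto a queue that a separate worker writes to the ExaBGP process, and call `expired_withdrawals` on a timer, so BGP I/O never blocks detection.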
BGP Traffic Diversion
Redirect attacked prefixes to a scrubbing or alternative path without blackholing them entirely. Supports multiple routing platforms.
- Three diversion mechanisms — Withdraw, Prefix-List, Route-Map
- Audited SSH — execution of SSH commands with live output preview
- Auto-Trigger — automatic diversion policy activation upon distributed attack detection
- Auto-Revert — automatic policy rollback after a configurable time window
- CIDR Confirmation — mandatory CIDR range confirmation gate
- Per-peer selection — select from which eBGP peers to withdraw the prefix
- One-click Divert — direct button in the Distributed Alerts dashboard
- Policy duplication — copy a policy to multiple routers with one click
- Event history — full audit trail with SSH output
- Intelligent selective advertisement — the attacked prefix stays reachable through critical peers (Google, Meta, Akamai, Amazon, Cloudflare) via a maintainable ASN allowlist, and is withdrawn only from everyone else
- Multi-vendor — Linux FRR, Huawei NE8000 (VRP), and Cisco ASR (IOS-XE)
SIEM and NIS2 Compliance
- Incident reporting — compliant with Art. 23 NIS2, tracking 24h / 72h / 1 month deadlines
- Policy management — versioned security policies
- Risk management — risk assessment framework with a scoring system
- Training log — security training tracking
- Audit logs — tamper-evident logging of all security actions
- Log collection — Syslog collector (RFC 3164/5424) for multi-vendor devices
- Multi-vendor parsers — dedicated parsers for Juniper JunOS (UI_COMMIT, UI_AUTH, BGP session states, link up/down), Cisco IOS/IOS-XE, and Linux syslog, with a generic RFC 3164 fallback
- Correlation — link syslog events with NetFlow/sFlow traffic data
- Rule engine — PCRE pattern matching with severity levels
- Notifications — real-time alerts via email and webhook
BGP and Peering Management
- Configuration sync — agentless direct SSH config pull from Huawei NE8000, Cisco ASR, and Juniper MX routers, plus agent-based sync for Linux FRR
- Dynamic peer mapping — automatic BGP neighbor to physical interface matching
- Diagnostics — automatic ARP and interface connectivity checks
- Bandwidth monitoring — per-interface bandwidth charts with VLAN-tagged flow support
- Route-map / policy analysis — match/set clauses, local-pref, and prepend visualization across FRR, NE8000, ASR, and Juniper MX (including default vs. community-triggered prepends)
- Billing and bandwidth — 95th percentile, CIR, and PIR tracking per peer
- SSH Terminal — secure, audited web access to routers
- Configuration backup — versioned backups with unified diff
- Routing table — efficient full table (1M+ routes) handling
Network Monitoring (NMS)
- SNMP interface monitoring — per-interface counter polling (bits/packets, errors, utilization) with historical trend charts
- Per-device dashboards — interface tables and link status at a glance
- Service & uptime checks — track availability of monitored services with full result history
- Time-series storage — interface counters and check results persisted in TimescaleDB for long-term trending
Network Vulnerability Scanner
- CVE Detection — Nmap-based scanning with vulnerability detection
- Port scanning — monitoring of 55+ high-risk ports
- Parallel processing — batch engine for large network ranges
- SIEM integration — vulnerabilities automatically generate security events
- Reports — automated email reports grouped by severity
Customer Portal (ISP/IXP Edition)
- Traffic visibility — customers see their own network traffic charts and stats
- DDoS alerts — attack history on customer prefixes
- PDF Reports — downloadable security reports
- Data isolation — strict data separation based on assigned CIDRs
Network Traffic Analysis
- Multi-protocol support — NetFlow v5/v9/IPFIX, sFlow, PCAP
- Advanced search — filtering by IP (CIDR), port, protocol, ASN, geolocation, and time range
- Top talkers — identification of largest traffic sources
- Interactive visualization — Grafana-style zoom
- Sankey diagrams — network traffic distribution visualization
- Forensic analysis — on-disk flow log searching (nfdump)
- CGNAT Lookup — reverse-lookup of NAT translations
- Data export — CSV, JSON, PDF
AI Assistant
- Natural language queries — questions about network status, historical analysis, trend identification
- Automated troubleshooting — diagnostic and operational support
- MCP integration — extensible tool system: Traffic Search, CGNAT Lookup, BGP Status, Vulnerability Analysis
- Supported AI backends — ITCare AI API and internal secure network AI servers