Network-Level DDoS Mitigation & Monitoring
CoreDetection analyses live network traffic from flow telemetry to detect DDoS attacks in near real time and triggers mitigation actions based on operator-defined rules and workflows. A 3-layer Smart Detection engine scores every candidate event on rhythm, fingerprinting, and attack memory, then applies ASN trust, per-prefix baselines, and consensus weighting before any BGP action or alert fires. Engineers retain full control over how, when, and where response is applied.
From Flow Export to Auto-Response
Routers Export Flows
Your border routers send NetFlow, IPFIX, or sFlow directly to CoreDetection. No inline tap, no packet-path changes — out-of-band deployment on commodity hardware.
Smart Detection Analysis
Thresholds surface candidate events. The 3-layer engine scores each one — rhythm, fingerprinting, attack memory — then applies ASN trust, baselines, and consensus weighting.
Dashboard & Reports
Every confirmed event appears on your operations dashboard with rhythm, fingerprint, and memory score breakdown. Attack history is stored and exportable as JSON or CSV reports.
BGP / Alerts Response
Confirmed attacks trigger BGP blackhole, FlowSpec (drop/rate-limit/redirect/mark), or IP blocklist enforcement automatically. Telegram, email, and webhooks fire simultaneously — all logged in your dashboard.
How CoreDetection Detects DDoS Attacks
CoreDetection ingests traffic telemetry from routers, switches, and virtual networks using standard, widely supported methods. Thresholds surface candidate events; Smart Detection then scores each one through three analysis layers with supporting signals for ASN trust, baselines, and pseudo-L7 inference.
Detection thresholds are fully configurable, allowing engineers to tune sensitivity based on network characteristics and historical attack patterns. No packet payload inspection — scalable and vendor-agnostic.
Telemetry Sources
Metrics Monitored
- Bandwidth utilisation
- Packets per second (PPS)
- Flow count
- Smart Detection score (0–100)
Near-Instant Detection
Attack Types Detected
- UDP, TCP and ICMP flood attacks
- SYN, SYN-ACK and FIN floods
- Fragmentation-based IP protocol attacks
- DNS, NTP, SSDP, SNMP amplification
- Multi-vector attacks combining multiple techniques
3 Analysis Layers + Supporting Signals
The engine runs three independent layers on every candidate event, then applies consensus weighting, ASN trust, baselines, and pseudo-L7 inference to produce a final score from 0 to 100. A score of 70 or higher confirms an attack.
Rhythm Analysis
Does this traffic move like an attack?
Analyses 61-second traffic samples for variance, smoothness, and burst patterns. Erratic spikes score high; gradual legitimate ramps score low.
Traffic Fingerprinting
Do these sources look like a botnet?
Maps source IP clustering, ASN diversity, and geographic dispersion. Includes trusted-ASN score adjustment to reduce false positives on CDN and peer traffic.
Attack Memory
Have we seen this attack before?
Stores signatures of confirmed attacks (up to 1,000). New events matched at 85%+ similarity get instant high-confidence recognition.
Supporting Signals
Applied after the three core layers — these refine the final score but are not separate analysis layers.
Weighted Consensus
Weighted scoring across rhythm, fingerprint, and memory — strong signals (≥70) override weak ones instead of a flat average.
Trusted ASN Override
Operator-configured trusted ASNs can veto false positives when traffic is predominantly from verified legitimate sources.
Behavioral Baselines
Per-prefix exponential moving average learns normal Gbps, PPS, and source counts — reduces score for in-range traffic, boosts for abnormal spikes.
Pseudo-L7 Inference
Classifies HTTP floods, Slowloris, and amplification patterns from flow metadata — enriches attack type and can boost the final score.
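The Weighted Consensus and Behavioral Baselines signals described above can be sketched as follows. This is an added example, not CoreDetection code: it shows why a flat average can bury one strong layer, and why a per-prefix baseline should stop learning once an event is confirmed so that attack traffic does not become the new normal. The weights, override rule, smoothing factor, warm-up length, adjustment size, deviation thresholds and sample readings are all assumptions; only the confirmation score of 70 comes from the page.

```python
from dataclasses import dataclass

CONFIRM = 70  # from the page: a score >= 70 confirms an attack
WEIGHTS = {"rhythm": 0.4, "fingerprint": 0.4, "memory": 0.2}  # assumed weights

def consensus(layers):
    """Weighted mean, except that a layer >= CONFIRM is not averaged away."""
    mean = sum(WEIGHTS[name] * layers[name] for name in WEIGHTS)
    strongest = max(layers[name] for name in WEIGHTS)
    if strongest >= CONFIRM:
        return max(mean, (strongest + mean) / 2)  # assumed override rule
    return mean

@dataclass
class PrefixBaseline:
    """Exponentially weighted mean and variance of one metric for one prefix."""
    alpha: float = 0.1  # assumed smoothing factor
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def update(self, x):
        if self.n:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        else:
            self.mean = x  # first sample seeds the baseline
        self.n += 1

    def deviation(self, x, warmup=10):
        """Distance from the learned mean in standard deviations; None in warm-up."""
        if self.n < warmup:
            return None
        std = max(self.var ** 0.5, 0.05 * self.mean, 1e-9)  # floor for flat traffic
        return (x - self.mean) / std

def final_score(layers, pps, baseline, adjust=15, in_range=2.0, spike=6.0):
    """Consensus score moved by the baseline; thresholds here are assumptions."""
    score = consensus(layers)
    z = baseline.deviation(pps)
    if z is not None:
        score += adjust if z > spike else -adjust if z < in_range else 0
    score = max(0.0, min(100.0, score))
    if score < CONFIRM:
        baseline.update(pps)  # never learn from a confirmed attack (poisoning)
    return score

# Constructed sample: 30 PPS readings around 10,000 for one prefix.
SAMPLE_PPS = [10000 + 200 * (i % 5 - 2) for i in range(30)]
```

Feeding `SAMPLE_PPS` into a `PrefixBaseline` and then scoring the same layer values at 10,300 PPS and at 80,000 PPS shows the in-range event falling below 70 and the spike staying above it, with the baseline mean unchanged by the spike.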
From Detection to Mitigation
Detection is the foundation of effective DDoS mitigation. Once Smart Detection confirms an attack (score ≥70), CoreDetection automatically triggers mitigation workflows using standard network mechanisms — configured separately and activated only when thresholds are exceeded.
BGP BlackHole / RTBH
Drop all traffic to attacked prefixes upstream — applied only when Smart Detection confirms HIGH confidence (score ≥70).
BGP FlowSpec Filtering
Target specific protocols, ports, or packet characteristics — preserve legitimate traffic during multi-vector attacks.
Telegram, Email & Webhooks
Instant NOC alerting on attack START, UPDATE, and END with full telemetry payload.
Manual Override via API
Announce, withdraw, or inspect BGP routes in real time from dashboard or REST API.
Four Modules, One Appliance
Smart Detection Engine
CoreDetection ingests NetFlow, IPFIX, and sFlow from your routers. When traffic crosses thresholds, Smart Detection runs three analysis layers — rhythm, fingerprinting, and attack memory — producing a weighted confidence score before any action is taken.
Rhythm Analysis
Analyses traffic cadence and burst patterns from 61-second samples — erratic spikes vs smooth ramps.
Traffic Fingerprinting
Maps source clustering, ASN diversity, and geo dispersion — with trusted-ASN score adjustment.
Attack Memory
Recognises repeat campaigns at 85%+ similarity — instant high-confidence alerts for known patterns.
Automated Mitigation
Built-in GoBGP speaker announces blackhole routes or FlowSpec rules when Smart Detection confirms HIGH confidence (score ≥70). Mitigation uses standard routing mechanisms already present in your network.
BGP Blackhole (RTBH)
Announce /32 host routes with blackhole community to drop attack traffic at the network edge instantly.
BGP FlowSpec (RFC 5575/8955)
Drop, rate-limit, scrubbing redirect (accept/nexthop), RT redirect, or DSCP mark — with TCP flag and fragmentation matching.
IP Blocklist
Ingest threat-intelligence feeds (HTTP/HTTPS/local file) and enforce source-prefix drops via FlowSpec automatically.
Manual Override
Full BGP route management via REST API or dashboard — announce, withdraw, or inspect routes in real time.
Dashboard & Reports
Built-in operations dashboard with live attack monitoring, Smart Detection score breakdown (rhythm / fingerprint / memory), prefix intelligence, and exportable forensic reports.
Live Attack Monitor
Real-time view of active attacks with severity, bandwidth, and rhythm/fingerprint/memory scores.
Forensic Reports
Full attack history exportable as JSON or CSV. Query by target, severity, date, or attack type.
Alert Center
Telegram, email, and webhook event log with attack lifecycle tracking (START / UPDATE / END).
REST API & Alerts
Full REST API at /CoreDetection/api/v0 for runtime config, attack reports, and BGP management. Push alerts to Telegram, email, or webhooks — integrate with existing SOC workflows.
RESTful API
Configure thresholds, Smart Detection, BGP, alerts live — no restart required.
Telegram & Email
Direct alerting on attack START, UPDATE, and END events with full telemetry payload.
SIEM Integration
Webhooks and CSV/JSON export for Grafana, ELK, Prometheus, or custom SOC dashboards.
Monitor. Analyze. Report.
Full operations dashboard — no external portal or paid add-on. Live attacks, Smart Detection score breakdowns, BGP control, and exportable forensic reports.
Live Attack Monitor
Real-time view of active attacks, severity, bandwidth, and Smart Detection scores.
Prefix Intelligence
Per-prefix traffic baselines, anomaly trends, and detection history.
BGP Control Panel
Session status, announced routes, blackhole and FlowSpec actions.
Attack Reports
Full forensic history — export as JSON or CSV, query by date, target, or severity.
Smart Detection Insights
Rhythm, fingerprint, and memory score breakdown with attack memory matches.
Alert Center
Telegram, email, and webhook event log with lifecycle tracking.
Designed for Network Engineers
Full REST API at /CoreDetection/api/v0 on port 9009. Configure Smart Detection, pull reports, and manage BGP without restart.
No proprietary hardware or vendor-specific dependencies required — standard flow export protocols and BGP integration into existing infrastructure.
- ISPs and telecom operators
- Data centres and hosting providers
- Cloud and hybrid infrastructure operators
- Enterprises with high-value online services
Built For Your Network
ISPs, data centers, enterprises, and hosting providers — same Smart Detection engine, same dashboard, your infrastructure.
ISPs & Carriers
Monitor customer prefixes from flow telemetry. Auto-blackhole attacked /32s and alert your NOC.
- Multi-Prefix Monitoring
- BGP Auto-Mitigation
- Smart Detection
Data Centers
Detect volumetric floods targeting hosted customers before they saturate your uplinks.
- Prefix-Level Detection
- FlowSpec Filtering
- Dashboard & Reports
Enterprises
AI-powered detection on your own network — full data sovereignty, no cloud dependency.
- On-Premises Deploy
- Offline License
- Attack Reports
Hosting Providers
Protect tenant IP ranges with automated BGP response and per-customer prefix monitoring.
- Multi-Tenant Prefixes
- Webhook Alerts
- Smart Detection
Ready to Deploy?
Install CoreDetection, point your routers, and start detecting with Smart Detection — dashboard and reports included.