What is nScrub?

nScrub is a “software-based” denial of service mitigation solution that runs on commodity servers and network hardware. This means that the large majority of the logic that stops the attacks runs in software and does not require any highly specialized hardware based on FPGAs or ASICs.

nScrub provides 10GE full line rate mitigation using commodity hardware. This is possible thanks to PF_RING™ ZC (Zero Copy), an open source technology framework released in April 2014 by ntop.org as an evolution of their legacy PF_RING DNA.

nScrub is an application built on top of PF_RING, a flexible packet processing framework that allows nScrub to achieve 1/10 Gbit line rate packet processing (both RX and TX) at any packet size.

What are the prerequisites for running nScrub?

nScrub is Linux software that runs on one or more CPU cores in a standard server. One single CPU will be enough to mitigate 1 Gbps attacks; a standard setup for 10 Gbps looks like this:

  • OS: A Linux server running CentOS, Debian or Ubuntu.
  • CPU: Intel Xeon CPU E3-1230 or higher
  • Memory: 16 GB of RAM
  • Network cards: for 10 Gbps, Intel 82599/X540/X710-based; for 1 Gbps, Intel 82575/82576/82580/I350-based or Intel 8254x/8256x/8257x/8258x-based
  • Packet Processing Framework: PF_RING/ZC drivers installed
  • Mitigation Application: nScrub

How much does it cost to run nScrub?

Apart from the hardware costs (server + network card + SFPs), you will need two different software licenses: PF_RING and nScrub.

If you need support, consider buying a support package from Zeyar too.

A small hosting provider running nScrub with a 10 Gbps ingress port will need an initial investment of 5000 EUR.

The final cost in terms of time invested also depends a lot on your system administration and networking skills.

If you want to run nScrub on a 1 Gbps port, you will need to invest around 2000 EUR.

If you are a not-for-profit organization, all licenses are FREE.

What do the software licenses include?

To run nScrub, you need to obtain two different licenses. The first license is to run the network interfaces in PF_RING Zero Copy. Once you have PF_RING working, you need a license for nScrub, which makes use of those interfaces (it opens the interfaces in ZC mode).

Both licenses (PF_RING + nScrub) give you free updates of the components for one year. Once either license expires, the systems will keep running but you will not be able to run newer versions.

PF_RING licenses cost 2×50 EUR for two 1 Gbps cards and 2×150 EUR for 10 Gbps interfaces.

How is traffic cleaned?

Apart from running the software on a fast packet processing technology, we have designed more than 20 traffic scrubbing mechanisms to deal with the majority of denial of service attacks.

nScrub can handle TCP, UDP, DNS and HTTP-based denial of service attacks. 

Can you handle spoofed traffic?

We do. nScrub mitigates all the 3WHS (3-way handshake) attacks.

How much traffic can it handle?

A standard setup can clean multi-vector attacks at 10 Gbps full line rate. If you need to handle larger amounts of traffic, nScrub can also be operated as a cluster.

Can I integrate nScrub with other solutions?

Yes, nScrub comes with a fully documented REST API that allows you to configure and monitor the attacks. If you run sensors in your network, such as honeypots or IDSs, you can easily integrate them into an nScrub-based architecture. In our deployments we have integrated nScrub with real-time attack recordings, BGP offramping and nullrouting, CDNs…

Has anyone done this before?

There are a few interesting initiatives based on monitoring network flows to detect attacks and block traffic by means of IP filters or BGP nullroutes. nScrub does not block ALL traffic reaching the victim of an attack; it stops only the bad traffic.

To our knowledge, this is the first project of this nature. We are aware of other similar solutions run by large hosting providers based on other fast packet processing frameworks, but they are not available for others to deploy.

Is this for real?

Yes, we know how difficult it is to evaluate solutions of this type, and how the marketplace seems full of websites without price lists and PowerPoint slides showing the evil growth of attacks. We want to be “game changers”, and that is why we can offer a free license to not-for-profit organizations and researchers that want to independently benchmark nScrub. Please get in touch.