DDoS Protection

DDoS protection on NetActuate is integrated directly into the BGP and anycast infrastructure. Rather than existing as a separate service, DDoS rules are attached to your BGP and anycast groups, so mitigation actions are applied at the network level where your traffic enters.

Rules

The Rules tab shows the DDoS rules active on your account. This view is read-only — DDoS rules are configured and managed by the NetActuate operations team. To request changes to your DDoS rules, open a support ticket or contact your account manager.

Each rule specifies:

  • Action on attack detection — what mitigation to apply when an attack is identified (e.g., scrubbing, rate limiting, blackholing)
  • Action on attack conclusion — what to do when the attack ends (e.g., restore normal routing)
  • Assigned prefixes — which IP prefixes the rule applies to

Rule Scope

DDoS rules can be applied at three levels:

  • Account-level default — applies to all prefixes unless overridden by a group-level rule
  • Per BGP group — overrides the account default for all prefixes in that BGP group
  • Per Anycast group — overrides the account default for all prefixes in that anycast group

This layered approach lets you set a sensible default for your account and then customize behavior for specific groups that have different traffic profiles or sensitivity requirements. Work with the NetActuate operations team to configure the right rule scope for your infrastructure.

Analytics

The DDoS Analytics view provides a summary of attack traffic across your infrastructure:

  • Total Traffic — aggregate attack traffic volume
  • Total Packets — total packets associated with detected attacks
  • IP Sources — number of unique source IP addresses involved in attacks

Attacks

The Attacks tab provides a historical log of all DDoS attacks detected against your prefixes. Each entry in the log links to a detailed attack report.

Attack Detail

Clicking an individual attack opens a detailed breakdown with the following metrics:

  • Total Traffic — aggregate volume of attack traffic
  • Peak Traffic — maximum traffic rate during the attack
  • Total Packets — packet count for the attack duration
  • Total IP Sources — number of unique source IPs involved

The detail page includes additional analysis panels, all measured in packets per second:

  • PPS by Protocol — breakdown of attack traffic by protocol (TCP, UDP, ICMP, other)
  • Top Source IPs by Protocol — the top 10 source IP addresses for each protocol
  • TCP Flags — distribution of TCP flag combinations in attack traffic
  • Top Countries — geographic origin of attack traffic
  • Top ASNs — autonomous systems originating the most attack traffic
  • Top Source Ports — most common source ports
  • Top Destination Ports — most targeted destination ports
  • Source IP/Port Pairs — specific source combinations generating the most traffic
  • Top Flows — highest-volume individual traffic flows

Best Practices

Use anycast for automatic geographic distribution

Anycast spreads traffic across multiple locations. During a DDoS attack, the traffic is distributed across all anycast locations rather than concentrated at a single point, reducing the per-location impact.

Layer your defenses

Combine network-level mitigation (DDoS rules on your groups) with host-level firewall rules and application-level rate limiting for comprehensive protection.

Review attack reports

After any mitigation event, review the attack detail page. The protocol breakdown, source ASNs, and top flows data help you understand the attack vector and inform future rule adjustments — share these findings with the NetActuate team when requesting rule changes.
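One way to turn the attack detail panels into findings for a rule-change request, as an added example that is not NetActuate code. The report layout, the thresholds and the `triage` function are assumptions made for illustration; this page does not describe an export format, so the figures are entered by hand from the panels.

```python
# Added example: report layout is constructed, not a NetActuate export format.

# UDP services commonly abused as reflectors, keyed by the source port seen in attack traffic.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Assumed thresholds for this example; tune them to your own traffic.
PORT_SHARE, FLAG_SHARE, ASN_SHARE = 0.5, 0.8, 0.5

def share(counts, key):
    """Fraction of the listed entries' PPS attributable to `key`."""
    total = sum(counts.values())
    return counts.get(key, 0) / total if total else 0.0

def triage(report):
    """Turn per-panel PPS figures into findings worth attaching to a rule-change request."""
    findings = []
    proto = report["pps_by_protocol"]
    dominant = max(proto, key=proto.get)
    findings.append(f"dominant protocol: {dominant} ({share(proto, dominant):.0%})")

    if dominant == "UDP":
        # Reflected traffic arrives from the abused service's port.
        ports = report.get("top_source_ports", {})
        for port in sorted(ports):
            if port in REFLECTOR_PORTS and share(ports, port) >= PORT_SHARE:
                findings.append(f"likely {REFLECTOR_PORTS[port]} reflection (source port {port})")
    elif dominant == "TCP":
        # Keys are flag combinations, so "SYN" means packets with only SYN set.
        flags = report.get("tcp_flags", {})
        for flag in ("SYN", "ACK"):
            if share(flags, flag) >= FLAG_SHARE:
                findings.append(f"likely {flag} flood ({flag}-only packets dominate)")

    asns = report.get("top_asns", {})
    if asns:
        top = max(asns, key=asns.get)
        if share(asns, top) >= ASN_SHARE:
            findings.append(f"source concentration: AS{top} ({share(asns, top):.0%} of listed ASNs)")
    return findings

# Constructed sample; ASNs are from the documentation range (RFC 5398).
SAMPLE = {
    "pps_by_protocol": {"TCP": 5000, "UDP": 90000, "ICMP": 3000, "other": 2000},
    "top_source_ports": {123: 70000, 53: 15000, 443: 5000},
    "top_asns": {64496: 60000, 64497: 20000, 64498: 20000},
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The shares are computed over the entries listed in each panel, not over all attack traffic, so treat the percentages as relative to the top-N view.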


Need Help?

Contact support@netactuate.com or open a support ticket from the portal.