combahton Blog


Bleiben Sie über unsere Entwicklung auf dem Laufenden.


Go back

Building highly flexible DDoS-Filters

Since 2017, we’re running Version 2 of our inhouse built DDoS-Protection Appliance called „flowShield“. flowShield heavily relies on the netmap framework and uses multiple stages to clean incoming ddos traffic by static and dynamic filters.

Due to the rising need of flexibility, such as deploying own filtration rules, we had decided to start with the development of flowShield v3.

How does flowShield v3 compare to v2?

flowShield v2 is mostly static code, beside the fact it has capabilities to dynamically respond to attacks, e.g. by authenticating TCP SYN / SYN-ACK packets or identifieng spoofed UDP packets.

flowShield v3 extends it’s previous generation by several newly developed capabilities, such as:

  • Dynamic applicable rules
  • Regulary exported statistics

Dynamic applicable rules

flowShield v3 is capable of matching so called „flexrules“, which are fully blown packet matching filters. flexrules can be utilized to create rules like „Drop all UDP traffic for Destination IP 192.168.178.1“ or „Allow all TCP traffic from AS30823 (using GeoIP), but not more than 1000 packets per second“.

Possible match criteria are:

  • Source-IP
  • Destination-IP
  • Protocol (TCP/UDP/ICMP)
  • Source-Port
  • Destination-Port
  • GeoIP Country
  • GeoIP AS Number
  • Packet Payload (Regex)
  • Packet Size (from-to match)


Whereby, flowShield v3 allows to handle a packet with the following actions:

  • Accept packet
  • Discard packet
  • Ratelimit packet

We will make flexrules available within customer area and by API.

Regulary exported statistics

flowShield v3 ships a inbuilt statistics service, which regulary pushes statistical data such as a connection log towards a central analyzation application, which analyzes the received data encapsulated as udp packets. The newly developed service operates as additional thread, which allows a lockless, periodic export.

Statistical data can be used to provide insight such as accept/discard graphs or for example a DDoS Heatmap, representing top source regions for bad and clean traffic.


We’re looking forward to release flowShield v3 shortly, once all functionality is fully implemented and excessively tested.


© 2015-2020 combahton GmbH - Preise in Netto zzgl. 16% MwSt.