Deflect’s extensive network of caching servers is built to absorb and mitigate traffic inflicted by sustained DDoS attacks. There are, however, many scenarios in which it is more efficient to actively and accurately differentiate between legitimate and malicious requests in order to further reduce the load on the network.

Previously, Deflect had been using Fail2ban to perform detection and prevention duties. As a simple brute-force prevention tool, Fail2ban cannot offer all the complex preventative tasks required by Deflect. We had planned to extend the tool’s capabilities, but as the attacks grew in strength and complexity, the fundamental shortcomings of Fail2ban became apparent, so we decided to develop our own high-performance, integrated prevention system called Botnet Detection Banning and Prevention, or BotnetDBP for short.

BotnetDBP consists of the following core components:

  • Banjax
  • Swabber
  • Learn2ban
  • Botbanger

The tools are easily configurable by system administrators and provide extensive tuning capabilities for specific scenarios. As the project has been built entirely modularly, it is also possible for the components to be used independently or integrated into new systems.