April 3, 2024

Streamlining Cloud Diversion Route Policies for Enhanced Efficiency and Risk Mitigation with Nexusguard Off-Net

Organizations vested with the ownership or management of an Autonomous System (AS) can unlock significant advantages by harnessing Nexusguard Cloud Diversion. This powerful solution provides an all-encompassing shield for their entire IP subnet, ensuring comprehensive and robust protection. To delve deeper into the capabilities and benefits of Nexusguard Cloud Diversion, we invite you to explore our informative Cloud Diversion post. 

Defining the Optimal Route Policy

When faced with the task of mitigating volumetric DDoS attacks, it may be advantageous to embrace new paradigms that redefine network defense. Attacks of such nature are designed to cripple network availability by inundating bandwidth resources. With an unwavering commitment to innovation, we present Nexusguard Off-Net: a cloud diversion route policy that transforms volumetric DDoS attack mitigation. By strategically addressing three pivotal questions, a remarkable breakthrough awaits:

1. Should the under-attack network be announced automatically or manually?

Determining the optimal method for announcing the under-attack network is a critical consideration when mitigating DDoS attacks. Each approach, whether manual or automatic, presents distinct advantages and disadvantages that merit careful evaluation.

(a) Manual Approach

Advantages: Manual verification prior to diversion allows for thorough assessment, ensuring decision-making accuracy. It provides a heightened level of safety in terms of making informed choices.

Disadvantages: Verification delays may occur, particularly during peak attack periods or when experienced engineer support is limited. There is also a potential for human error when configuring the route policy.

(b) Automatic Approach

Advantages: Swift response times and automatic announcement capabilities expedite the mitigation process. Pre-configured settings minimize the risk of human error, streamlining operations.

Disadvantages: The absence of verification raises concerns about potential false positives or negatives. In situations where circumstances change rapidly, the inability to adjust the route policy may limit adaptability.

By carefully considering these factors, organizations can determine the most suitable approach for announcing the under-attack network, striking a balance between promptness and accuracy in their DDoS mitigation strategy.

2. Should all networks be announced or only the under-attack network?

When considering which networks to announce during DDoS attacks, it is vitally important to focus solely on the under-attack network. By selectively announcing this specific network, organizations can effectively segregate the malicious traffic from the rest of their infrastructure. This approach minimizes collateral damage by diverting the risk away from unaffected networks.

However, a pertinent question arises when dealing with a subnet within an aggregated network. In such cases, industry best practices recommend diverting traffic on a per /24 IP prefix basis. This approach aligns with the minimum routable IP block on the Internet and ensures that the under-attack subnet remains separate from the remaining networks within the aggregated block.

By adhering to these strategies, organizations can confidently mitigate DDoS attacks, safeguard their networks, and protect their critical assets against the perils of cyber threats.

3. How should the under-attack network be announced?

Determining the optimal method for announcing the under-attack network requires careful consideration. To effectively announce the network, organizations are advised to adhere to the following key steps:

Peer with NXG (ASN45474) via eBGP: Utilize the Border Gateway Protocol (BGP) to announce the under-attack network to Nexusguard (ASN45474). This establishes the necessary communication path for traffic diversion and mitigation.

Announce as /24: Specifically announce the under-attack IP network with a /24 bit mask. This level of granularity allows for precise routing and ensures that the diverted traffic is accurately separated from other network segments.

Establish the return path: Construct a secure return path for the diverted traffic by utilizing a GRE (Generic Routing Encapsulation) tunnel or a smart tunnel. This ensures that the traffic is efficiently routed back to its intended destination.

Priority of specific /24 announcement: Give preference to the more specific /24 IP prefix announcement over the aggregated announcement used for peacetime traffic. Because Internet routers select the longest matching prefix, the /24 announced via Nexusguard draws only the under-attack traffic, while the aggregate continues to carry the remaining networks along their normal path.

Withdrawal of peacetime announcement: It is not necessary to withdraw the announcement for the aggregate network during an under-attack scenario. The focus should instead be on announcing the under-attack network specifically, allowing the peacetime announcement to remain intact.

Adhering to these guidelines allows organizations to effectively announce the under-attack network, optimize traffic diversion, and ensure the seamless continuity of their network operations.

In the battle against volumetric DDoS attacks, network administrators hold the key to establishing an unyielding defense. By delving into a few fundamental questions, they can lay the groundwork for a robust diversion policy, enabling effective mitigation of these destructive threats. This forward-thinking approach embraces proactive resource management, optimizing utilization and fortifying resilience in the ever-evolving realm of cyber threats.

Enhanced Security Made Easy using Nexusguard Off-Net Cloud Diversion Route Policy

Figure 1 - Guidance to Nexusguard Cloud Diversion Policy 

Let's consider the scenario of an Origin Protection (OP) client with IP network addresses in the range of During normal operations, the client's upstream providers receive an announcement of the /22 network via the client's own autonomous system number (ASN 123).

However, when the specific IP prefix comes under DDoS attack, the Cloud Diversion agent takes action. It announces the network to Nexusguard Cloud, which then transmits this announcement to the broader Internet. As the /24 network is more specific than the aggregated announcement for, all traffic destined for is intelligently diverted through Nexusguard's upstream providers, leading to the mitigation centers where attacks are neutralized. Importantly, the routing paths for the remaining IP prefixes, such as,, and, remain unchanged, and they continue to flow through the original peacetime routing path via the OP client's own upstream providers.

By implementing this approach, the under-attack network and the other networks traverse distinct Internet uplinks, ultimately converging at the desired destination. This segregation ensures that the impact of the attack is contained while maintaining the normal functioning of the remaining networks.
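The following Python model is an added example, not Nexusguard's code: it walks through the announcement steps above and the /22-with-/24 scenario using the Internet's longest-prefix matching, showing that announcing the under-attack /24 via AS45474 while leaving the aggregate in place moves only that /24. ASN 123 and ASN 45474 come from the page; the prefixes 10.10.0.0/22 and 10.10.1.0/24 are constructed placeholders for the scenario's elided addresses.

```python
"""Longest-prefix-match walkthrough of the Off-Net diversion policy (added example)."""
import ipaddress

CLIENT_ASN = 123        # OP client's own ASN, as in the scenario
NXG_ASN = 45474         # Nexusguard's ASN, as given on the page
DFZ_MIN_PREFIXLEN = 24  # smallest IPv4 prefix generally accepted on the Internet

# Constructed placeholder for the client's aggregate (the page's real prefixes are elided).
CLIENT_AGGREGATE = "10.10.0.0/22"

def peacetime_rib():
    """Internet view in peacetime: only the aggregate, reached via the client's upstreams."""
    return {ipaddress.ip_network(CLIENT_AGGREGATE): CLIENT_ASN}

def is_announceable(prefix, aggregate=CLIENT_AGGREGATE):
    """Policy check: divert exactly a /24, and only one that lies inside the aggregate."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == DFZ_MIN_PREFIXLEN and net.subnet_of(ipaddress.ip_network(aggregate))

def divert(rib, prefix):
    """Announce the under-attack /24 via Nexusguard; the aggregate is deliberately kept."""
    if not is_announceable(prefix):
        raise ValueError(f"refusing to divert {prefix}")
    new_rib = dict(rib)
    new_rib[ipaddress.ip_network(prefix)] = NXG_ASN
    return new_rib

def withdraw(rib, prefix):
    """Withdraw the /24 after the attack; traffic falls back to the aggregate route."""
    new_rib = dict(rib)
    new_rib.pop(ipaddress.ip_network(prefix), None)
    return new_rib

def origin_for(rib, dst):
    """Longest-prefix match: the most specific covering route decides the path taken."""
    addr = ipaddress.ip_address(dst)
    covering = [net for net in rib if addr in net]
    return rib[max(covering, key=lambda n: n.prefixlen)] if covering else None

if __name__ == "__main__":
    hosts = ["10.10.0.1", "10.10.1.1", "10.10.2.1", "10.10.3.1"]
    rib = peacetime_rib()
    print("peacetime:   ", {h: origin_for(rib, h) for h in hosts})
    rib = divert(rib, "10.10.1.0/24")  # only the attacked /24 moves to AS45474
    print("under attack:", {h: origin_for(rib, h) for h in hosts})
    rib = withdraw(rib, "10.10.1.0/24")
    print("recovered:   ", {h: origin_for(rib, h) for h in hosts})
```

Running it shows the three other /24s inside the aggregate keep origin 123 throughout, and `is_announceable` rejects a /25 or /23 or a prefix outside the aggregate, matching the per-/24 rule in question 2.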

Advantages of Nexusguard Off-Net

Segregated Internet Uplinks

By ensuring that the peacetime and under-attack networks flow through different Internet uplinks, the Off-Net approach minimizes collateral damage and preserves the network quality of the unaffected networks: latency, packet loss, and other performance metrics for the peacetime networks are not degraded by the attack traffic.

Automated Route Announcement

Through full automation, the route announcement process eliminates the requirement for manual adjustments to the peacetime network announcement. This automated approach not only drastically reduces the network team's involvement, mitigating the risk of human errors in route changes, but it also paves the way for a streamlined process that enhances operational efficiency and mitigates risks associated with manual intervention.

Rapid Traffic Diversion 

With Off-Net, traffic diversion occurs almost immediately, barring the BGP convergence time. By swiftly rerouting the under-attack traffic, the mitigation process commences promptly, minimizing the window of opportunity for damage to the network, and mitigating the impact of the attack in a timely manner.

By leveraging these benefits, organizations can successfully mitigate the impact of DDoS attacks, preserve network performance, and bolster operational resilience. The integration of segregated uplinks, automated route announcements, and rapid traffic diversion contributes to a proactive and robust defense against cyber threats.

Nexusguard Cloud Diversion is available to customers using our Origin Protection service. For further information, please read about Nexusguard’s Origin Protection.

Enhance the resilience against volumetric DDoS attacks using Nexusguard Off-Net, a comprehensive solution that leverages segregated Internet uplinks, automated route announcements, and rapid traffic diversion. This innovative strategy not only improves operational efficiency but also mitigates risks associated with manual intervention, ensuring unmatched safeguarding against cyber threats.
