Anti-DDoS solution

Our anti-DDoS solution consists of a number of parts, aimed at real-time monitoring and protection via mitigation.

Mitigation – also referred to as the carwash method – uses a number of filters that separate the regular traffic from the traffic originating from botnets and hijacked browsers. This is achieved by comparing the signatures, and by thoroughly examining the various parts of the traffic such as IP addresses, cookie variations, HTTP headers and JavaScript footprints.

Our solution is different from the approaches used by others. This is because it is positioned in-line, whereby all traffic passes through the filters. So, what’s the biggest advantage for you? DDoS attacks are detected more quickly, and the traffic never has to be re-routed to other – unknown – servers.

Nucleus - DDoS

Threat Defense

Threat Defence blocks a very wide range of DDoS attacks without endangering the connectivity of ‘friendly’ traffic. It has been designed to detect both a large amount of network attacks (on layers 3 and 4) as well as reflective amplified spoof attacks. Threat Defence can even find application layer attacks (on layer 7), which often are too small to detect with other solutions.

Network Forensics

DDoS attacks evolve continuously. The protection against them must evolve accordingly. The discovery of new types of attacks is the only way to endure full control. Network Forensics provides remains vigilant 24/7, and supports 10 Gbps rate Packet Capture. So, security incidents are examined better and faster.

Network Bypass

The availability of your network is the key to your presence on the Internet. Thanks to the Network Bypass functionality, you avoid downtimes during maintenance or possible electric infrastructure failures.


Type of DDoS attackOur solution protects against
Volumetric DDoS attacks
  • TCP flood attacks
  • HTTP GET/POST floods
  • UDP flood attacks
  • UDP fragmentation attacks
  • ICMP floods
Reflective DDoS attacks
  • NTP Monlist Response Amplification
  • SSDP/UPnP Responses
  • SNMP Inbound Responses
  • Chargen Responses
  • Smurf Attack
  • Fraggle Attack DNS
  • DNS Amplification
Resource Exhaustion DDoS attacks
  • Malformed and Truncated Packets (e.g. UDP Bombs)
  • IP Fragmentation/Segmentation AETs
  • Invalid TCP Segment IDs
  • Bad checksums and illegal flags in TCP/UDP frames
  • Invalid TCP/UDP port numbers
  • Use of reserved IP addresses
  • Slow HTTP requests (from tools like Slowloris, RUDY, Slowread)
Other DDoS attacks
  • Command and Control Operations
  • Tunnel Inspection (GRE, MPLS etc.)
    • GRE, MPLS etc.
  • NTP Monlist Requests
  • Whitelisting
  • Known malicious IP Addresses (botnets, scanners, anonymization services, phishing sites, spammers)
  • Customized Protection with
    • IP Reputation and Geolocation Policies
    • Blacklisting of IP Addresses
    • Port address range filters (provides protection for generic TCP/UDP port based
    • Rate Limiting Policies
  • Flex-Rule – Programmable filters based on the Berkley Packet Format (BPF) syntax.  These can be programmed to address a variety of attack categories volumetric, reflective through to attacks leveraging specific payloads (Teamspeak, RIPv1, netbios).
  • Smart-Rule – Heuristics based engine leverages heuristics and behavioral analysis to track and rate limit L1-L4 attacks

Nucleus - Uptime as a Service

Our strengths

  • High-quality solutions
  • Valuable tailor-made advice
  • Fierce and transparent guarantees
  • An ISO 27001 certification for data security
  • Years of experience in the field of hosting
  • All servers are hosted in Belgium
  • An independent, financially healthy and growing company
  • Transparent, honest and proactive communication