Nokia Deepfield Defender stops live DDoS attacks with groundbreaking mitigation

In a recent live demonstration, network architect Dirk Kalkman and his team showcased an impressive Distributed Denial of Service (DDoS) mitigation solution (what they refer to as anti-DDoS), leveraging the advanced Nokia FP5 network processor and Deepfield Defender software. The live demo took place within a production network environment at NL-ix, the largest distributed exchange in Europe.

Meet the experts

Dirk Kalkman, network architect at NL-ix, leading the network evolution focused on cutting-edge security solutions.

Tristan, IT architect from Nikhef, the Dutch National Subatomic Physics Institute, a specialist managing large-scale network traffic for scientific experiments, with deep expertise in packet-level infrastructure.

The challenge: Combating DDoS attacks in real time

DDoS attacks inundate networks with malicious traffic, overwhelming infrastructure and causing outages. The key to successful mitigation is distinguishing legitimate traffic from attack packets — with precision and speed — without disrupting normal operations.

Dirk explains:
"You need to allow legitimate flows while blocking harmful traffic flooding your link, requiring granular filtering supported by a powerful processor capable of handling hundreds of thousands of access list entries."

The Nokia DDoS solution: FP5 silicon and Deepfield Defender

Initially, NL-ix deployed Nokia FP5-based routers across their network for speed, scalability and performance. However, NL-ix now also uses the Nokia routing technology for network security. The combination of the Nokia FP5 network processor and Deepfield Defender software creates a “perfect marriage.” The Nokia FP5 chip efficiently blocks traffic by using access control list (ACL) entries in hardware for IP filtering, while Deepfield Defender’s AI and machine learning algorithms detect DDoS attack patterns quickly and accurately, and dynamically orchestrate mitigation by managing IP filters to be applied.

This approach automates what would otherwise be a monumental task — manually detecting and redirecting malicious traffic flows, which is costly, inefficient, and service-impacting. 

The team launched a real DDoS attack against the test network “Decco,” which normally carries about 1 Gbps of legitimate VPN traffic. The attack randomized every packet field to simulate complex DDoS traffic.

Within seconds:

  • Deepfield Defender quickly detected the anomaly and installed 283 filters (ACL entries) inline at the ingress port.
  • Malicious packets were dropped before reaching customers.
  • Legitimate traffic continued to flow uninterrupted.
  • Hardware acceleration ensured zero added latency or packet recirculation.
  • IP filters were dynamically removed as traffic normalized.

Key benefits highlighted

  • Inline mitigation: Unlike traditional methods relying on traffic rerouting or scrubbing centers, this solution integrates seamlessly with existing infrastructure.
  • Massive scale: Supports up to 800 Gbps customer ports and currently 50 Tbps total exchange connected capacity.
  • Full automation: Uses intelligent databases and automated logic—no manual tuning needed.
  • Proven resilience: Tested in production for nearly 3 years and in red team exercises, including controlled tests against critical infrastructure targets under government-sanctioned “attack licenses.”

Behind the scenes: Deployment and operation

The infrastructure behind the scenes was easy to deploy. Two on-premise Deepfield servers host Deepfield Defender, a software application that analyzes network telemetry data, including sampled mirrored packets of IP traffic (1 in 10,000 packets). Defender is updated hourly with the latest information from Deepfield Secure Genome®, a live “security map of the internet,” to stay ahead of new botnets and attack variants. The Nokia FP5-based IP routing infrastructure that was already in place provided the network-based mitigation.
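The detect, install and remove loop described above, as an added sketch that is not Nokia's or NL-ix's code: it scales 1-in-10,000 packet samples to estimated bit rates, refuses to act on estimates built from too few samples, and installs or withdraws drop filters with hysteresis. The signature grouping, thresholds, error bound and sample records are assumptions; the article does not describe Defender's detection logic.

```python
import math
from collections import defaultdict

SAMPLING_RATE = 10_000  # 1-in-10,000 packet sampling, as stated in the article

def estimate(samples, window_s):
    """Scale sampled packets up to {signature: (estimated_bps, rel_error)}.

    The (dst, proto, sport) signature is an assumed grouping for illustration.
    rel_error is the approximate 95% bound 1.96/sqrt(n) for n samples.
    """
    count, octets = defaultdict(int), defaultdict(int)
    for s in samples:
        key = (s["dst"], s["proto"], s["sport"])
        count[key] += 1
        octets[key] += s["length"]
    return {k: (octets[k] * 8 * SAMPLING_RATE / window_s,
                1.96 / math.sqrt(count[k])) for k in count}

class FilterTable:
    """Drop filters with install/remove hysteresis (thresholds are assumed)."""

    def __init__(self, install_bps, remove_bps, max_error=0.25):
        self.install_bps, self.remove_bps = install_bps, remove_bps
        self.max_error = max_error
        self.active = set()

    def update(self, estimates):
        """Return (installed, removed) signatures for one telemetry window."""
        install = {k for k, (bps, err) in estimates.items()
                   if bps >= self.install_bps and err <= self.max_error}
        remove = {k for k in self.active
                  if estimates.get(k, (0.0, 0.0))[0] < self.remove_bps}
        installed = sorted(install - self.active)
        self.active = (self.active | install) - remove
        return installed, sorted(remove)

def pkts(n, sport, length, dst="192.0.2.10", proto=17):
    """Build n constructed sample records (not captured traffic)."""
    return [{"dst": dst, "proto": proto, "sport": sport, "length": length}] * n

# Constructed 10-second windows: ~1 Gbps of VPN traffic, then a flood on top.
VPN, FLOOD = pkts(89, 4500, 1400), pkts(2000, 40000, 468)

if __name__ == "__main__":
    table = FilterTable(install_bps=2e9, remove_bps=5e8)
    print(table.update(estimate(VPN + FLOOD, 10)))  # flood signature installed
    print(table.update(estimate(VPN, 10)))          # removed once it subsides
```

The gap between the install and remove thresholds keeps a filter from flapping when a signature hovers near one limit, and the sample-count gate keeps a handful of large sampled packets from triggering a filter on their own.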

This pilot demo marks a significant milestone with production-ready Layer 2 mitigation of DDoS. 

Final thoughts

The deployment of Nokia Deepfield Defender with the Nokia FP5-based IP routers showcases how intelligent software, paired with specialized hardware, accelerates real-time, large-scale DDoS mitigation. This powerful combo empowers carriers and exchanges to protect customers proactively, minimizing operational overhead and maintaining seamless network performance.

Mark Vanderhaegen

About Mark Vanderhaegen

Mark Vanderhaegen leads business development in the European region for the Nokia Webscale business unit. Mark is passionate about new technologies and the impact that these new technologies can have on the broader Webscale and datacenter ecosystem. Over his 25+ years in the telecom industry, Mark has enjoyed working in multiple engineering and business development roles for multiple companies all over the world, which has shaped a broad and comprehensive view of the webscale and telecommunication market. He holds a Master's degree in Electromechanical Engineering and Automation.
