Modern IP networks operate at a scale where abnormal traffic patterns can emerge faster than operators can react. Sudden traffic spikes, protocol floods, or unexpected shifts in packet behavior may indicate misconfigurations, malfunctioning systems, or malicious DDoS activity. Detecting such anomalies early and responding to them consistently is critical to maintaining network stability.
With IRP v4.3, Noction introduces Automatic Anomaly Detection (AAD), a new capability designed to continuously analyze traffic behavior, detect deviations from normal patterns, and trigger automated mitigation actions when needed. This feature extends IRP’s role beyond traffic optimization into proactive network protection, tightly integrated with existing routing and control mechanisms.
Automatic Anomaly Detection is a behavior-based traffic analysis engine integrated into IRP 4.3. It continuously evaluates traffic patterns and identifies deviations from established baselines that are characteristic of attacks or operational anomalies.
Unlike traditional threshold-based detection, which relies on fixed values, AAD evaluates how traffic behaves over time. This allows IRP to detect anomalies that may not exceed absolute thresholds but still represent a significant deviation from normal behavior.
The primary objective of AAD is to preserve service availability by detecting and mitigating volumetric and protocol-level attacks before they impact critical infrastructure.
Automatic Anomaly Detection is implemented as a dedicated service within the IRP ecosystem, operating in close coordination with existing components.
At a high level, the process follows a continuous detection-to-mitigation loop:
This design keeps anomaly detection tightly coupled with routing control, eliminating delays caused by external handoffs.
AAD continuously analyzes the flow records it receives. These records provide visibility into packet rates, protocol distribution, port usage, and traffic concentration patterns.
Instead of comparing traffic against fixed thresholds, AAD builds adaptive baselines that reflect normal network behavior. Sudden deviations – such as spikes in packet rate, protocol abuse, or traffic amplification – are flagged as potential anomalies.
One of the challenges in anomaly detection systems is avoiding false positives. Overly aggressive detection can lead to unnecessary mitigations, while overly relaxed settings may miss real issues.
IRP’s Automatic Anomaly Detection is designed with configurable sensitivity and built-in stabilization logic. This allows operators to tailor detection behavior to their traffic profile while ensuring that short-lived fluctuations do not immediately trigger reactions.
By analyzing sustained deviations rather than momentary spikes, AAD balances responsiveness with operational safety – an approach commonly recommended in large-scale traffic analysis systems.
Automatic Anomaly Detection in IRP 4.3 is capable of identifying a wide range of attack patterns commonly observed at the network edge.
These include volumetric amplification attacks targeting open services such as DNS and NTP, where small queries generate disproportionately large responses that overwhelm the victim.
Protocol-level floods are also detected, including UDP floods, TCP SYN floods that exploit handshake state, and ACK floods designed to overload stateful devices.
At the application layer, AAD can identify HTTP and HTTPS floods that mimic legitimate client behavior but exhaust server or network resources.
Infrastructure-focused attacks such as SSH floods and ICMP-based amplification (including Smurf-style attacks) are also within detection scope.
Automatic Anomaly Detection is designed to recognize behavioral signatures of attacks rather than relying on static thresholds. This allows IRP to respond effectively to a broad spectrum of threats that manifest differently at the traffic level.
Volumetric floods attempt to overwhelm links and forwarding capacity through sustained packet or bandwidth surges. AAD detects these attacks by identifying sharp, persistent deviations in packet rate or traffic volume relative to historical baselines. Once confirmed, IRP can suppress malicious traffic upstream using routing-based filtering or traffic isolation.
Amplification attacks exploit third-party services to generate disproportionate traffic toward a victim. AAD identifies these attacks by observing asymmetric traffic patterns, protocol concentration on known amplification vectors, and sudden inbound traffic growth without corresponding outbound requests. Mitigation is applied using FlowSpec to drop attack traffic while selectively preserving legitimate flows.
State-exhaustion attacks target connection tables and control-plane resources rather than raw bandwidth. AAD detects SYN floods through abnormal TCP flag distributions and incomplete handshake patterns, while ACK floods are identified by unsolicited acknowledgment traffic inconsistent with established sessions. Accurate flow telemetry enables IRP to apply targeted mitigation before downstream devices are impacted.
UDP-based attacks generate large volumes of stateless traffic toward specific ports or services. AAD detects abnormal protocol distribution and packet rate spikes, allowing IRP to filter or limit malicious traffic using granular routing rules.
HTTP and HTTPS floods aim to exhaust server or backend resources while appearing legitimate. AAD detects these attacks by identifying abnormal session initiation rates, traffic concentration toward specific destinations, and deviations from normal application behavior. Routing-level mitigation reduces load on the application infrastructure and limits the attack impact.
Services such as SSH and ICMP are common attack targets. AAD detects abnormal connection attempts or protocol misuse and suppresses malicious traffic before it reaches sensitive infrastructure components.
Across all attack types, the key advantage of AAD is its behavior-based detection model, which remains effective even as attack techniques evolve.
Detection without response provides limited protection. Once an anomaly is confirmed, IRP executes mitigation using industry-standard BGP mechanisms, ensuring compatibility with existing routing infrastructure.
IRP supports both operator-assisted and fully automated operating modes.
In moderated mode, IRP generates a recommended mitigation action and presents it in the Global Management Interface for operator approval. In automated mode, mitigation is applied immediately once detection criteria are met, providing the fastest possible response to volumetric threats.
Mitigation actions leverage established BGP techniques such as Remote Triggered Blackholing and BGP Flow Specification.
FlowSpec-based mitigation allows for highly granular filtering, enabling IRP to drop only the malicious traffic while allowing legitimate traffic to continue flowing.
Accurate detection depends on high-quality telemetry. For precise identification of certain attack types – particularly TCP SYN and ACK floods – IRP benefits from flow records that include TCP flags.
This additional visibility allows the detection engine to differentiate between normal connection behavior and state-exhaustion attacks with a high degree of accuracy.
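To make the two ideas above concrete, the adaptive baseline with stabilization logic from the earlier detection discussion and the TCP-flag telemetry just described, here is an added example that is not Noction's or IRP's code. The flow-record tuple layout, the EWMA baseline, the "freeze while anomalous" rule and all sample records are assumptions constructed for the illustration; it shows a one-window burst being ignored while a sustained SYN flood is confirmed on both packet rate and half-open share.

```python
# Added example (not Noction's code): a behaviour-based detector in the spirit of the
# AAD description above. The flow-record layout is assumed and all records are constructed.
from collections import defaultdict

SYN, ACK = 0x02, 0x10      # TCP flag bits as exported in NetFlow/IPFIX tcp_flags fields

def per_window_metrics(records):
    """Aggregate (window, ip_proto, packets, tcp_flags) flows into per-window metrics:
    total packets, and the share of TCP flows that are half-open (SYN seen, no ACK)."""
    pkts, tcp, half_open = defaultdict(int), defaultdict(int), defaultdict(int)
    for w, proto, n, flags in records:
        pkts[w] += n
        if proto == 6:                                   # TCP
            tcp[w] += 1
            if flags & SYN and not flags & ACK:
                half_open[w] += 1
    windows = sorted(pkts)
    return {"pps": [(w, pkts[w]) for w in windows],
            "half_open_share": [(w, half_open[w] / tcp[w] if tcp[w] else 0.0) for w in windows]}

def sustained_deviations(series, k=3.0, min_windows=3, alpha=0.2, floor=0.1):
    """Windows at which a metric is confirmed to sit more than k std devs above its adaptive
    (EWMA) baseline for min_windows consecutive windows; a one-window spike never confirms.
    The baseline is frozen during a deviation so attack traffic is not learned as the new
    normal; `floor` (a fraction of the mean) stops the std collapsing on flat traffic."""
    mean, var, streak, confirmed = series[0][1], 0.0, 0, []   # first window seeds baseline
    for w, x in series[1:]:
        std = max(var ** 0.5, floor * abs(mean), 1e-9)
        if x > mean + k * std:
            streak += 1
            if streak == min_windows:
                confirmed.append(w)
            continue                                     # anomalous: do not update baseline
        streak = 0
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return confirmed

def constructed_records():
    """Constructed telemetry: steady traffic, a UDP burst in window 8, SYN flood from window 14."""
    recs = []
    for w in range(20):
        recs.append((w, 17, 600 + 10 * (w % 3), 0))              # UDP background
        for i in range(20):                                       # 20 TCP flows, one half-open
            recs.append((w, 6, 20, SYN if i == 0 else SYN | ACK))
        if w == 8:
            recs.append((w, 17, 4000, 0))                         # momentary spike, must not alarm
        if w >= 14:
            recs += [(w, 6, 15, SYN) for _ in range(200)]         # sustained half-open flows
    return recs
```

Running `sustained_deviations` over each series from `per_window_metrics(constructed_records())` confirms the flood in window 16 (third consecutive deviant window) on both metrics, while lowering `min_windows` to 1 would also have alarmed on the harmless burst in window 8.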
AAD also maintains historical records of detected anomalies and applied mitigations, allowing operators to analyze attack trends over time and refine detection strategies.
By mitigating attacks at the edge, IRP reduces the risk of control-plane overload and downstream congestion. Granular filtering minimizes collateral damage, preserving legitimate traffic even during active mitigation.
Automation significantly reduces reaction time and operational overhead, allowing engineers to focus on strategic network management rather than emergency response.
Most importantly, AAD integrates seamlessly into IRP’s routing control framework, ensuring that mitigation actions are consistent with existing policies and safeguards.
Automatic Anomaly Detection in IRP 4.3 represents a significant evolution in edge protection for multi-homed BGP networks. By combining passive traffic behavior analysis with automated, routing-native mitigation, IRP provides service providers with a scalable and resilient defense against modern volumetric and protocol-level threats.
Rather than treating security as an external add-on, IRP embeds detection and response directly into the routing control plane – where it can react fastest and with the greatest precision.
As threat volume and sophistication continue to grow, this integration of anomaly detection and routing automation becomes a critical capability for operating stable, high-performance networks.
For additional details on the Intelligent Routing Platform capabilities, visit the IRP product page or consult the technical documentation.