Mitigation Infrastructure & Security Framework
Starflare utilizes a highly resilient global Anycast network combined with custom eBPF/XDP data paths to process and neutralize volumetric and application-layer threats before they impact your hosted environment.
Anycast Edge Infrastructure
Unlike standard unicast setups, where all traffic is routed to one location that becomes a single point of failure, Starflare spreads incoming traffic across dozens of scrubbing nodes. With BGP Anycast routing, incoming packets are processed at the nearest geographical point of presence (PoP).
- Up to 388 Tbps: Global link saturation buffer engineered to absorb modern volumetric attacks.
- < 1ms latency: Hardware accelerated state inspection ensures traffic is cleaned with minimal routing overhead.
- 35+ Hubs: Geographically optimized hubs covering SEA, APAC, Europe, and the Americas.
Magic Transit & BGP Session Integration
Through our custom deployment of Magic Transit protocols, we advertise your IP prefixes via Border Gateway Protocol (BGP) from our network edge. All IP traffic targeted toward your subnet is dynamically ingested into our global filtering network.
For enterprise users, BGP session establishment is available directly at our local switches. When a volume surge is detected, our routers execute automated prefix dampening and BGP FlowSpec rules to drop amplification attacks directly on the upstream links of our parent carriers.
flowspec {
    route-filter 198.51.100.0/24 {
        match destination 198.51.100.12/32;
        match protocol udp;
        match destination-port [ 1194 19132 ];
        then traffic-rate-limit 0; // Drops volumetric reflection payloads instantly
    }
}
Layer 3 & 4 Scrubbing Engines
Most standard attacks rely on low-level protocol abuse such as TCP SYN floods, UDP amplification, and ICMP saturation. Our hardware-embedded stateless and stateful engines inspect all protocol flags directly at the interface line card to validate that traffic conforms to transport protocol standards.
SYN Flood Validation
Intercepts TCP SYN frames using stateless cookie hashing, validating the sender through a standard challenge before any connection is passed on to physical compute instances.
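
The stateless cookie idea described above, as an added example (not Starflare's code): the SYN-ACK sequence number is derived from a keyed hash of the connection tuple, so the edge stores nothing until a sender returns it in a valid ACK. The 8-bit time slot, the 24-bit hash width and the age limit are assumptions, and the MSS/option encoding of production SYN cookies is left out.

```c
#include <stdint.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 over n 64-bit words, keyed with the 128-bit secret k. */
static uint64_t siphash24(const uint64_t *m, int n, const uint64_t k[2])
{
    uint64_t v0 = k[0] ^ 0x736f6d6570736575ULL, v1 = k[1] ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k[0] ^ 0x6c7967656e657261ULL, v3 = k[1] ^ 0x7465646279746573ULL;
    for (int i = 0; i <= n; i++) {
        /* after the data words, the final block carries only the byte length */
        uint64_t w = i < n ? m[i] : (uint64_t)(n * 8) << 56;
        v3 ^= w; SIPROUND; SIPROUND; v0 ^= w;
    }
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

#define COOKIE_MAX_AGE 2u  /* assumed: accept the current and two previous time slots */

/* SYN-ACK sequence number: 8-bit time slot | 24 bits of keyed hash. Nothing is stored. */
uint32_t syn_cookie(const struct flow *f, uint32_t client_isn, uint32_t slot,
                    const uint64_t k[2])
{
    uint64_t m[3] = { ((uint64_t)f->saddr << 32) | f->daddr,
                      ((uint64_t)f->sport << 48) | ((uint64_t)f->dport << 32) | client_isn,
                      slot & 0xff };
    return ((slot & 0xff) << 24) | (uint32_t)(siphash24(m, 3, k) & 0xffffff);
}

/* Final ACK of the handshake: ack_seq - 1 must be a cookie we issued recently.
 * client_isn is the ACK's own sequence number minus one. */
int syn_cookie_valid(const struct flow *f, uint32_t client_isn, uint32_t ack_seq,
                     uint32_t now_slot, const uint64_t k[2])
{
    uint32_t cookie = ack_seq - 1, slot = cookie >> 24;
    if (((now_slot - slot) & 0xff) > COOKIE_MAX_AGE)
        return 0;  /* expired, or claims a slot from the future */
    return cookie == syn_cookie(f, client_isn, slot, k);
}
```

A spoofed source never sees the SYN-ACK, so it cannot produce the matching ACK; only flows that pass `syn_cookie_valid` would be handed to the origin.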
UDP Amplification Shielding
Detects NTP, DNS, Memcached, and SSDP reflection source signatures. Packets violating expected payload lengths or using unrecognized protocol fields are instantly discarded.
Deep Packet Inspection (DPI) & Layer 7
Application-layer attacks imitate real customer behavior to consume scarce application resources. Starflare uses Deep Packet Inspection (DPI) powered by eBPF (Extended Berkeley Packet Filter) technology, running inside our kernel data path, to decode and audit payload fingerprints.
How we achieve Layer 7 security without latency penalty:
- No Userspace Context-Switching: DPI evaluations execute inside isolated kernel memory loops. Zero buffer copies between kernel and userspace modules means high throughput stability.
- Custom Regular Expression Matching: Rapidly decodes HTTP headers, query parameters, URI requests, and raw TCP payload fragments in single-digit microseconds.
- Adaptive Rate Limiting: Tracks individual client connection state machines using highly parallelized eBPF Maps, isolating suspicious devices while maintaining normal parameters for other users.
Custom Game Protocol Filters
Traditional firewalls often drop real-time UDP gaming traffic, mistaking it for a random flood. Starflare uses tailored profile heuristics to decode actual game protocol headers, keeping latency low for your players.
- Validates Minecraft handshakes, ping requests, and packet payload structure limits. Drops malicious bot joins and exploits before they reach the game instance.
- Interprets and shields internal FiveM connection handshakes, heartbeat packets, and client query formats.
- Decodes custom state parameters in RakNet framing to suppress fragmentation amplification patterns targeting game server slots.
- Protects classic games utilizing HL2/CS:GO interfaces. Strictly manages A2S_INFO query loads to filter malicious connection requests.
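
An added example (not Starflare's code) of the A2S_INFO handling in the last item, combined with the per-client state tracking described under Adaptive Rate Limiting: the query is checked against the fixed Source query request format, then charged to a per-source token bucket. The table size, burst and refill values are assumptions, and a plain array stands in for an eBPF map.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { PASS, DROP, NOT_A2S_INFO };

/* A2S_INFO request: FF FF FF FF 'T' "Source Engine Query\0" (25 bytes),
 * optionally followed by a 4-byte challenge (29 bytes). */
static const uint8_t A2S_INFO_REQ[25] = "\xff\xff\xff\xffTSource Engine Query";

#define SLOTS     1024u  /* assumed table size */
#define BURST     5u     /* assumed: queries a source may send back-to-back */
#define REFILL_MS 200u   /* assumed: one query regained every 200 ms */

/* Per-source token bucket; an eBPF data path would keep this in a hash map. */
struct bucket { uint32_t src, tokens; uint64_t last_ms; int used; };
static struct bucket table[SLOTS];

static int take_token(uint32_t src, uint64_t now_ms)
{
    struct bucket *b = &table[(src * 2654435761u) >> 22];  /* top 10 bits pick the slot */
    if (!b->used || b->src != src) {  /* new source, or a colliding one evicts the old */
        b->used = 1; b->src = src; b->tokens = BURST; b->last_ms = now_ms;
    }
    uint64_t gained = (now_ms - b->last_ms) / REFILL_MS;   /* now_ms must be monotonic */
    if (gained) {
        b->tokens = gained >= BURST - b->tokens ? BURST : b->tokens + (uint32_t)gained;
        b->last_ms += gained * REFILL_MS;
    }
    if (b->tokens == 0)
        return 0;
    b->tokens--;
    return 1;
}

/* Verdict for one UDP payload arriving on the game server's query port. */
enum verdict filter_query(uint32_t src, const uint8_t *p, size_t len, uint64_t now_ms)
{
    if (len < 5 || memcmp(p, A2S_INFO_REQ, 5) != 0)
        return NOT_A2S_INFO;  /* leave to the other protocol filters */
    if ((len != 25 && len != 29) || memcmp(p, A2S_INFO_REQ, 25) != 0)
        return DROP;          /* padded, truncated or altered query */
    return take_token(src, now_ms) ? PASS : DROP;
}
```

Malformed queries are dropped before the bucket is touched, so junk traffic cannot consume the query budget of a source that also sends valid requests.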
Interactive Firewall Rules Engine
Control how traffic is screened. Below is a simulation representing how firewall presets act on real-time payload packets in our edge network:
Technical FAQ
How fast does the network automatically mitigate an attack?
Mitigation is dynamic. L3/L4 filtering rules activate instantly at our edge layer once traffic metrics cross custom-defined standard deviation bounds (activation typically completes in under 1 second). No manual engineer response is needed.
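
An added example (not Starflare's code) of a standard-deviation bound of the kind this answer describes: a running baseline of one traffic metric, with a trigger when a sample lies more than k standard deviations above it. The warm-up length, the choice of k and the sigma floor are assumptions.

```c
/* Running baseline of one traffic metric, e.g. packets per second to a prefix
 * (Welford's algorithm: mean and sum of squared deviations). */
struct baseline { double mean, m2; unsigned n; };

#define WARMUP 8u  /* assumed: samples learned before any verdict is given */

/* Returns 1 when pps lies more than k standard deviations above the baseline.
 * min_sigma is a floor so that perfectly flat traffic does not make every
 * small increase look like an attack. */
int surge_detected(struct baseline *b, double pps, double k, double min_sigma)
{
    if (b->n >= WARMUP) {
        double var = b->m2 / (b->n - 1);
        if (var < min_sigma * min_sigma)
            var = min_sigma * min_sigma;
        double d = pps - b->mean;
        /* compare squared values: no sqrt needed in the fast path */
        if (d > 0 && d * d > k * k * var)
            return 1;  /* not learned: a flood must not raise its own threshold */
    }
    b->n++;
    double delta = pps - b->mean;
    b->mean += delta / b->n;
    b->m2 += delta * (pps - b->mean);
    return 0;
}
```

Samples that trigger are kept out of the baseline, so a sustained flood keeps tripping the bound instead of gradually becoming the new normal.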
Can I configure custom rules or whitelist specific API servers?
Yes. Through the Client Portal, users can configure persistent IP and Port level rules, enable or disable protocol filters, and declare explicit CIDR block exemptions to bypass filtering thresholds completely.
Does Starflare support BGP session connections for Dedicated Bare Metal instances?
Yes. Enterprise and Dedicated server deployments support BGP sessions. We allow custom prefix advertising and support custom upstream community parameters for dynamic load management.