Now Available — Open Source

AutomatedAutomated
DDoS MitigationDDoS Mitigation

A BGP FlowSpec policy daemon that bridges the gap between attack detection and router enforcement. Built in Rust.

View on GitHubGet Started
$docker compose up -d

Bridge the gap between
detection and enforcement

You have detectors that know when you're under attack. You have routers that can filter at line rate. prefixd connects them.

Detector → Router
Without

Manual CLI or fragile scripts

With prefixd

Automated policy engine

Response time
Without

Minutes (operator intervention)

With prefixd

Seconds (API-driven)

Safety
Without

Easy to fat-finger, no guardrails

With prefixd

Quotas, safelist, /32-only, TTLs

Visibility
Without

Scattered logs, no audit trail

With prefixd

Dashboard, metrics, audit log

Expiry
Without

Forget to remove rules

With prefixd

Auto-expire via TTL

Key idea: Detectors signal intent, prefixd decides policy. No detector ever speaks BGP directly.

How it works

From detection to mitigation in seconds, not minutes

DetectorFastNetMon, Kentik, etc.
prefixdPolicy Engine
GoBGPRoute Server
RoutersLine-rate filtering

Policy Engine

YAML playbooks define per-vector responses with police or discard actions

Guardrails

Quotas, safelist, /32-only enforcement, mandatory TTLs for safety

Reconciliation

Auto-expires mitigations, repairs RIB drift, fail-open design

Attack Detected

High-volume traffic from multiple sources

Mitigation Applied

FlowSpec rules deployed to edge routers

Features

Everything you need for production DDoS mitigation

Signal Ingestion

HTTP API accepts attack events from any detector

Policy Engine

YAML playbooks define per-vector responses

Guardrails

Quotas, safelist, /32-only enforcement

BGP FlowSpec

Announces via GoBGP with traffic-rate & discard

Reconciliation

Auto-expires mitigations, repairs RIB drift

Dashboard

Real-time web UI with WebSocket updates

Authentication

Three roles: admin, operator, viewer

Observability

Prometheus metrics, structured logs, audit trail

Supported Routers

Juniper
MX, PTX, SRX
Arista
7xxx (EOS 4.20+)
Cisco
ASR 9000, NCS (IOS-XR)
Nokia
SR OS 19.x+
Language
Rust 1.85+
Memory safe & fast
Protocol
BGP FlowSpec
RFC 5575 compliant
License
MIT
Open Source
Quick Start

Get started in under a minute

Four steps to production-ready DDoS mitigation

1

Clone and configure

git clone https://github.com/lance0/prefixd.git
cd prefixd
cp .env.example .env
2

Start the stack

docker compose up -d
3

Create admin account

docker compose exec prefixd prefixdctl operators create \
  --username admin --role admin
4

Open the dashboard

open http://localhost:3000

Running services

ServicePurposePorts
prefixdPolicy daemon8080, 9090
dashboardWeb UI3000
gobgpBGP route server179, 50051
postgresState storage5432

Ready to protect your network?

View Documentation