IVD-N is an architecture for network availability. It looks for coordinated traffic patterns earlier in the path and reduces related hostile activity into one grouped attack object for policy review, rather than treating each attacking source as the unit of defense.
IVD-N is designed to block or rate-limit coordinated malicious traffic before it overwhelms the edge.
IVD-N observes coordinated traffic behavior, turns related traffic into limited policy decisions, and supports filtering earlier in the path where policy and router support allow it.
In plain English, IVD-N creates a compact traffic fingerprint, called a Psi-vector, and groups related hostile behavior into one grouped attack object, called a macro-object. That object can then drive monitor, rate-limit, drop, or withdraw decisions.
Related streams are reduced to one limited decision so the defender does not have to track every source one by one.
The architecture is aimed at carriers, network operators, critical-infrastructure environments, and evaluators studying whether service-preserving coordination can reduce the cost of high-volume malicious traffic.
Scrubbing, inspection, and classifier-heavy approaches often engage after hostile traffic has already formed as a service-impacting object. That keeps cost and recovery burden tied to attack volume.
IVD-N models coordinated malicious traffic as one grouped attack object, or macro-object, with stable behavioral features even when source addresses and superficial indicators change.
The architecture emphasizes limited, auditable decision state rather than endless source enumeration. That shift is essential to improving defensive cost scaling.
Once pattern confidence is established, policy and FlowSpec coordination can support suppression in the routing fabric before traffic reaches the protected service. The objective is to act before service collapse, not merely to recover afterward.
Identity-aware exception handling helps preserve legitimate service behavior, maintenance paths, and operational continuity while adverse patterns are constrained. Relief paths are part of the design so mitigation can stay limited without becoming blind to legitimate traffic.
SIL relief governance was exercised in staged IVD-N validation. A valid signed relief request was accepted within policy, an invalid signature was rejected, and cleanup confirmed no router state was changed.
SIL does not put identity into BGP. SIL informs the Policy Engine, which may then adjust router-enforceable rules within operator policy.
These results support controlled-scope SIL governance claims. They do not claim universal preservation of all legitimate production traffic or live production router mutation.
Limited state, explicit and repeatable rule installation and withdrawal after policy evaluation, and a documented mitigation path create an auditable evaluation posture suitable for structured review. The current claim is controlled-environment validation evidence supporting a TRL-6-style posture within tested scope, not production deployment accreditation.
IVD-N is designed for distributed volumetric traffic patterns, coordinated multi-source behavior, DDoS-style concentration risk, earlier filtering or rate-limiting scenarios, rule lifecycle testing, router-policy safety evaluation, and service-continuity or collateral-damage reduction.
In practical terms, that means observing traffic behavior, creating a compact traffic fingerprint, grouping related abnormal behavior, issuing a limited policy decision, sending a router filtering rule, and then logging and withdrawing that rule when conditions normalize.
Where IVD-N sits
IVD-N does not replace a firewall, scrubbing service, WAF, SIEM, or SOC. It sits where traffic behavior can be observed, grouped, converted into limited policy decisions, and translated into router-enforceable rules where supported.
Telemetry may come from controlled test traffic, PCAP or test harnesses, or operational telemetry sources such as NetFlow, IPFIX, sFlow, or packet and header metadata, depending on deployment.
Broader suppression across providers depends on operator participation, routing policy, and FlowSpec acceptance. IVD does not assume third-party carriers will automatically accept externally originated filtering rules.
Example: from traffic pattern to router rule
- A distributed traffic pattern appears in a controlled test or monitored edge environment.
- The edge sensor creates a compact traffic fingerprint from observable packet, header, and timing behavior.
- Related abnormal behavior is grouped into one limited attack object.
- The Policy Engine chooses monitor, rate-limit, drop, or withdraw.
- The FlowSpec Controller emits a FlowSpec-compatible router filtering rule where supported.
- The rule is logged, time-limited, and withdrawn when conditions normalize.
- Evidence records are retained for review.
This is a representative controlled-environment trace, not a claim of carrier-scale production validation.
What the network-side testing shows.
IVD-N is the network-control side of IVD. It is designed to recognize the shared pattern of a distributed attack, collapse that behavior into one compact attack object, and drive limited router mitigation rules where authorized.
A macro-object means one compact representation of a distributed attack. FlowSpec means a standard BGP mechanism for sending traffic-filtering rules to routers. Controlled TRL-6 lab scope means tested in a realistic lab environment, not yet production.
Run 16 - macro-object persistence and supporting telemetry
Run 16 recorded 120/120 macro-object windows over approximately 60 seconds in controlled TRL-6 lab scope. Confidence telemetry included minimum 0.8220, median 0.99685, and maximum 0.9999. A mean statistical delta of approximately 0.005692 was also recorded as supporting cross-sensor coherence telemetry.
These figures are supporting lab telemetry, not standalone production or independently validated performance guarantees.
IVD-N controlled evidence summary
| Evidence area | Public-safe statistic | Plain-English meaning | Boundary |
|---|---|---|---|
| Run 16 macro-object persistence | 120/120 windows | The system kept producing the attack object throughout the recorded run. | Controlled lab scope. |
| Run 16 confidence telemetry | median 0.99685 | Supporting confidence data was high in that run. | Supporting telemetry, not certified reliability. |
| Run 05 event-to-rule push | 116.86 ms | Time from macro-object event to rule_pushed. | Not full mitigation time. |
| March Phase 2 | 3/3 T0 detected; 0/0/0 BGP flaps | Repeatable detection and no observed route flaps in that logged test set. | Logged-only TRL-6 mode. |
| March routing stress | P2000/P5000/P10000 convergence 1s; withdrawal 1s | Routing-stress convergence and withdrawal behavior. | Not DDoS mitigation speed. |
Virtual-router FlowSpec lifecycle evidence
| Router environment | Public-safe statistic | Plain-English meaning | Boundary |
|---|---|---|---|
| Arista cEOS | 60 -> 0 -> 60 SYN-style packet-count result | Matching SYN-style traffic appeared, was suppressed while the rule was active, and returned after withdrawal. | Disposable virtual cEOS lab. |
| Arista D5-R | 3/3 repeatability PASS | Three disposable cEOS lifecycle runs repeated successfully. | Virtual-router scope. |
| Cisco C8-K6 | 200/200 -> 200/0 -> 200/200 | Source/victim SYN-style counts showed suppression and restoration in Cisco CML. | Cisco CML raw-socket SYN/SYN-style scope. |
| Juniper J3F-R25-Retry | TCP/443 5/5 blocked; TCP/80 and ICMP preserved; TCP/443 restored RC=0 | Matching traffic was suppressed, nonmatching traffic was preserved, and matching traffic was restored. | vJunos virtual-router scope. |
| Juniper A2 | counter 0 -> 15 packets | Packet counter observation in a qualifying-unicast lifecycle test. | Qualifying-unicast; not SYN-specific. |
Cisco, Juniper, and Arista results are controlled virtual-router evidence. They do not establish production, physical-router, carrier, independent, or TRL-7 validation.
Distributed collection of protocol and flow signals relevant to anomaly formation.
Regional aggregation and invariant extraction for cross-source behavioral coherence.
Cross-region grouped-traffic correlation and suppression decision preparation within a coordination concept.
Limited mitigation logic, exception handling, and operator-governed thresholds.
Routing-fabric enforcement and withdrawal coordination.
Identity-aware relief paths for protected services and approved traffic.
Conventional downstream controls are still useful, but they tend to engage after traffic has already become expensive to absorb. IVD-N shifts the question earlier: can coordinated malicious traffic be represented as one limited object and acted on before the victim edge collapses?
That is why the architecture emphasizes header-derived and statistical behavior, cross-source coherence, and explicit mitigation boundaries. It is not presented as a deep packet inspection platform and it does not claim to replace downstream defenses, remediation, or normal operational resilience work.
Cross-AS mitigation depends on operator participation, policy acceptance, and router support. Single-domain deployment can still provide value by tightening local observation, rule handling, and evidence collection even when broader coordination is not available.
Relevant exploit scenarios are collected in the Exploit / Remedy Card Library, especially the network-device, covert relay, and edge-infrastructure cases.
Boundaries and non-claims
- It does not replace downstream DDoS protection, scrubbing, WAF, firewall, EDR, SIEM, or SOC workflows.
- It does not inspect payload content.
- It does not claim to detect every application-layer attack.
- It does not claim production deployment or carrier-scale validation.
- It does not assume third-party carriers will automatically accept FlowSpec rules.
- It does not claim to prevent named public incidents.
- It does not eliminate the need for operator policy, route controls, and rule-limit governance.
- It does not make router TCAM or platform rule limits disappear.
In boundary terms, IVD-N complements existing downstream defenses. It is meant to reduce the burden of converged attack traffic, not to claim that every network problem can or should be solved exclusively in the routing fabric. FlowSpec and router rule limits are real operating constraints and must be governed in any pilot or evaluation design. The broader threat-model framing is on the Technology page.