NSH​aRP Process

All networks are seeing a rise in malicious attacks with hackers from around the world seeking to penetrate or disrupt network services.  These attacks not only cause delays and affect users of the networks but can often be used by hackers to cloak more aggressive threats.  Of these Distributed Denial of Service (DDoS) attacks can be some of the most visible and hardest to counter but there are many different security threats that NRENs need to be able to identify and defend against.

GÉANT has implemented a range of functions and facilities to help support NRENs in identifying, tracking and mitigating against anomalous traffic patterns.

The NSHaRP process encompasses all the necessary tools for incident detection and response offering  a range of capabilities from detection and automatic alerting to mitigation and investigation, to quickly and effectively inform affected users and to manage the mitigation process.

NSHaRP extends the NRENs’ detection and mitigation capability across into the GÉANT network and to its borders with other networks, therefore enabling the attack to be mitigated before it transits the GÉANT network. This is a highly innovative and unique security service in that it caters for different requirements from each NREN, by enabling the customization of their NREN specific alerts in their hands.

NSHaRP capabilities

Detection and Alerting

Automated anomaly alerts  Interested NREN can subscribe to automated anomaly alerts to receive e-mail alerts when its infrastructure is affected by an event they classified as malicious. A ticket is automatically created with the GOC in pending auto-close state which automatically closes after 5 days if no response is received. NREN can request blocking, further investigation or monitoring of the event.


Firewall on Demand – NRENs with eduGAIN access can subscribe to FoD (Firewall on Demand) to allow themselves to propagate flowspec rules to GÉANT Project backbone network against their administrative IP space when a D(D)oS attack takes place. Alternatively, they can open a ticket with GOC to apply flowspec rules on their behalf.

Remote Trigger to Blackhole – All European NRENs can use BGP community 20965:0008 to advertise single IPv4 or IPv6 destination addresses from within their administrative IP space to GÉANT to discard any traffic on GÉANT borders in the case of a severe D(D)oS attack. Once again, alternatively, NREN can open a ticket with GOC to apply RTBH rules on behalf of the NREN.