Client Area
Votion Edge Simulation Node
SecurityDDoSLunarShield

LunarShield v4: Mitigating Multi-Terabit DDoS Attacks at the Edge

A
ASWANTH S
SYSTEM CONTRIBUTOR
5 min read

Volumetric attacks are no longer simple floods of TCP SYN packets. Modern threat landscapes are dominated by distributed, multi-vector botnets capable of launching application-layer HTTP attacks combined with custom UDP reflection payloads.

In this deep dive, we break down LunarShield v4, the proprietary traffic scrubbing pipeline that sits in front of all Votion Cloud deployments.


The Threat Landscape: Volumetric vs. Application Layer

DDoS attacks generally fall into two categories:

  1. Volumetric Attacks: UDP/ICMP floods designed to saturate physical transit ports. Typical volumes range from 500Gbps to over 2.5Tbps.
  2. State-Exhaustion & Application (L7) Attacks: Sneaky HTTP/S request floods targeting specific API routes to deplete database connection pools or CPU cycles.

Traditional cloud setups scrub traffic by routing it to external security scrubbing centers, adding 50ms to 120ms of routing latency. LunarShield eliminates this penalty by scrubbing traffic directly at our edge servers.


Edge scrubbing via eBPF and SmartNICs

LunarShield runs directly on our edge routers’ SmartNICs using customized eBPF bytecode. When a volumetric attack is detected, the mitigation rule is compiled into machine instructions and loaded into the network card’s processing unit.

graph LR
    Internet[Public Internet] --> Edge[Edge Switch]
    Edge --> SmartNIC["SmartNIC (LunarShield Engine)"]
    SmartNIC -->|Malicious: Drop| Blackhole[Null Route]
    SmartNIC -->|Clean Packet: 0ns latency| Core[Compute Core]

By pushing packet filtering to the SmartNIC layer:

  • We can drop up to 100 million packets per second per server without waking up the main CPU cores.
  • Mitigation rules activate in under 1.2 milliseconds from initial threat signature detection.
  • End-user services remain online, completely unaware of the threat vector.

Zero-Day WAF Engine

For Layer 7 HTTP attacks, LunarShield utilizes a lightning-fast Rust-based Web Application Firewall (WAF). It performs real-time pattern matching on HTTP request headers, query strings, and payloads using optimized regex engines.

Because the WAF compiles rules into native code, processing overhead is limited to 0.08 milliseconds per request, ensuring your API remains blazing fast even under active mitigation.