Protection Status
Is your IP prefix publicly announced?
Confirms your network is visible and reachable on the internet.
Is the prefix configured with your DDoS provider?
Verifies the prefix is onboarded and protected by your DDoS service.
Is traffic actually flowing through the DDoS network?
Ensures traffic is routed through mitigation, not directly to origin.
Is the origin ASN correct?
Checks that the prefix is advertised from the expected ASN.
Is the ROA valid and trusted?
Confirms routing authorization is in place to prevent hijacks.
Posture Exposing Risks
Risky prefix sizes (/24 and larger)
Smaller prefixes (/24 and larger) are easier to abuse and may bypass protections.
RPKI gaps or invalid routes
Missing or invalid RPKI allows unauthorized route announcements.
Origin ASN mismatches
Traffic may be coming from an unexpected or incorrect ASN.
Bogon IP space exposure
Non-routable or reserved IP space is being advertised.
Prefix advertised while bypassing DDoS protection
Traffic can reach the origin without passing through mitigation.
Mitigation Readiness
Real-time BGP routing status
Shows how traffic is actually being routed right now.
Whether the DDoS provider is in the actual AS path
Confirms mitigation is on the live traffic path.
Intent vs Reality
Highlights gaps between planned setup and actual routing.
Amplification Risk
CLDAP
Can be abused to amplify reflection-based DDoS attacks.
SSDP
Exposed devices may reflect large traffic volumes.
DNS
Open resolvers can be misused for traffic amplification.
NTP
Misconfigured servers can significantly magnify attacks.
UDP-based services
Stateless services are easier to spoof and amplify.
Publicly reachable amplifiers increasing attack scale
Open services can multiply attack traffic toward targets.