We are excited to announce this new release of nScrub, 1.6, packed with new features, expanded hardware support, and key enhancements to strengthen network defense capabilities.
This release adds native support for NVIDIA/Mellanox ConnectX adapters, and extends support for Napatech adapters by enabling the TX offload support, which optimizes packet transmission performance and reduces CPU overhead. We also implemented native support for DPDK, making nScrub open to deployments where the users are widely using this SDK.
We’ve also improved the detection and scrubbing algorithms, including additional checks on TCP packet headers, ensuring better protection against malformed packets and potential attacks. It is now possible to enable per-target thresholds, allowing for granular control of mitigation engagement based on individual targets, while maintaining a global threshold for overarching protection. Enhancements to the auto-engage mechanism result in more intelligent and efficient mitigation activation, ensuring prompt responses to anomalies.
Also che APIs have been improved. Importing large blacklists is now significantly faster, improving system readiness and scalability for environments with extensive blocklists.
The new features and improvements in nScrub make it a must-have upgrade, we encourage all users to upgrade to 1.6. Please read the changelog below for the full list of changes and improvements.
Enjoy!
Changelog
Engine
- Add native NVIDIA/Mellanox ConnectX adapters support
- Add support for TX offload with Napatech adapters
- Add DPDK support (v.20 or later)
- Add IPsec basic policies control
- Add more safety checks on TCP packet headers
- Add check on max MSS
- Add per target threshold (global threshold to engage the mitigation)
- Improve SYN and SYN-ACK rate check (e.g. also check white traffic)
- Improve RFC (more permissive) when always enabled
- Improve auto-engage checks
- Improve blacklist loading to speedup import of huge lists
- Improve hardware bypass support
- Improve watchdog management
- Detect hardware bypass engage (e.g. due to watchdog) and trigger events
- Fix false positives engaging the watchdog and reduce watchdog sensitivity
- Check for blacklisted destinations on egress traffic
- Historical data (RRD) improvements and fixes
- Fix folder creation with the right user
- Fix egress monitor queue selection with legacy PF_RING API (e.g. NVIDIA/Mellanox)
- Fix GRE detection
- Fix bridging with kernel drivers
- Fix SYN proxy MITM
- Fix conversion of the device name to the system device name in Netlink
Options
- Add –force-promisc|-4 to force promiscuous in routing mode
- Add –no-tx-stack-injection|-5 and –no-rx-stack-injection|-6 options to disable stack injection in routing mode
API
- New API /tcp/syn/noseqnum/drop to drop SYN with no sequence number
- Add threads info to the /status
- Add stats for traffic discarded due to blacklist in the target stats
- Add more bypass info
- Add offset/limit when requesting for attackers on a target
- Add stats for reforged and injected packets
- Add number of hits for dynamically added IP addresses
- Add human-readable discard reasons in stats
- Fix and optimized attackers pagination, added ‘limit’ parameter
- Fix port number parsing in the URI for high ports
- Fix listing of dynamic attackers IP addresses
- Fix stats when using regexp or * to match multiple targets
GUI
- Add statistics for fragments
- Add more engage/severity indicators
- Redirection to the monitor page on login
- Open monitor.html by default when requesting / from a browser (use /status for the status)
Tools
- nscrub-cli
- Add ability to purge a list by name
- Added CIDR support when loading IP list from file
- Improved nscrub-bl in blacklist generation
- Added warn-list support to detect when some IPs are in a blacklist
- Added whitelist support to filter the blacklist
- Duplicated IPs are now removed
Packages
- Add packages for Debian 11, 12
- Add packages for Ubuntu 20, 22, 24
Misc
- Add nscrub user to the ntop group
- Add UNIT_NAME and INSTANCE_NAME env var to the systemd service
- Fix nscrub-export support for python3