Review of RioRey DDoS Mitigation Hardware

RioRey hardware has been part of JavaPipe’s arsenal in the fight against Distributed Denial of Service attacks for almost 3 years now.

We utilize this hardware solution with our remote DDoS attack protection and protected dedicated servers. We currently own RS10s and RS30s to protect our US and Romanian location.

With this experience we decided to provide a public review of RioRey hardware/software in the most unbiased form possible. It is our goal to help others in their decision when purchasing DDoS mitigation solutions.

Managing RioRey Devices with rWeb

We utilize the rWeb appliance to manage multiple devices. This is a web interface that provides real time statistics and fine grained control over 28-30 different filter adjustments for different types of attacks. RioRey provides this management/monitoring system as a 1RU server appliance.

Personally I feel this could be a simple VM appliance that you can install but RioRey seems protective of their intellectual property and prefers to provide hardware with their software solutions.

The parts we appreciate most about the rWeb is the ability to manage multiple customers and the DDoS filtering of their individual IPs. The breakdown is customer, zone, and then IP. So under a customer you can configure multiple zones and in those zones you can have multiple IPs.

However, each zone is a filtering set, so if you have 5 IPs in a zone the filtering in that zone will affect those 5 IPs the same. So if we need special filtering for a particular IP then we can create a new zone for that individual IP.

DDoS protection filter customization

Within a zone, you have statistics related to just that zone. Stats also provide you with precisely what kind of ddos type is being used to attack the IPs in that zone. You have the ability to adjust filtering precisely for 25-30 different types of the most common DDoS as well as custom regex entries to accommodating oddballs.

You can also whitelist and blacklist IPs by range, country, or just individual IP. The amount of detail within the zone provides extremely valuable information about the attacks.

You can generate pcaps for any particular IP to analyze with wireshark to help configure the filtering if the zone information is not providing what you need to make necessary tweaks.

DDoS attack traffic statistics

When you first log into the rWeb you are confronted with a dashboard. You can see overall statistics for individual RioRey devices as well as the individual victims that are currently under attack. However, the web interface leaves a lot to be desired. It looks like it was designed in 1995 however It is somewhat intuitive.

Getting from here and there between different customers and their zones can be a bit tedious. For example you go to one screen to search a customer, you can select the zone to view, then to view another zone, you have to search again for the same customer and select the other zone.

Optionally you can view customer and select a zone within the customer, so there are more than one way of getting around.


You can setup notifications to alert your team or customer via email. When ddos type is detected at certian threshold it will send email notification. It does not allow you to configure notification for a particular zone regardless of type of attack, instead you set threshold parameters for alerts per filter type.

Due to this design, we found it useless. It would be too time consuming to set notifications per filter type. We would prefer to send notification of regardless of type of DDoS based on a certain threshold for an entire zone. Having the notification per zone based on your set threshold would make it convenient to provide different protection levels for your customers.

For example, perhaps a customer only wants to pay for protection of 5Gbps or some 500Kpps, then you would could set up a notification for that level for the zone itself. Unfortunately its not doable at this time.


DDoS attack reports

RioRey reports can be automatically generated daily, weekly or monthly and sent via email for any particular customer.

These reports are quite extensive and include just about everything you could imagine about the attacks on your IPs.

While Riorey has gone above and beyond with that, the size of the reports have been a bit more than our customers care for.

We are talking some 30 page reports! The data the RioRey devices accumulate for these reports can cause bottleneck issues with the system resources over time. This solution could benefit for simplier reports that are easier for customers to read and understand. I think RioRey built this with legal ramifications in mind.

The Hardware

The RS10 comes with one 10Gbps uplink and an external Silcon bypass while the RS30 includes 3 X 10Gbps with two built in bypass and one external for the third 10Gbps. Riorey provides clear documentation on how to set this up, cabling and configuration. We place ours after the router and before the switch.

As a result all traffic passes through the Riorey hardware before reaching the rack, switch and then servers. Since this created a single point of failure, the bypass is added to insure redundancy for the network traffic.

So if you have hardware failure in the RioRey unit, traffic is automatically rerouted through the bypass until the RS unit can be serviced. The RS10 Silicon bypass unit didn’t work as well for us at JavaPipe as it probably should have and we had some issues with this.

The problem we experienced is when getting the unit to reroute the traffic often took up to 20-30 minutes. However, the the newer RS30 works flawlessly and instantly. I believe RioRey no longer sells the Silicon bypass version.

To accommodate the RS10 bypass flaw, we simply request an onsite technician to move the fiber cable from RS10 to switch and back when needed. So unfortunately customers do experience a short outage as a result.

Other than that, the RS10 has been rock solid, working well at handling high demands of constant barrage of DDoS attacks under 10Gbps and 2Mpps.

How Good is RioRey’s DDoS Mitigation Hardware?

DDoS Mitigation hardware

Overall RioRey is a good DDoS mitigation platform but they do have their faults. We’ve found this to be true with most devices in the industry. Unfortunately, there is no such thing as a perfect DDoS mitigation machine. However, Riorey provides a lot of flexibility in the tools to tweak the filtering to provide custom filtering per IP.

This is what makes it truly powerful for the perspective of an ISP who needs to provide ddos protection for different types of businesses from websites, game servers, video streaming and chat services.

The cost of the Riorey solution can be quite high, but the pricing is competitive compared to other devices in the industry. The high cost of these devices are frustrating because on top of that the DDoS attack bandwidth costs can add up to atrocious monthly fees. This is what we’ve had hard time getting customers to pay their fair share of the service and still be competitive.

The RioRey solution is 80% software and 20% hardware. Then RioRey provides frequent updates to combat new types of DDoS as well as improve the features within the rWeb. These updates as well as hardware warranty can be extended forever as long as you keep up with the yearly maintenance fees. These are generally about 9% of the initial cost of the unit.

Overall, we at JavaPipe have been happy with the RioRey solutions. We have also taken advantage of their API which is being utilized within our GuardPanel solution to provide configuration automation with rWeb and DDoS statistics for our customers.

Share this post: