When an ISP is under attack, the failure modes are unique. Transit links saturate before a single server goes down. BGP sessions destabilize. Customers on shared infrastructure experience packet loss regardless of which specific customer is being targeted. The scale is measured in hundreds of gigabits per second and thousands of BGP prefixes, not individual server CPU graphs.

Detection for ISPs must operate at a different layer than detection for a single server. You need visibility into backbone links, per-customer traffic profiles, BGP routing table changes, and flow telemetry from dozens or hundreds of routers simultaneously. The five tools in this guide cover that landscape from different angles, at very different price points.

Why ISPs have unique DDoS detection needs

General-purpose DDoS detection tools are built around monitoring individual servers or small clusters. ISP-scale detection requires solving fundamentally different problems:

  • Transit saturation before detection: Volumetric attacks can fill a 100G transit link in seconds. If your detection tool requires 30-60 seconds of flow aggregation before firing an alert, the link is already congested by the time you know about the attack.
  • BGP as both a symptom and a remedy: Attacks against ISP customers often manifest in BGP table instability. At the same time, BGP (via RTBH or FlowSpec) is the primary tool for diverting or dropping attack traffic. Detection tools that understand BGP topology and can trigger automated BGP responses are significantly more valuable than those that cannot.
  • Multi-customer isolation: An ISP needs to detect attacks against individual customer prefixes without triggering false positives from neighboring customers. Traffic models must be built per-customer, per-prefix, and in some cases per-port.
  • Backbone-wide visibility: Attack traffic enters from multiple upstream peering points simultaneously. A detection tool that only sees one segment of the network will miss distributed attacks that are under the detection threshold at any single point but collectively saturating capacity.
  • Scrubbing center integration: Many ISPs operate or contract with traffic scrubbing centers. Detection tools must be able to signal scrubbing infrastructure automatically, with diversion and re-injection routing handled via BGP or GRE tunnels.
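To make the last three points concrete, here is an added example written for this article (it is not code from Flowtriq or from any of the tools compared below). It aggregates sampled flow records from several exporters, attributes each record to a customer prefix by longest-prefix match, undoes the exporter's sampling ratio, and compares each prefix's network-wide rate against that customer's own threshold. The customer prefixes, thresholds, sampling rates and flow records are all constructed; in the constructed data an attack on one /25 arrives at 150 Mbps through each of three peering routers, under that customer's 300 Mbps threshold at every single exporter but 450 Mbps in aggregate.

```python
"""Per-customer, backbone-wide flow aggregation.

Added example written for this article; it is not code from Flowtriq or any
tool compared here. Customer prefixes, thresholds, exporter sampling rates and
the flow records are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: customer prefixes the operator originates, each with its own
# alert threshold in bits per second. One global value would fit none of them.
CUSTOMER_PREFIXES = {
    ip_network("192.0.2.0/24"):    {"customer": "cust-a", "bps_threshold": 2_000_000_000},
    ip_network("198.51.100.0/25"): {"customer": "cust-b", "bps_threshold":   300_000_000},
    ip_network("203.0.113.0/24"):  {"customer": "cust-c", "bps_threshold": 1_000_000_000},
}

# Constructed: 1-in-N packet sampling configured on each flow exporter.
SAMPLING_RATE = {"edge-r1": 1000, "edge-r2": 1000, "edge-r3": 2000}

# Constructed sampled flow records for one 10-second export window:
# (exporter, destination IP, sampled bytes, sampled packets).
FLOW_RECORDS = [
    ("edge-r1", "192.0.2.10",   1_000_000,   900),   # cust-a, normal traffic
    ("edge-r2", "192.0.2.10",     500_000,   450),
    ("edge-r1", "198.51.100.7",   187_500, 2_500),   # cust-b, attack arriving via
    ("edge-r2", "198.51.100.7",   187_500, 2_500),   #   three peering points
    ("edge-r3", "198.51.100.7",    93_750, 1_250),
    ("edge-r1", "198.18.0.5",      40_000,    30),   # off-net, not a customer
]
WINDOW_SECONDS = 10


def match_customer_prefix(dst_ip):
    """Longest-prefix match of a destination address against the customer table."""
    addr = ip_address(dst_ip)
    best = None
    for net in CUSTOMER_PREFIXES:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def aggregate(records, window_seconds):
    """Undo sampling and sum rates per (prefix, exporter) and per prefix.

    Returns (per_exporter_bps, per_prefix_bps, per_prefix_pps).
    """
    per_exporter_bps = defaultdict(float)
    per_prefix_bps = defaultdict(float)
    per_prefix_pps = defaultdict(float)
    for exporter, dst_ip, sampled_bytes, sampled_pkts in records:
        net = match_customer_prefix(dst_ip)
        if net is None:
            continue  # transit or off-net destination: not a customer prefix
        scale = SAMPLING_RATE[exporter]
        bps = sampled_bytes * scale * 8 / window_seconds
        per_exporter_bps[(net, exporter)] += bps
        per_prefix_bps[net] += bps
        per_prefix_pps[net] += sampled_pkts * scale / window_seconds
    return per_exporter_bps, per_prefix_bps, per_prefix_pps


def evaluate(records=FLOW_RECORDS, window_seconds=WINDOW_SECONDS):
    """Compare each customer prefix's network-wide rate with its own threshold."""
    per_exporter_bps, per_prefix_bps, per_prefix_pps = aggregate(records, window_seconds)
    alerts = []
    for net, bps in per_prefix_bps.items():
        threshold = CUSTOMER_PREFIXES[net]["bps_threshold"]
        if bps <= threshold:
            continue
        exporters = {e: v for (n, e), v in per_exporter_bps.items() if n == net}
        alerts.append({
            "customer": CUSTOMER_PREFIXES[net]["customer"],
            "prefix": str(net),
            "bps": bps,
            "pps": per_prefix_pps[net],
            "per_exporter_bps": exporters,
            # True only if some single router by itself saw more than the threshold;
            # False means a per-router detector would have missed this attack.
            "visible_at_single_exporter": any(v > threshold for v in exporters.values()),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate():
        print(f"{alert['customer']} {alert['prefix']}: {alert['bps'] / 1e6:.0f} Mbps "
              f"({alert['pps']:.0f} pps) across {len(alert['per_exporter_bps'])} exporters; "
              f"visible at a single exporter: {alert['visible_at_single_exporter']}")
```

In a real collector the records come from a NetFlow, sFlow or IPFIX decoder and the window is the exporter's active timeout, which is why flow-based detection latency cannot be lower than the export interval. The `visible_at_single_exporter` flag is the backbone-wide visibility point: a detector that only sees one router's flows never crosses the threshold for cust-b.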

What ISPs need from a detection tool

Before comparing tools, here is the capability checklist that matters for ISP and carrier environments:

  • Backbone-wide flow visibility (NetFlow, sFlow, IPFIX from multiple routers)
  • BGP automation: remote triggered blackhole (RTBH) and FlowSpec rule injection
  • Multi-customer traffic isolation with per-prefix models
  • Scalability to 100+ nodes and terabit-scale traffic volumes
  • Sub-30-second detection for transit-saturating volumetric attacks
  • Attack classification with enough detail to drive mitigation decisions
  • Forensic export for post-incident analysis and upstream abuse reporting
  • NOC-friendly dashboards with per-customer reporting

The five tools compared

1. Flowtriq

Agent-based per-node detection  •  $9.99/node/month  •  7-day free trial

Flowtriq deploys a lightweight agent directly on servers at exchange points, peering edges, and customer-facing infrastructure. Rather than relying on sampled flow data, the agent monitors at per-second granularity by reading traffic directly from the network interface. This means detection latency is measured in seconds rather than flow export cycles.

What it does well for ISPs: Flowtriq is an excellent fit for ISPs that need server-level detection at IX ports, colocation edge nodes, and peering routers running Linux-based network operating systems. If you manage transit servers, route reflectors on commodity hardware, or customer-facing servers that double as attack surfaces, Flowtriq gives you 1-second detection with automatic attack classification and PCAP forensics. The per-node pricing model ($9.99/node/month billed monthly, $7.99/node/month billed annually) scales linearly with deployment size, making it straightforward to expand coverage.

BGP integration: Flowtriq integrates with BGP via webhook-triggered automation. When an attack is detected, a webhook fires to your BGP automation toolchain (ExaBGP, GoBGP, or custom scripts), which injects RTBH or FlowSpec rules. This is not native BGP handling inside Flowtriq itself, but the detection signal is clean and fast enough that automated BGP responses can be triggered within seconds of attack onset.

Limitations: Flowtriq is a per-server tool. It does not ingest NetFlow or sFlow from router interfaces, so it cannot give you backbone-wide aggregate visibility across your entire network fabric. For ISPs that need flow-based analysis across dozens of routers with per-prefix traffic accounting, Flowtriq is most powerful as a complement to a flow-based platform rather than a standalone network-wide solution. It works best at the edges where your servers live.

Best for ISPs: Edge servers, IX presence nodes, peering infrastructure on commodity Linux hardware, and any server-based component of ISP infrastructure where 1-second detection and PCAP forensics are worth more than aggregate flow visibility.

2. Arbor Sightline (NETSCOUT)

Enterprise flow analysis + BGP automation  •  Quote-based, typically $50K-$200K+/year

Arbor Sightline (formerly Peakflow SP) is the established ISP-grade DDoS detection platform. It ingests NetFlow, sFlow, BGP routing data, and SNMP telemetry from across your network fabric to build comprehensive traffic models. Sightline is purpose-built for carrier-scale operations and integrates natively with Arbor TMS (Threat Management System) appliances for automated scrubbing center diversion.

Detection: Profiled detection using learned baselines per-prefix, plus misuse detection with signatures from NETSCOUT's ATLAS threat intelligence network. Detection latency is typically 30-120 seconds, inheriting flow export intervals. For known attack signatures, misuse detection can fire faster.

BGP automation: Native RTBH and FlowSpec announcement. Sightline can automatically divert attack traffic to TMS scrubbing appliances and re-inject clean traffic with no manual intervention. This is the tightest detection-to-mitigation integration available for ISPs.

Limitations: Pricing is a real barrier. Production Sightline deployments typically cost $50,000 to $200,000+ per year including hardware, licensing, and support. It requires dedicated network engineering staff to deploy and operate. For ISPs below Tier 2 scale, the operational complexity and cost are difficult to justify against alternatives.

Best for: Tier 1 and Tier 2 carriers, large national ISPs, and organizations already invested in the NETSCOUT/Arbor ecosystem with existing TMS appliances.

3. Kentik

SaaS network observability with DDoS detection  •  Pricing from ~$3,000/month

Kentik is a cloud-based network observability platform that ingests NetFlow, sFlow, IPFIX, BGP routing tables, and streaming telemetry. DDoS detection is a policy module within the platform, allowing operators to define per-prefix, per-customer, or per-link anomaly thresholds. When a policy fires, Kentik can trigger automated responses through its BGP adapter or webhook integrations.

Multi-AS visibility: Kentik's BGP integration means you can correlate DDoS events with routing topology in real time. This is genuinely useful for ISPs tracking attack traffic back through AS paths and correlating attack sources with BGP peer behavior. The flow data retention (up to 90 days) enables cross-incident analysis that simpler tools cannot match.

Detection speed: Typically 15-60 seconds depending on flow export configuration and policy evaluation frequency. Faster than Arbor for some configurations, but still limited by flow-based architecture.

Limitations: Kentik is a broad network observability platform: you are paying for traffic engineering, peering analysis, capacity planning, and performance monitoring whether or not you need those capabilities. The DDoS detection module is strong but not the platform's primary focus. Pricing starts at approximately $3,000/month and scales with flow volume, which is accessible for mid-size ISPs but not trivial.

Best for: ISPs and multi-AS operators who want DDoS detection within a comprehensive network observability stack, particularly those already using Kentik for traffic engineering and peering analytics.

4. FastNetMon Advanced

Flow-based detection + BGP automation  •  Community Edition (free) / Advanced ~$500-$2,000+/month

FastNetMon is a widely deployed flow-based DDoS detector with a strong record in hosting and ISP environments. The community edition is open source and free; the Advanced commercial edition adds a web dashboard, enhanced BGP automation, more alert integrations, and commercial support. It processes NetFlow v5/v9, IPFIX, sFlow, and mirrored traffic (AF_PACKET or DPDK).

BGP automation: FastNetMon Advanced integrates with ExaBGP and GoBGP for RTBH and FlowSpec injection. When an attack is detected against a target IP, the tool can automatically announce the target /32 tagged with a blackhole community to upstream peers, so attack traffic is dropped at the network edge before it reaches your infrastructure.

Detection speed: Typically 5-30 seconds. FastNetMon checks traffic every 1 second internally but inherits flow export latency from your router configuration. With aggressive flow export settings (1-5 second intervals), detection can be under 10 seconds for large volumetric attacks.

Limitations: Detection is threshold-based, not behavioral. Tuning thresholds per-customer and per-prefix requires ongoing manual work. Classification is limited: FastNetMon identifies the target and volume but does not automatically classify attack sub-types with the depth of a packet-level tool. No PCAP capability.
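The threshold-versus-behavioral distinction is easier to see in code. The following is an added example written for this article, not FastNetMon code and not its configuration format; the traffic histories are constructed. It runs one lazily tuned global threshold and a per-prefix learned baseline over the same two customers, and also shows how a per-prefix static threshold can be derived from observed traffic, which is the tuning work the paragraph above refers to.

```python
"""Static per-prefix thresholds versus a learned per-prefix baseline.

Added example for this article; it is not FastNetMon code and does not
reproduce its configuration format. The traffic histories are constructed.
Rates are in bits per second, one sample per export interval.
"""
from statistics import mean, pstdev

# Constructed: a deployment that never tuned per-prefix values and runs one
# global threshold for every customer.
GLOBAL_THRESHOLD_BPS = 1_000_000_000

# Constructed: eight recent samples per prefix and the current sample.
SMALL_CUSTOMER_HISTORY = [28e6, 31e6, 30e6, 29e6, 32e6, 30e6, 31e6, 29e6]
SMALL_CUSTOMER_NOW = 250e6       # ~8x normal: an attack, yet far below 1 Gbps
LARGE_CUSTOMER_HISTORY = [1.4e9, 1.5e9, 1.6e9, 1.45e9, 1.55e9, 1.5e9, 1.6e9, 1.5e9]
LARGE_CUSTOMER_NOW = 1.7e9       # an ordinary peak for this customer


def static_alert(current_bps, threshold_bps):
    """Threshold-based detection: no knowledge of what is normal for the prefix."""
    return current_bps > threshold_bps


def baseline_alert(history_bps, current_bps, k=4.0, min_excess_bps=20e6):
    """Behavioral detection: alert when the current rate is k standard
    deviations above the prefix's learned mean AND the absolute excess is
    above a floor, so a nearly idle prefix does not alert on noise."""
    mu = mean(history_bps)
    sigma = pstdev(history_bps)
    return current_bps > mu + k * sigma and (current_bps - mu) > min_excess_bps


def suggest_static_threshold(history_bps, multiplier=3.0, floor_bps=50e6):
    """Derive a per-prefix static threshold from observed traffic. Automating
    this closes most of the gap to behavioral detection, at the cost of
    re-learning it periodically as the customer's traffic changes."""
    return max(floor_bps, multiplier * mean(history_bps))


def compare():
    """Outcome of each approach on the two constructed prefixes."""
    return {
        # Global threshold: misses the small customer, fires on the large one's peak.
        "small_static":   static_alert(SMALL_CUSTOMER_NOW, GLOBAL_THRESHOLD_BPS),
        "large_static":   static_alert(LARGE_CUSTOMER_NOW, GLOBAL_THRESHOLD_BPS),
        # Learned baseline: catches the small customer, stays quiet on the peak.
        "small_baseline": baseline_alert(SMALL_CUSTOMER_HISTORY, SMALL_CUSTOMER_NOW),
        "large_baseline": baseline_alert(LARGE_CUSTOMER_HISTORY, LARGE_CUSTOMER_NOW),
        # Static thresholds tuned per prefix from history behave like the baseline here.
        "small_tuned":    static_alert(SMALL_CUSTOMER_NOW,
                                       suggest_static_threshold(SMALL_CUSTOMER_HISTORY)),
        "large_tuned":    static_alert(LARGE_CUSTOMER_NOW,
                                       suggest_static_threshold(LARGE_CUSTOMER_HISTORY)),
    }


if __name__ == "__main__":
    for name, fired in compare().items():
        print(f"{name:15s} alert={fired}")
```

The small customer is the case that matters for multi-customer isolation: an eight-fold increase on a 30 Mbps prefix never approaches a global 1 Gbps threshold, while the large customer's normal peak trips it. Whatever the tool, per-prefix values (learned or periodically re-derived) are what keep both errors out of the NOC.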

Best for: Hosting providers and small-to-medium ISPs with existing BGP infrastructure who want automated RTBH response without the cost of enterprise platforms. The community edition is a strong starting point for operators willing to handle their own tuning and integration.

5. Wanguard (Andrisoft)

Flow-based detection + mitigation appliance  •  Quote-based, hardware or virtual

Wanguard is a software-based traffic analysis and DDoS detection platform from Romanian developer Andrisoft, with strong adoption among European ISPs and hosting providers. It runs on standard Linux servers and ingests NetFlow, sFlow, and IPFIX. Wanguard Filter can be deployed alongside it for in-line traffic scrubbing on commodity hardware.

What differentiates it: Wanguard includes a built-in web UI (Wansight) for traffic visualization and DDoS event management, which competing open-source tools lack in the base package. BGP blackhole and FlowSpec automation is built in, as is integration with GRE-based scrubbing center diversion. Pricing is quote-based but is generally accessible for mid-market ISPs, making it a cost-effective middle ground between FastNetMon Advanced and Arbor Sightline.

Detection speed: Typically 10-60 seconds, depending on flow export intervals and configured detection sensitivity.

Limitations: Less widely deployed outside Europe, so community resources and third-party integrations are more limited than FastNetMon or Arbor. Detection is flow-based with threshold and anomaly modes; no packet-level classification. Requires dedicated Linux server infrastructure for deployment.

Best for: Mid-size ISPs and hosting providers seeking a cost-effective flow-based detection platform with a built-in web UI, particularly in European markets where Wanguard has an established track record.

Feature comparison

| Feature | Flowtriq | Arbor Sightline | Kentik | FastNetMon Adv. | Wanguard |
|---|---|---|---|---|---|
| Detection method | Agent (per-server) | Flow + BGP + ATLAS | Flow + BGP + telemetry | Flow (NetFlow/sFlow) | Flow (NetFlow/sFlow) |
| Detection latency | ~1 second | 30-120 sec | 15-60 sec | 5-30 sec | 10-60 sec |
| Attack classification | Deep (type + vector) | Strong (ATLAS sigs) | Moderate | Volume only | Protocol-level |
| BGP automation (RTBH/FlowSpec) | Via webhook | Native (TMS) | Native adapter | Native (ExaBGP) | Built-in |
| PCAP capture | Yes (auto, 60s) | No (TMS only) | No | No | No |
| Dashboard | SaaS cloud UI | On-premise UI | SaaS cloud UI | Advanced only | Built-in (Wansight) |
| Multi-customer isolation | Per-node | Per-prefix/customer | Per-prefix/policy | Per-prefix | Per-prefix |
| Pricing | $9.99/node/mo | $50K-$200K+/yr | ~$3K+/month | Free / $500-2K+/mo | Quote-based |

When to choose each tool

Choose Flowtriq if...

  • You operate servers at exchange points, colocation facilities, or peering edges on Linux-based hardware
  • You need 1-second detection with automatic attack classification and PCAP evidence at each node
  • You want a transparent, predictable pricing model that scales linearly without enterprise contract negotiations
  • Your BGP automation already exists (ExaBGP, GoBGP) and you need a fast, accurate detection signal to trigger it
  • You want to deploy coverage across 5-500 nodes within hours, not weeks

Choose Arbor Sightline if...

  • You are a Tier 1 or Tier 2 carrier with a dedicated NOC, existing TMS appliances, and a six-figure annual budget
  • You need tightly integrated detection-to-scrubbing-center automation with native BGP diversion
  • ATLAS threat intelligence integration is a requirement for your security posture

Choose Kentik if...

  • You need DDoS detection as part of a broader network observability investment covering peering, traffic engineering, and capacity planning
  • Multi-AS BGP correlation and long-term flow data retention are priorities
  • Your budget comfortably accommodates $3,000+/month for an observability platform

Choose FastNetMon Advanced if...

  • You are a hosting provider or small-to-medium ISP with existing BGP infrastructure and flow telemetry
  • Automated RTBH blackhole response is the primary requirement and budget is limited
  • You have engineering capacity to tune thresholds and manage ongoing configuration

Choose Wanguard if...

  • You want a cost-effective flow-based platform with a built-in UI and BGP automation in a single package
  • Your environment is in the mid-market ISP or European hosting segment where Wanguard has existing integrations

Deploy Flowtriq at your edge nodes today

Start with a 7-day free trial. No credit card required. Install the agent in under 5 minutes and have per-second detection with PCAP forensics running on your first node before your coffee gets cold.


Frequently asked questions

Can ISPs use Flowtriq?

Yes. Flowtriq is actively used by ISPs and transit providers on Linux-based edge infrastructure: servers at internet exchange points, route reflectors on commodity hardware, and customer-facing servers that also serve as attack surfaces. For ISPs that run significant workloads on Linux servers (which describes most modern operators at some layer of the stack), Flowtriq provides the fastest per-server detection available. It is best understood as a complement to flow-based network-wide platforms rather than a replacement for them. Where a flow-based tool gives you aggregate network-level visibility, Flowtriq gives you 1-second detection with PCAP forensics at every server that matters.

How does Flowtriq integrate with BGP?

Flowtriq triggers BGP automation through webhooks. When an attack is detected on a monitored node, Flowtriq fires a structured webhook payload containing the attack classification, target IP, severity, and timestamp. Your BGP automation toolchain (ExaBGP, GoBGP, Bird2, or a custom script) receives this signal and injects the appropriate RTBH or FlowSpec announcement to upstream peers. Because Flowtriq's detection latency is approximately 1 second, the total time from attack onset to BGP announcement is typically under 5 seconds when the webhook handler is running locally. A reference ExaBGP integration script is available in the Flowtriq documentation.
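The webhook-to-BGP path described here and in the Flowtriq section above can be sketched as a handler that validates an event and emits ExaBGP API commands. This is an added example written for this article; it is not Flowtriq's reference integration script and not ExaBGP project code. The page states only that the payload carries the attack classification, target IP, severity and timestamp, so the JSON keys used here (`attack_type`, `target_ip`, `severity`, `timestamp`, optional `vector`), the HMAC-SHA256 signature over the body, the shared secret and the severity scale are all hypothetical. The RTBH line uses ExaBGP's text API (`announce route ... next-hop ... community [...]`) with the RFC 7999 BLACKHOLE community; the FlowSpec line follows ExaBGP's flow-route syntax.

```python
"""Turn a detection webhook into BGP mitigation commands for ExaBGP.

Added example: not Flowtriq's reference integration script and not ExaBGP
project code. The JSON keys (attack_type, target_ip, severity, timestamp,
vector), the HMAC-SHA256 body signature, the shared secret and the severity
scale are hypothetical; the page names only the fields the payload carries.
"""
import hashlib
import hmac
import json
from ipaddress import ip_address, ip_network

# Constructed: the only address space this handler may ever act on. A forged
# or mis-addressed event must never be able to blackhole anything else.
OWN_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]
WEBHOOK_SECRET = b"replace-with-shared-secret"        # hypothetical shared secret
RTBH_NEXT_HOP = "192.0.2.254"                         # constructed discard next-hop
BLACKHOLE_COMMUNITY = "65535:666"                     # BLACKHOLE community, RFC 7999
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # hypothetical scale


def sign_body(body: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw request body (hypothetical scheme)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str) -> bool:
    """Constant-time comparison so a forged event cannot be matched byte by byte."""
    return hmac.compare_digest(sign_body(body), signature_hex)


def in_own_space(target: str) -> bool:
    addr = ip_address(target)
    return any(addr in net for net in OWN_PREFIXES)


def handle_event(body: bytes, signature_hex: str, min_severity: str = "high") -> dict:
    """Validate one webhook delivery and return the ExaBGP command(s) to emit.

    Returns {"action": ..., "commands": [...], "reason": ...} so the caller can
    log the decision even when nothing is announced.
    """
    if not verify_signature(body, signature_hex):
        return {"action": "rejected", "commands": [], "reason": "bad signature"}
    event = json.loads(body)
    target = event["target_ip"]
    # IPv4 host routes only; the same checks apply to IPv6 with /128.
    if not in_own_space(target):
        return {"action": "rejected", "commands": [], "reason": f"{target} not in own prefixes"}
    if SEVERITY_RANK[event["severity"]] < SEVERITY_RANK[min_severity]:
        return {"action": "ignored", "commands": [], "reason": "below severity threshold"}

    vector = event.get("vector")  # hypothetical: {"protocol": "udp", "source_port": 123}
    if vector and vector.get("protocol") == "udp" and "source_port" in vector:
        # Targeted FlowSpec discard: drops only the reflected vector's traffic
        # and keeps the customer reachable. ExaBGP flow-route syntax.
        cmd = (f"announce flow route {{ match {{ destination {target}/32; protocol udp; "
               f"source-port ={int(vector['source_port'])}; }} then {{ discard; }} }}")
        return {"action": "flowspec", "commands": [cmd], "reason": event["attack_type"]}

    # Fallback: RTBH. This completes the denial of service for the single /32
    # in order to protect the shared link, so it is the coarser tool.
    cmd = (f"announce route {target}/32 next-hop {RTBH_NEXT_HOP} "
           f"community [{BLACKHOLE_COMMUNITY}]")
    return {"action": "rtbh", "commands": [cmd], "reason": event["attack_type"]}


def withdraw_commands(result: dict) -> list:
    """Mirror each announce as a withdraw, for when the attack ends."""
    return [c.replace("announce ", "withdraw ", 1) for c in result["commands"]]


if __name__ == "__main__":
    import sys
    # Run as an ExaBGP 'process', each command line written to stdout is read by
    # ExaBGP as its API. A constructed event stands in for a real delivery here.
    constructed = json.dumps({"attack_type": "udp_flood", "target_ip": "198.51.100.7",
                              "severity": "high", "timestamp": "2024-01-01T00:00:00Z"}).encode()
    for line in handle_event(constructed, sign_body(constructed))["commands"]:
        sys.stdout.write(line + "\n")
```

Two checks carry the security weight: the signature check, so only the detector can trigger an announcement, and the own-prefix check, so even a valid event cannot blackhole an address the operator does not originate. Because RTBH drops all traffic to the target, the handler prefers a FlowSpec discard when the event identifies a single UDP source port, and falls back to the /32 blackhole otherwise; the matching withdraw is kept alongside so mitigation is removed as deliberately as it was applied.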

Does Flowtriq work with existing NetFlow infrastructure?

Flowtriq is an agent-based tool and does not ingest NetFlow, sFlow, or IPFIX. It monitors traffic directly at the network interface of each server it is installed on. This means it does not replace or extend your existing NetFlow collection infrastructure, but it also means it provides detection capabilities that flow-based tools cannot: per-second granularity without sampling, automatic PCAP capture, and deep protocol-level attack classification. The two approaches are complementary: flow-based tools give you network-wide aggregate visibility; Flowtriq gives you server-level forensic depth.

What is the minimum deployment size?

There is no minimum. You can start with a single node on the 7-day free trial and expand as needed. Flowtriq is priced at $9.99/node/month (monthly billing) or $7.99/node/month (annual billing), with no minimum seat count, no setup fees, and no long-term contracts required. ISPs often start by deploying Flowtriq on their most exposed edge nodes and expand coverage incrementally as they see value. A typical ISP edge deployment covering 10-20 nodes runs $80-$200/month on the annual plan.
