
Why Containers Need DDoS Detection

Containerized workloads face the same DDoS threats as bare-metal servers. A UDP flood aimed at a Docker host saturates the host NIC regardless of how many containers are running behind it. The difference is that container environments often lack the per-host visibility that traditional monitoring provides.

Most container monitoring focuses on application metrics: CPU, memory, request latency. Network-level volumetric attacks are not typically surfaced by Prometheus node exporters or application APM tools. By the time your alerting catches a CPU spike from a flood, the damage is already done.

ftagent fills this gap. It monitors the host network interface at the kernel level, detects DDoS attacks in under one second, and deploys iptables/nftables rules to drop attack traffic before it reaches your application containers.

The official ftagent Docker image is on Docker Hub. The agent is also available via pip install ftagent for bare-metal installs.

Docker Run

The simplest deployment is a single docker run command:

docker run -d \
  --name ftagent \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add SYS_PTRACE \
  -v /etc/ftagent:/etc/ftagent \
  -v /var/lib/ftagent:/var/lib/ftagent \
  --restart unless-stopped \
  flowtriq/ftagent:latest

Key requirements:

  • --network host: Required so ftagent reads the host's /proc/net/dev, not an isolated container network namespace
  • NET_ADMIN: Required for deploying iptables/nftables firewall rules
  • SYS_PTRACE: Required for PCAP packet capture
  • Volume mounts: Persistent config and PCAP storage

After the container starts, run the setup wizard:

docker exec -it ftagent ftagent --setup

This prompts for your API key and node UUID from the Flowtriq dashboard. The agent begins monitoring within 30 seconds.

Docker Compose

For environments managed with docker-compose, add ftagent as a service:

version: "3.8"
services:
  ftagent:
    image: flowtriq/ftagent:latest
    container_name: ftagent
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    volumes:
      - /etc/ftagent:/etc/ftagent
      - /var/lib/ftagent:/var/lib/ftagent
    restart: unless-stopped

Run docker-compose up -d and ftagent starts alongside your application stack. It monitors the host network without interfering with your other containers.

Kubernetes DaemonSet

For Kubernetes clusters, deploy ftagent as a DaemonSet so one pod runs on every node. This gives you per-node DDoS detection across the entire cluster.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ftagent
  namespace: flowtriq
spec:
  selector:
    matchLabels:
      app: ftagent
  template:
    metadata:
      labels:
        app: ftagent
    spec:
      hostNetwork: true
      containers:
      - name: ftagent
        image: flowtriq/ftagent:latest
        securityContext:
          capabilities:
            add: ["NET_ADMIN", "SYS_PTRACE"]
        volumeMounts:
        - name: config
          mountPath: /etc/ftagent
        - name: data
          mountPath: /var/lib/ftagent
      volumes:
      - name: config
        hostPath:
          path: /etc/ftagent
      - name: data
        hostPath:
          path: /var/lib/ftagent

This works on self-managed Kubernetes, EKS, GKE, AKS, and bare-metal k8s. Each node gets its own Flowtriq node in the dashboard with independent detection and mitigation.

For a deeper dive into Kubernetes deployment patterns including sidecar mode and ingress monitoring, see our dedicated Kubernetes DDoS detection guide.

How Mitigation Works in Containers

With host network mode and NET_ADMIN, ftagent deploys firewall rules directly on the Docker host. For traffic routed to Docker containers, rules are applied in the DOCKER-USER iptables chain. This is critical because standard INPUT chain rules do not affect traffic destined for Docker containers.

The agent handles this automatically. You do not need to configure which chain to use. When ftagent detects that Docker is running, it applies mitigation rules in the correct chain.
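To check on a Docker host that a source block really covers published container ports and not only host sockets, the following added example (not ftagent code and not from the original post) parses `iptables-save` output and compares DROP rules in INPUT against DOCKER-USER. The sample dump is constructed, the function names are hypothetical, and the rule shape `-s <net> ... -j DROP` is an assumption; rule ordering and negated matches are not evaluated.

```python
import ipaddress

# Constructed sample of `iptables-save` output (documentation address ranges).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 203.0.113.7/32 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -s 203.0.113.7/32 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""

def drop_sources(dump, chain):
    """Source networks that `chain` in the filter table drops."""
    nets, table = [], None
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:].strip()          # table header, e.g. "*filter"
        elif (table == "filter" and tok[:2] == ["-A", chain]
              and tok[-2:] == ["-j", "DROP"]
              and "-s" in tok and "!" not in tok):   # skip negated matches
            nets.append(ipaddress.ip_network(tok[tok.index("-s") + 1], strict=False))
    return nets

def coverage(dump, source_ip):
    """Which traffic paths drop packets from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    return {
        # INPUT only sees packets addressed to sockets on the host itself.
        "host_sockets": any(ip in n for n in drop_sources(dump, "INPUT")),
        # Traffic to published container ports is forwarded via DOCKER-USER.
        "containers": any(ip in n for n in drop_sources(dump, "DOCKER-USER")),
    }

def container_gaps(dump):
    """Sources dropped in INPUT that DOCKER-USER does not also drop."""
    user = drop_sources(dump, "DOCKER-USER")
    return [str(n) for n in drop_sources(dump, "INPUT")
            if not any(n.version == u.version and n.subnet_of(u) for u in user)]

if __name__ == "__main__":
    print(coverage(SAMPLE_DUMP, "198.51.100.20"), container_gaps(SAMPLE_DUMP))
```

On a live host, pass the text of `iptables-save` in place of SAMPLE_DUMP; any network returned by container_gaps is blocked for host services but still reaches containers.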

Getting Started

  1. Sign up for Flowtriq (14-day free trial)
  2. Pull the image: docker pull flowtriq/ftagent:latest
  3. Start the container with the commands above
  4. Run the setup wizard: docker exec -it ftagent ftagent --setup

For the full integration reference, see the Docker/Kubernetes integration page.

Source and packages. The ftagent image is on Docker Hub, the Python package on PyPI, and the source on GitHub.
