Two Different Jobs
Akvorado is an open-source network flow analytics platform, originally developed at Free (a French ISP) and now maintained as an independent open-source project. It ingests NetFlow, sFlow, or IPFIX from your routers, enriches flow data with BGP information (source and destination AS, AS paths, communities) and GeoIP, and provides a ClickHouse-backed web console for exploring traffic patterns over time. It is genuinely excellent at what it does: understanding normal traffic behavior, debugging routing issues, auditing peering relationships, and doing post-hoc analysis on what your network looks like.
What Akvorado does not do is detect attacks, classify them, alert on them in real time, or stop them. It is an analytics and observability tool — it shows you data after the fact, at flow export granularity, on sampled traffic. If you are building a network operations setup from open-source tools, Akvorado is a natural part of that stack.
Flowtriq is a DDoS detection and response platform. It runs a lightweight agent on each server, monitors traffic at one-second granularity on every packet, classifies attack types, fires alerts through your preferred channels within seconds, captures PCAP automatically, and applies targeted mitigation rules that keep services online. It does not replace Akvorado's analytics — it does not try to. It adds the detection, alerting, and response layer that Akvorado explicitly does not cover.
These tools are not in competition. They are complementary by design. Running them together gives you something better than either alone: full network analytics visibility through Akvorado, and fast per-server attack detection and response through Flowtriq.
The Stack
Akvorado and Flowtriq operate at different layers and on different data sources. Akvorado receives flow telemetry from your routers and sees aggregate, sampled, network-wide traffic. Flowtriq receives nothing from your routers; it reads directly from each server's network interface. They do not interfere with each other and need no coordination beyond the integration points described below.
Why Each Tool Has Blind Spots the Other Fills
What Akvorado sees that Flowtriq doesn't
Akvorado gets flow exports from your routers, which means it sees aggregate traffic across your entire network — not just individual servers. It can show you traffic trends across your full IP space, peering relationships, AS-level traffic distribution, and changes in routing over time. If you are an ISP or hosting provider with multiple uplinks and want to understand how traffic is distributed across your network, Akvorado provides visibility that per-server agents cannot.
Akvorado's time-series analytics are also valuable for post-hoc investigation. After an incident, you can go into Akvorado and explore what traffic looked like before, during, and after the event at the network-wide level — which source ASNs were sending traffic, how it was distributed across your IP space, and what changed in routing during the event. This is genuinely useful operational context.
What Flowtriq sees that Akvorado doesn't
Flow sampling means Akvorado sees a statistical representation of your traffic, not the traffic itself. At 1:1000 packet sampling, a 5-second attack at 20,000 packets/s (100,000 packets in total) yields on the order of 100 sampled packets, and with NetFlow's active and inactive timeouts the records describing it may not be exported until the attack is already over. That is too little, too late, to trigger any anomaly detection. Akvorado is not built for real-time DDoS detection and is not trying to be: its ClickHouse backend is optimized for analytical queries over historical data, not sub-second anomaly detection.
Flowtriq sees every packet on each server. Detection fires in one second. The full source IP census is exact, not sampled. Attack classification — NTP amplification vs DNS amplification vs SYN flood vs UDP flood — is automated and confidence-scored. PCAP is captured automatically for every incident. And crucially, mitigation is applied immediately: targeted firewall rules that filter attack traffic while preserving legitimate traffic, with the server staying online throughout.
The practical mental model: Akvorado answers "what does my network normally look like and how has it changed?" Flowtriq answers "is something attacking one of my servers right now, what exactly is it, and what should I do about it?" Different questions, different tools, fully complementary.
Setting Up the Stack
Both tools install independently. There is no required coordination between them, but there are a few integration points that make the combined stack more useful. Here is the full setup.
Deploy Akvorado
Akvorado's recommended deployment is via Docker Compose. The project ships a reference docker-compose.yml that brings up the Akvorado inlet (flow receiver), Kafka (the queue between the inlet and ClickHouse), ClickHouse (storage), and the web console. The full setup is documented in the Akvorado GitHub repository.
Configure your routers or a dedicated flow probe to export NetFlow v9, IPFIX, or sFlow to the Akvorado inlet (defaults: 2055/UDP for NetFlow/IPFIX, 6343/UDP for sFlow). For BGP enrichment, configure a BMP session from your routers to Akvorado's BMP collector; Akvorado learns the routing table from that session and annotates each flow with source and destination AS and related attributes. GeoIP enrichment comes from MaxMind databases that you provide.
For operators without flow-exporting router infrastructure, a software NetFlow exporter (such as softflowd or pmacctd) running on a gateway server can generate flows from mirrored traffic. Akvorado works with any standard NetFlow/sFlow/IPFIX source.
Install Flowtriq agents on your servers
On each server you want to protect, install the Flowtriq agent with a single command:
pip install ftagent --break-system-packages
The agent auto-detects network interfaces, registers with the Flowtriq platform, and begins building a dynamic traffic baseline immediately. Conservative detection thresholds are active from install; they tighten automatically as the 24–72 hour baseline matures. No flow infrastructure, no BGP configuration, no router changes required.
If you are running multiple servers, you can automate the install across your fleet with Ansible, Puppet, a simple shell script over SSH, or your preferred configuration management tool. The install command is the same on any Linux distribution with Python 3.7+. One caveat: --break-system-packages tells pip to bypass the distribution's externally-managed-environment guard (PEP 668) and install into the system Python. If you would rather keep the system interpreter untouched, install ftagent into a dedicated virtualenv or with pipx instead, and make sure the agent is started from that environment.
Configure Flowtriq alert channels
In the Flowtriq dashboard, connect your preferred notification channels under Settings → Alerts. For teams already using Slack or Discord for operations, the respective integrations take about two minutes. PagerDuty and OpsGenie integrations support automatic incident creation and resolution, enabling proper on-call escalation workflows. Configure per-severity thresholds so critical attacks page on-call immediately while lower-severity events post to a channel for review.
Link Flowtriq incidents back to Akvorado
This is where the two tools start working together actively. Flowtriq's webhook integration lets you send structured incident payloads to any endpoint. When an attack is detected on a server, the webhook payload includes the server's IP, the incident start time, attack classification, and peak metrics.
Configure a webhook in Flowtriq (Settings → Webhooks) that appends an Akvorado deep-link URL to your Slack or incident management notification. The template below shows the idea; the exact query parameters depend on your Akvorado version, so copy the URL of a saved view from your own console and substitute the placeholders:
https://your-akvorado.example.com/visualize?start={{incident_start_minus_5m}}&end={{incident_end_plus_5m}}&filter=DstAddr%3D{{server_ip}}
When an attack fires in Flowtriq, the alert message in Slack includes a direct link that opens Akvorado pre-filtered to that server's traffic for the attack window. Your team gets both the Flowtriq incident view (exact classification, source IPs, PCAP download) and the Akvorado network-wide view (how the attack looked at the router level, what upstream ASNs were sending traffic) in a single click.
Even without a custom webhook, you can manually cross-reference incidents: note the Flowtriq incident time and filter Akvorado by destination IP and the relevant time window. The Akvorado view will show the same attack spike from the router's perspective — lower granularity than Flowtriq's per-second data, but useful for understanding network-wide impact.
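The glue between the incident webhook and the Akvorado deep link, as an added example written for this article rather than code from Flowtriq or Akvorado. It assumes a hypothetical JSON payload with the field names shown in SAMPLE_BODY, assumes the sender signs the raw body with HMAC-SHA256 carried in a header (the signing scheme is an assumption, not documented Flowtriq behaviour), and builds the Akvorado URL from the template above; the Akvorado base URL and the shared secret are placeholders.

```python
"""Webhook glue between a Flowtriq-style incident payload and Akvorado.

Added example for this article; it is not code from Flowtriq or Akvorado.
Assumptions (hypothetical, not taken from either project's documentation):
  * the webhook body is JSON with the field names in SAMPLE_BODY;
  * the sender signs the raw body with HMAC-SHA256 in a header;
  * Akvorado's console accepts /visualize?start=...&end=...&filter=... as in
    the template above (copy a saved-view URL from your own console version).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

AKVORADO_BASE = "https://your-akvorado.example.com"   # assumed console URL
WEBHOOK_SECRET = b"replace-me"                        # assumed shared secret
PAD = timedelta(minutes=5)   # context shown on each side of the incident window

# Constructed sample body; mirrors the scenario later in the article.
SAMPLE_BODY = json.dumps({
    "incident_id": "inc-0001",
    "server_ip": "203.0.113.45",
    "classification": "SYN Flood",
    "confidence": 0.91,
    "started_at": "2024-05-01T14:22:09Z",
    "ended_at": "2024-05-01T14:27:40Z",
    "peak_pps": 280000,
    "source_ip_count": 14000,
}).encode()


def sign_body(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed header format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Reject bodies not signed by the sender; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(sign_body(body, secret), header_value or "")


def _ts(value: str) -> datetime:
    # fromisoformat() does not accept a trailing 'Z' before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def akvorado_link(incident: dict, base: str = AKVORADO_BASE) -> str:
    """Deep link into Akvorado pre-filtered to the attacked server, padded by PAD."""
    start = _ts(incident["started_at"]) - PAD
    # An incident that is still open has no end yet; fall back to its start.
    end = _ts(incident.get("ended_at") or incident["started_at"]) + PAD
    query = {
        "start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "end": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "filter": "DstAddr=" + incident["server_ip"],   # Akvorado filter expression
    }
    return base + "/visualize?" + urlencode(query)


def slack_message(body: bytes, signature: str, base: str = AKVORADO_BASE) -> dict:
    """Slack incoming-webhook payload for a verified incident; raises on bad signature."""
    if not verify_signature(body, signature):
        raise PermissionError("webhook signature mismatch")
    inc = json.loads(body)
    link = akvorado_link(inc, base)
    text = (
        f"*{inc['classification']}* on {inc['server_ip']} "
        f"(confidence {inc['confidence']:.0%}), peak {inc['peak_pps']:,} pps "
        f"from {inc['source_ip_count']:,} sources\n"
        f"<{link}|Open in Akvorado (attack window, filtered to this server)>"
    )
    return {"text": text, "mrkdwn": True, "akvorado_url": link}


if __name__ == "__main__":
    print(json.dumps(slack_message(SAMPLE_BODY, sign_body(SAMPLE_BODY)), indent=2))
```

The signature check is not decoration: a receiver that pages on-call and posts links into your incident channel on the strength of an unauthenticated POST can be driven by anyone who discovers the endpoint. Whatever signing scheme your webhook source actually offers, verify it before acting on the body.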
Optionally connect BGP mitigation
If you have upstream BGP capability (your own ASN and a transit provider that supports FlowSpec or RTBH), you can configure Flowtriq to push mitigation routes automatically when attacks exceed a configured severity threshold.
Flowtriq supports ExaBGP, GoBGP, BIRD 2, and FRRouting as BGP adapter backends. Configure the adapter in the Flowtriq dashboard under Integrations → BGP, point it at your ExaBGP or GoBGP instance, and define which attack severities trigger upstream mitigation vs local firewall rules only. For most operators, local firewall rules handle attacks that do not saturate the uplink; upstream BGP is reserved for volumetric attacks that would otherwise overwhelm the link before on-server rules can filter.
Akvorado does not run ExaBGP or GoBGP itself; its route enrichment comes from the BMP session your routers open to its collector. What the two tools can share is the router side: the same edge routers that export BMP to Akvorado can peer with the ExaBGP or GoBGP instance that Flowtriq signals through. Keep the BMP session and the mitigation peering as separate sessions so that a mitigation announcement can never be confused with route collection.
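One way to encode the "local rules versus upstream BGP" split described above, as an added example written for this article and not Flowtriq's adapter code. It decides, per incident, between an on-server nftables rule only, a FlowSpec announcement, or an RTBH announcement, and renders the commands. Assumptions: the incident field names are hypothetical; UPLINK_BPS and RTBH_NEXT_HOP are placeholders; an inet filter input nftables chain exists on the host; and the ExaBGP text API lines are written from memory and must be checked against the ExaBGP version you run.

```python
"""Severity-to-mitigation policy for a Flowtriq-style incident.

Added example for this article, not Flowtriq's BGP adapter code. It decides
between an on-server nftables rule only, a FlowSpec announcement, or an RTBH
announcement, and renders the commands. Assumptions: the incident field
names below are hypothetical; UPLINK_BPS and RTBH_NEXT_HOP are placeholders;
an 'inet filter input' nftables chain exists on the host; ExaBGP's text API
syntax is written from memory and must be checked against your ExaBGP version.
"""
from dataclasses import dataclass, field
from typing import Dict, List

UPLINK_BPS = 10_000_000_000       # assumed 10 Gbit/s protected link
UPSTREAM_FRACTION = 0.8           # go upstream once the attack nears line rate
RTBH_NEXT_HOP = "192.0.2.1"       # assumed discard next-hop agreed with transit
BLACKHOLE = "65535:666"           # well-known BLACKHOLE community, RFC 7999

# Reflection/amplification classes match cleanly on the reflector's source port,
# which FlowSpec can drop at the provider edge without touching other traffic.
FLOWSPEC_MATCH: Dict[str, str] = {
    "NTP amplification": "protocol udp; source-port =123;",
    "DNS amplification": "protocol udp; source-port =53;",
}

# Constructed incidents mirroring the article's scenario (hypothetical field names).
SYN_FLOOD = {"target_ip": "203.0.113.45", "classification": "SYN Flood",
             "severity": "high", "peak_bps": 4_200_000_000}
NTP_AMP = {"target_ip": "203.0.113.45", "classification": "NTP amplification",
           "severity": "critical", "peak_bps": 9_500_000_000}


@dataclass
class Plan:
    local_rules: List[str] = field(default_factory=list)   # run on the victim host
    exabgp_lines: List[str] = field(default_factory=list)  # feed to ExaBGP's API


def nft_rule(ip: str, cls: str) -> str:
    """Targeted host rule: filter the attack signature, leave established flows alone."""
    base = f"nft add rule inet filter input ip daddr {ip} "
    if cls == "SYN Flood":
        # Bare SYNs (syn set, ack clear) above 5,000/s are dropped; packets of
        # established connections never match, so existing clients keep their sessions.
        return base + "tcp flags & (syn|ack) == syn limit rate over 5000/second counter drop"
    if cls == "NTP amplification":
        return base + "udp sport 123 counter drop"
    if cls == "DNS amplification":
        return base + "udp sport 53 counter drop"
    # Generic UDP flood: cap aggregate UDP to the target rather than dropping it all.
    return base + "meta l4proto udp limit rate over 50000/second counter drop"


def plan_mitigation(incident: dict, flowspec_ok: bool = True) -> Plan:
    """Always install the host rule; add an upstream announcement only when the
    incident is critical or the attack would saturate the uplink anyway."""
    ip, cls = incident["target_ip"], incident["classification"]
    plan = Plan(local_rules=[nft_rule(ip, cls)])
    saturating = incident["peak_bps"] >= UPSTREAM_FRACTION * UPLINK_BPS
    if incident["severity"] != "critical" and not saturating:
        return plan   # the host can absorb this; do not announce anything upstream
    match = FLOWSPEC_MATCH.get(cls)
    if flowspec_ok and match:
        plan.exabgp_lines.append(
            f"announce flow route {{ match {{ destination {ip}/32; {match} }} "
            f"then {{ discard; }} }}")
    else:
        # Last resort: RTBH discards all traffic to the victim at the provider
        # edge, sacrificing that one address to keep the uplink usable.
        plan.exabgp_lines.append(
            f"announce route {ip}/32 next-hop {RTBH_NEXT_HOP} community [{BLACKHOLE}]")
    return plan


def withdraw_lines(plan: Plan) -> List[str]:
    """Matching withdrawals for when the incident closes; upstream drops must not linger."""
    return [line.replace("announce ", "withdraw ", 1) for line in plan.exabgp_lines]


if __name__ == "__main__":
    for inc in (SYN_FLOOD, NTP_AMP):
        p = plan_mitigation(inc)
        print(inc["classification"], p.local_rules, p.exabgp_lines, withdraw_lines(p))
```

Two design points worth keeping whatever tooling you use: the host rule goes in unconditionally because it is free and immediate, and every upstream announcement has a matching withdrawal generated at the same time, so a blackhole cannot outlive the incident that justified it.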
Investigating an Attack with Both Tools
Here is what the combined workflow looks like when an attack fires. At 14:22:09, a SYN flood targeting a server at 203.0.113.45 hits 280,000 SYN/s from 14,000 source IPs.
Flowtriq (second 1): Alert fires. Classification: SYN Flood, confidence 91%. On-server mitigation rule triggers: rate-limit inbound SYN packets to 5,000/s from source IPs with no established session history. Server stays online. PagerDuty incident created. Slack message sent with attack classification, source country breakdown (US 31%, CN 18%, RU 14%, BR 9%), peak metrics, and a direct link to the Flowtriq incident page. PCAP capture starts with 30-second pre-attack buffer.
Akvorado (available during and after): The Akvorado link in the Slack message opens to the attack window pre-filtered. Akvorado shows the same spike from the router perspective: aggregate traffic to 203.0.113.45 spiked to 4.2 Gbps at 14:22. Flow data shows traffic originating from transit AS 174 (Cogent) dominated the incoming volume, with smaller contributions from two other uplinks. Top source ASNs visible in flow data (approximate due to sampling, but useful for understanding the botnet's upstream distribution). If BGP RTBH is triggered, Akvorado will show the traffic drop to zero when the blackhole route propagates.
After the incident, Flowtriq provides the forensic detail: exact source IP list, confidence-scored classification, PCAP file for submission to abuse desks. Akvorado provides the network-wide context: which uplinks carried attack traffic, how the attack volume compared to your normal traffic baseline on that IP, and what the traffic pattern looked like at the router level. Together, they give you a complete picture at both the server level and the network level.
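The sampling arithmetic behind the blind-spot discussion in "What Flowtriq sees that Akvorado doesn't" and the "approximate due to sampling" caveat in the walkthrough above, as an added example written for this article rather than Akvorado code. The flow records are constructed and use a few column names in the style of Akvorado's flows table (SrcAS, Bytes, Packets, SamplingRate) so the scaling step is recognisable; the traffic figures are invented.

```python
"""Sampling arithmetic behind the blind-spot section and the 'approximate due
to sampling' caveat above. Added example, not Akvorado code; the flow records
are constructed and use a few column names in the style of Akvorado's flows
table (SrcAS, Bytes, Packets, SamplingRate) so the scaling step is recognisable.
"""
from collections import defaultdict
from math import sqrt
from typing import Dict, List, Tuple

# Constructed: sampled records for one 60-second window toward the attacked host.
# Bytes/Packets are the *sampled* counts; SamplingRate is 1:N packet sampling.
WINDOW_S = 60
FLOWS: List[dict] = [
    {"SrcAS": 174,  "Bytes": 12000, "Packets": 200, "SamplingRate": 1000},
    {"SrcAS": 174,  "Bytes": 18000, "Packets": 300, "SamplingRate": 1000},
    {"SrcAS": 174,  "Bytes": 30000, "Packets": 500, "SamplingRate": 1000},
    {"SrcAS": 3356, "Bytes": 6000,  "Packets": 100, "SamplingRate": 1000},
    {"SrcAS": 6939, "Bytes": 600,   "Packets": 10,  "SamplingRate": 1000},
]


def expected_sampled_packets(pps: float, duration_s: float, sampling_rate: int) -> float:
    """Sampled packets a 1:N exporter yields for an attack of pps over duration_s.
    Below a few dozen the count is too noisy to rank sources or alert on."""
    return pps * duration_s / sampling_rate


def estimate_by_src_as(flows: List[dict], window_s: int) -> Dict[int, dict]:
    """Scale each sampled record by its SamplingRate to estimate real bps per
    source AS, and attach the relative standard error, roughly 1/sqrt(n) for
    n sampled packets, so the ranking can be read with the right scepticism."""
    est_bytes: Dict[int, int] = defaultdict(int)
    sampled_pkts: Dict[int, int] = defaultdict(int)
    for f in flows:
        est_bytes[f["SrcAS"]] += f["Bytes"] * f["SamplingRate"]
        sampled_pkts[f["SrcAS"]] += f["Packets"]
    out: Dict[int, dict] = {}
    for asn, b in est_bytes.items():
        n = sampled_pkts[asn]
        out[asn] = {
            "bps": b * 8 / window_s,
            "sampled_packets": n,
            "rel_error": 1 / sqrt(n) if n else float("inf"),
        }
    return out


def ranked(flows: List[dict], window_s: int) -> List[Tuple[int, dict]]:
    """Source ASNs ordered by estimated volume, highest first."""
    est = estimate_by_src_as(flows, window_s)
    return sorted(est.items(), key=lambda kv: kv[1]["bps"], reverse=True)


if __name__ == "__main__":
    print("5 s at 20 kpps, 1:1000 ->", expected_sampled_packets(20000, 5, 1000), "samples")
    for asn, stats in ranked(FLOWS, WINDOW_S):
        print(f"AS{asn}: ~{stats['bps'] / 1e6:.2f} Mbit/s "
              f"from {stats['sampled_packets']} samples (+/-{stats['rel_error']:.0%})")
```

Read the relative error alongside the ranking: an AS that appears in a handful of samples can move several places in the table from one window to the next, which is exactly why the per-AS breakdown is useful for upstream context but not as evidence about the exact source set. For that, use the unsampled source list from the agent.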
Comparison: Akvorado Alone vs Flowtriq Alone vs Both
Akvorado alone: Excellent network analytics. Understand traffic trends, peering, routing, and historical patterns. No real-time attack detection. No per-server visibility below flow sampling granularity. No alerting. No mitigation. Post-hoc investigation only.
Flowtriq alone: Production DDoS detection and response on each server. One-second detection, attack classification, PCAP forensics, automatic mitigation, multi-channel alerting. No aggregate network-wide traffic analytics. No BGP-enriched flow data. No historical traffic exploration UI.
Both together: Full-stack network observability. Akvorado handles the "what does my network look like" question with analytics-grade depth. Flowtriq handles the "is something attacking me right now" question with one-second detection and immediate response. Investigations use both: Flowtriq for the attack detail and forensics, Akvorado for network-wide context and upstream visibility. The two tools complement without overlapping, and each is configured independently of the other.
Infrastructure Requirements
Akvorado requires a server with enough CPU and memory to handle your flow volume and run ClickHouse (typically 4+ cores, 16+ GB RAM for modest deployments; more for high-volume ISP environments). A dedicated server or VM for Akvorado is recommended in production. You also need routers or switches capable of exporting NetFlow, sFlow, or IPFIX — or a software NetFlow exporter on a gateway machine.
Flowtriq requires only the servers you want to protect. The agent is lightweight (typically under 1% CPU on modern hardware), installs in under two minutes, and has no additional infrastructure prerequisites. No dedicated server, no database, no flow infrastructure, no BGP session for basic detection.
This means the combined stack needs no hardware beyond the Akvorado host and the servers you already run: Akvorado handles analytics for your router flow data, and Flowtriq handles per-server protection without touching that infrastructure at all.
Frequently Asked Questions
Does Flowtriq conflict with Akvorado's flow collection?
No. Flowtriq does not generate or consume NetFlow/sFlow data and does not interact with your router flow export infrastructure at all. Akvorado collects flows from your routers; Flowtriq reads traffic directly from server network interfaces. They operate on completely separate data paths and do not interfere with each other.
Can Akvorado detect DDoS attacks?
Akvorado can surface large volumetric anomalies in its analytics UI, and an experienced operator watching the dashboard may notice unusual traffic spikes. It is not designed for real-time automated detection — it does not fire alerts, it does not classify attacks, and it does not apply mitigation. For automated detection and response, Flowtriq is the right layer to add on top of Akvorado.
Can I share BGP infrastructure between Akvorado and Flowtriq?
Partly. Akvorado does not run ExaBGP or GoBGP; its route enrichment comes from a BMP session that your routers open to its collector. What you can share is the router side: the same edge routers that export BMP to Akvorado can peer with the ExaBGP or GoBGP instance that Flowtriq signals through for RTBH or FlowSpec mitigation. Keep the BMP session and the mitigation peering as separate sessions, and tag mitigation announcements with your transit provider's RTBH community (or the well-known BLACKHOLE community 65535:666 from RFC 7999) so they are never mistaken for ordinary routes.
What if I don't have flow infrastructure for Akvorado?
You can deploy Flowtriq without Akvorado entirely — Flowtriq has no dependency on flow infrastructure. If you want to add Akvorado later, a software flow exporter like softflowd can generate NetFlow from a gateway server's mirrored traffic and feed Akvorado without requiring managed switching hardware. The two tools are fully independent and can be adopted in either order.
Add the detection layer to your open-source stack
Flowtriq installs in under 2 minutes on any Linux server. Keep Akvorado for analytics — add Flowtriq for 1-second detection, classification, PCAP, and automated mitigation. 7-day free trial, no credit card.
Start Free Trial →