Why Grafana for DDoS Monitoring
The Flowtriq dashboard gives you everything you need for DDoS detection and incident response. But many teams already have Grafana as their central observability platform, with dashboards for CPU, memory, latency, and uptime. Adding DDoS metrics to Grafana means your NOC can monitor network security alongside infrastructure health in a single pane of glass.
Flowtriq exposes a Prometheus-compatible metrics endpoint on every node. You can scrape these metrics into your existing Prometheus instance and build Grafana panels that show traffic volume, attack events, protocol distribution, and top source IPs. This guide walks through the entire setup, from Prometheus scrape configuration to production-ready Grafana dashboard panels.
Prerequisites
- Flowtriq agent running on at least one node with the Prometheus exporter enabled
- A Prometheus instance (v2.30+) with network access to your Flowtriq nodes
- Grafana (v9+) connected to your Prometheus data source
Step 1: Enable the Prometheus Exporter
The Flowtriq agent exposes metrics on port 9184 by default. Verify the exporter is running by checking the metrics endpoint:
curl http://localhost:9184/metrics
You should see Prometheus-formatted metrics. If the endpoint is not responding, enable the exporter in your agent configuration:
# /etc/flowtriq/agent.yml
prometheus:
  enabled: true
  listen: "0.0.0.0:9184"
  path: "/metrics"
Restart the agent after changing the configuration. For detailed exporter setup and the full list of available metrics, see our Prometheus metrics guide.
Step 2: Configure Prometheus Scraping
Add a scrape job for Flowtriq to your Prometheus configuration:
# prometheus.yml
scrape_configs:
  - job_name: 'flowtriq'
    scrape_interval: 10s
    static_configs:
      - targets:
          - 'node-01.example.com:9184'
          - 'node-02.example.com:9184'
          - 'node-03.example.com:9184'
    relabel_configs:
      - source_labels: [__address__]
        regex: '(.+):9184'
        target_label: 'node'
        replacement: '${1}'
A 10-second scrape interval gives you near-real-time visibility during attacks. For environments with many nodes, consider using Prometheus service discovery (Consul, DNS, or file-based) instead of static targets.
If your Prometheus instance and Flowtriq nodes are on different networks, ensure port 9184 is open in your firewall rules. Restrict access to that port to your Prometheus server's IP address to prevent unauthorized metric scraping.
Key Metrics and Labels
Flowtriq exposes the following metrics, all prefixed with flowtriq_:
flowtriq_traffic_pps              # Packets per second (gauge)
flowtriq_traffic_bps              # Bits per second (gauge)
flowtriq_traffic_fps              # Flows per second (gauge)
flowtriq_attack_active            # Currently active attacks (gauge, 0 or 1)
flowtriq_attack_total             # Total attacks detected (counter)
flowtriq_attack_duration_seconds  # Attack duration histogram
flowtriq_baseline_pps             # Current baseline PPS (gauge)
flowtriq_baseline_bps             # Current baseline BPS (gauge)
flowtriq_protocol_pps             # PPS broken down by protocol (gauge)
flowtriq_top_sources_pps          # PPS from top source IPs (gauge)
Common labels across all metrics include node (the Flowtriq node ID), interface (the monitored network interface), and direction (inbound or outbound). Attack-specific metrics also include severity, vector, and target_ip.
Step 3: Build Grafana Dashboard Panels
Create a new Grafana dashboard and add the following panels. We will provide the PromQL query for each one.
Panel 1: Traffic Overview (Time Series)
This is the primary panel: a time series graph showing inbound packets per second across all nodes. During an attack, the spike is immediately visible.
# Inbound PPS across all nodes
sum(flowtriq_traffic_pps{direction="inbound"}) by (node)
# Inbound BPS (toggle with a Grafana variable)
sum(flowtriq_traffic_bps{direction="inbound"}) by (node)
Set the panel to show both PPS and BPS using a Grafana variable dropdown. Use the "Bytes (SI)" unit for BPS and a custom "pps" unit for the PPS axis. Stack the series if you want to see aggregate traffic across nodes.
Panel 2: Baseline Comparison (Time Series)
Overlay actual traffic against the Flowtriq baseline to visualize how far an anomaly deviates from normal:
# Actual vs baseline for a specific node
flowtriq_traffic_pps{node="edge-gw-01", direction="inbound"}
flowtriq_baseline_pps{node="edge-gw-01", direction="inbound"}
Use a template variable for the node selector so operators can switch between nodes. Color the baseline series in a muted tone (gray or light blue) and the actual traffic in a brighter color.
Panel 3: Attack Timeline (State Timeline)
The state timeline panel shows when attacks are active across your infrastructure:
flowtriq_attack_active{direction="inbound"}
Configure value mappings: 0 maps to "Normal" (green), 1 maps to "Under Attack" (red). This panel gives the NOC an instant overview of which nodes are currently under attack and for how long.
Panel 4: Protocol Distribution (Pie Chart)
See the protocol breakdown of current traffic:
sum(flowtriq_protocol_pps{direction="inbound"}) by (protocol)
During normal operation this panel shows your expected protocol mix. During an attack, one protocol (typically UDP or TCP SYN) dominates the chart, which quickly identifies the attack vector.
Panel 5: Top Source IPs (Table)
Show the top traffic sources during an attack:
topk(10, flowtriq_top_sources_pps{direction="inbound"})
Format this as a table panel sorted by PPS descending. During normal traffic, this shows your highest-volume legitimate sources. During an attack, it reveals the top offenders.
Panel 6: Attack Count Over Time (Stat)
Track how many attacks have been detected in the selected time range:
sum(increase(flowtriq_attack_total[${__range}]))
Use a Stat panel with a large font size. This gives leadership a quick KPI for attack frequency.
Step 4: Grafana Alerting (Optional)
While Flowtriq has its own alerting system (Slack, Discord, PagerDuty), you can also create Grafana alerts based on the Prometheus metrics. This is useful if your team already has Grafana alerting workflows configured.
# Alert when any node's inbound PPS exceeds 5x the baseline
sum(flowtriq_traffic_pps{direction="inbound"}) by (node)
/
sum(flowtriq_baseline_pps{direction="inbound"}) by (node)
> 5
Set the evaluation interval to 10 seconds and the "For" duration to 30 seconds to avoid alerting on brief spikes. Route the Grafana alert to your existing notification channels.
Grafana alerting is a complement to Flowtriq's built-in alerts, not a replacement. Flowtriq's detection engine uses multi-factor analysis (baseline deviation, duration, pattern matching) that a simple PromQL threshold cannot replicate. Use Grafana alerts for additional visibility, not as your primary detection mechanism.
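The following added example (not part of the original guide or of Flowtriq's code) emulates how the 5x ratio alert behaves with a 10-second evaluation interval and a 30-second "For" duration. It divides by a baseline clamped to a minimum of 1, as the flowtriq:baseline_ratio recording rule in this guide does. The function names and sample series are constructed for illustration, and the node reporting a baseline of 0 is an assumed edge case.

```python
# Added example: emulates a ratio alert with a "For" (pending) duration.
# Function names are hypothetical; all sample values are constructed.

EVAL_INTERVAL = 10   # seconds between rule evaluations (from the guide)
FOR_DURATION = 30    # condition must hold this long before the alert fires
THRESHOLD = 5.0      # inbound PPS must exceed 5x the baseline


def baseline_ratio(pps, baseline_pps):
    """Same shape as flowtriq:baseline_ratio: pps / clamp_min(baseline, 1)."""
    return pps / max(baseline_pps, 1.0)


def evaluate(samples):
    """samples: list of (pps, baseline_pps), one pair per evaluation tick.

    Returns one state per tick: 'normal', 'pending' or 'firing'.
    """
    states = []
    breach_started = None  # time at which the condition first became true
    for tick, (pps, baseline) in enumerate(samples):
        now = tick * EVAL_INTERVAL
        if baseline_ratio(pps, baseline) > THRESHOLD:
            if breach_started is None:
                breach_started = now
            held = now - breach_started
            states.append("firing" if held >= FOR_DURATION else "pending")
        else:
            breach_started = None  # any recovery resets the pending timer
            states.append("normal")
    return states


# Constructed series, one pair per 10 s tick, baseline of 20,000 pps.
BRIEF_SPIKE = [(20_000, 20_000), (150_000, 20_000), (160_000, 20_000), (21_000, 20_000)]
SUSTAINED = [(20_000, 20_000)] + [(400_000, 20_000)] * 5
# Assumed edge case: a node reporting a baseline of 0. The clamp avoids a
# division by zero, but 12 pps over a clamped baseline of 1 still breaches 5x.
COLD_NODE = [(0, 0), (12, 0), (12, 0), (12, 0), (12, 0)]

if __name__ == "__main__":
    for name, series in [("brief", BRIEF_SPIKE), ("sustained", SUSTAINED), ("cold", COLD_NODE)]:
        print(f"{name:10s}", evaluate(series))
```

The brief spike never leaves the pending state, the sustained flood fires on the fourth consecutive breaching evaluation, and the zero-baseline node fires on trivial traffic, so such nodes need a minimum-PPS condition or an exclusion if that case can occur.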
Recording Rules for Performance
If you have many nodes, pre-aggregating metrics with Prometheus recording rules improves Grafana query performance:
# prometheus_rules.yml
groups:
  - name: flowtriq_aggregations
    interval: 10s
    rules:
      - record: flowtriq:traffic_pps:sum_by_node
        expr: sum(flowtriq_traffic_pps{direction="inbound"}) by (node)
      - record: flowtriq:traffic_bps:sum_by_node
        expr: sum(flowtriq_traffic_bps{direction="inbound"}) by (node)
      - record: flowtriq:attack_active:sum
        expr: sum(flowtriq_attack_active) by (node)
      - record: flowtriq:baseline_ratio
        expr: >
          sum(flowtriq_traffic_pps{direction="inbound"}) by (node)
          /
          clamp_min(sum(flowtriq_baseline_pps{direction="inbound"}) by (node), 1)
Reference these recording rules in your Grafana panels instead of the raw metrics. The dashboard will load faster, especially over long time ranges.
Importing the Pre-Built Dashboard
We publish a pre-built Grafana dashboard JSON that includes all the panels described above. Import it from the Flowtriq dashboard under Settings > Integrations > Grafana, or download it directly:
curl -o flowtriq-grafana.json \
  https://flowtriq.com/integrations/grafana/dashboard.json
In Grafana, go to Dashboards > Import and upload the JSON file. Select your Prometheus data source when prompted. The dashboard includes template variables for node selection, time range, and metric type (PPS vs BPS).
Tip: For long-term metric storage, consider using Thanos, Cortex, or Grafana Mimir as a Prometheus backend. Flowtriq metrics are lightweight (roughly 500 bytes per scrape per node), so storage costs are minimal even with a 10-second scrape interval.
Prometheus metrics and Grafana integration are available on all Flowtriq plans at $9.99/node/month. The pre-built dashboard is free to download and customize. Start your free trial and have DDoS metrics in Grafana within minutes.