Does DDOS-Guard expose my origin IP?

When properly configured, DDOS-Guard hides your origin server IP behind its proxy network. However, if your origin IP is discovered through DNS history, certificate transparency logs, or other information leaks, attackers can target it directly, bypassing DDOS-Guard entirely. Flowtriq runs on the origin server itself, so it detects and mitigates direct-to-origin attacks regardless of how the attacker found the IP.

How do the pricing models compare?

DDOS-Guard offers plans based on the number of protected domains and bandwidth limits. Flowtriq charges $9.99 per node per month regardless of the number of domains or traffic volume on that server. For operators running many domains on a single server, Flowtriq may be more cost-effective. For operators with one high-traffic domain, DDOS-Guard's pricing may be competitive.

DDOS-Guard vs Flowtriq: Proxy Scrubbing vs Agent-Based Detection

Q: Can Flowtriq protect services that DDOS-Guard cannot?

Yes. DDOS-Guard operates as a reverse proxy, which means it protects HTTP and HTTPS traffic that passes through its infrastructure. Flowtriq runs on the server itself and monitors all traffic regardless of protocol. Game servers (UDP), VoIP (SIP/RTP), mail servers (SMTP), DNS servers, and custom TCP/UDP applications all get the same sub-second detection and automated mitigation.

Back to Blog

Different Protection Models

DDOS-Guard operates as a reverse proxy and content delivery network. Your DNS records point to DDOS-Guard's infrastructure, and all HTTP/HTTPS traffic passes through their network where it is inspected and filtered. Malicious requests are dropped before they reach your origin server. DDOS-Guard also offers L3/L4 protection through GRE tunnel-based traffic diversion for non-HTTP services.

Flowtriq runs directly on your servers. The FTAgent reads kernel-level network statistics every second, detecting DDoS attacks across all protocols and ports. When an attack is detected, it applies local firewall rules (iptables/nftables) within the same second, then can escalate through BGP FlowSpec, RTBH, and cloud scrubbing as the attack grows.

The key distinction: DDOS-Guard protects your servers from upstream traffic by filtering it before it arrives. Flowtriq protects your servers from all traffic by detecting and mitigating directly on the machine. These are complementary approaches, not competing ones.

Architecture Comparison

Dimension	DDOS-Guard	Flowtriq
Protection model	Reverse proxy + CDN + GRE tunnels	On-node agent with 4-level mitigation
HTTP/HTTPS protection	Yes (primary strength)	Yes (via kernel-level detection)
Non-HTTP protocols	GRE tunnel mode for L3/L4	Native detection for all protocols
Origin IP visibility	Hidden behind proxy (if configured correctly)	N/A (runs on the server directly)
Detection speed	Depends on proxy pipeline	Under 1 second per node
Per-server visibility	Per-domain or per-IP	Per-server with independent baselines
PCAP forensics	Not available (traffic cleaned upstream)	Full PCAP for every incident
SSL termination	At DDOS-Guard edge (requires cert upload)	Not required (monitors at network level)

Where DDOS-Guard Fits Well

DDOS-Guard works well for organizations that primarily need HTTP/HTTPS protection and want an external proxy to absorb traffic before it reaches the origin server.

Web-only services where all traffic is HTTP/HTTPS and can be proxied
Organizations that want origin IP hiding as part of their defense strategy
Content-heavy sites that benefit from CDN caching alongside DDoS protection
Budget-focused operators looking for combined CDN + DDoS protection in a single service

Where Flowtriq Fits Well

Flowtriq works well for operators running non-HTTP services, managing multi-node infrastructure, or needing per-server forensics and visibility.

Game servers, VoIP, mail servers and other non-HTTP services that cannot be proxied
Hosting providers managing hundreds of customer servers with different service types
Infrastructure behind existing proxies that needs detection for direct-to-origin attacks
Operators who need PCAP evidence for compliance, incident reporting, or customer communication
Multi-node environments where each server needs independent monitoring and baselines

The Origin IP Problem

Proxy-based services like DDOS-Guard rely on hiding your origin server's real IP address. If an attacker discovers the origin IP through DNS history records, certificate transparency logs, email headers, or other information leaks, they can target it directly, bypassing the proxy entirely.

Flowtriq runs on the origin server itself. If an attacker discovers and targets the origin IP, Flowtriq detects the attack in under 1 second and applies firewall rules locally. This is particularly relevant for operators who have previously exposed their origin IPs or who run services that reveal server addresses by design.

Using Both Together

The strongest posture combines upstream filtering with local detection:

DDOS-Guard filters HTTP/HTTPS traffic upstream before it reaches your servers
Flowtriq monitors each server directly for attacks that bypass the proxy or target non-HTTP services
If origin IPs are discovered, Flowtriq provides the local defense that proxy-based protection cannot
PCAP forensics from Flowtriq document every incident regardless of where the attack was filtered

Try Flowtriq free for 14 days. Agent-based detection for all protocols and ports. Sub-second response, PCAP forensics, and automated mitigation on your existing servers. No credit card required. Start your trial.

FAQ

Is Flowtriq a replacement for DDOS-Guard?

They protect different parts of your infrastructure. DDOS-Guard is a reverse proxy that filters HTTP/HTTPS traffic before it reaches your web server. Flowtriq runs on your servers and detects DDoS attacks across all protocols and ports. For HTTP-only services, either can provide protection. For non-HTTP services, Flowtriq provides coverage that the proxy model does not.

Can Flowtriq protect services that DDOS-Guard cannot?

Yes. DDOS-Guard's primary model is reverse proxy, which covers HTTP and HTTPS. Flowtriq monitors all traffic regardless of protocol. Game servers (UDP), VoIP (SIP/RTP), mail servers (SMTP), DNS, and custom TCP/UDP applications all get the same sub-second detection and automated mitigation.

What if my origin IP gets discovered?

When your origin IP is exposed, proxy-based protection is bypassed. Flowtriq runs on the server itself, so it detects and mitigates direct-to-origin attacks regardless of how the attacker found the IP.

How do pricing models compare?

DDOS-Guard offers plans based on protected domains and bandwidth limits. Flowtriq charges $9.99 per node per month regardless of the number of domains or traffic volume. For operators running many domains on one server, per-node pricing is simpler and often more cost-effective.

Back to Blog

DDOS-Guard vs Flowtriq:Proxy Scrubbing vs Agent-Based Detection

Different Protection Models

Architecture Comparison

Where DDOS-Guard Fits Well

Where Flowtriq Fits Well

The Origin IP Problem

Using Both Together

FAQ

Related Articles

DDOS-Guard Alternative

Nexusguard vs Flowtriq

DDoS protection without Cloudflare

DDOS-Guard vs Flowtriq:
Proxy Scrubbing vs Agent-Based Detection