Why Proxmox Needs DDoS Monitoring
Proxmox VE is popular with hosting providers, homelabbers, and small-to-mid-size infrastructure teams. It runs KVM virtual machines and LXC containers on the same hypervisor, often on hardware with 1G or 10G uplinks. A DDoS attack targeting any guest on the node can saturate the physical NIC and affect every other guest.
Proxmox itself has no built-in DDoS detection. Its firewall (pve-firewall) handles access control rules but does not perform traffic baselining, anomaly detection, or automated mitigation. You need something monitoring the traffic continuously and reacting when patterns change.
ftagent solves this by running on the Proxmox host, inside VMs, or inside LXC containers. It reads kernel-level traffic stats every second, builds dynamic baselines, and triggers automated mitigation when attacks cross thresholds.
Hypervisor-Level vs VM-Level Detection
There are two fundamentally different approaches to DDoS detection on Proxmox, and each has trade-offs.
Hypervisor-level (on the Proxmox host)
Install ftagent directly on the Proxmox VE host. The agent monitors the bridge interface (typically vmbr0) and sees all traffic flowing to and from every VM and container on that node.
- One agent covers all guests on the node
- Sees traffic before it enters any VM or container
- Firewall rules on the host affect all guests
- Cannot distinguish which specific guest is the target (aggregate view)
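The aggregate view on vmbr0 does not name the targeted guest, but the host's own per-interface counters can. The following is an added example, not ftagent code and not from the original page: it diffs two /proc/net/dev snapshots and ranks guests by inbound packet rate. It assumes Proxmox's host-side guest NIC naming (tap<vmid>i<n> for KVM, veth<ctid>i<n> for LXC), and the snapshots are constructed sample data.

```python
import re

# Assumed Proxmox host-side guest NIC names: tap<vmid>i<n> (KVM), veth<ctid>i<n> (LXC).
GUEST_IF = re.compile(r"^(?:tap|veth)(\d+)i\d+$")

def parse_proc_net_dev(text):
    """Return {iface: (tx_bytes, tx_packets)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:              # first two lines are headers
        name, _, data = line.partition(":")
        fields = data.split()
        if len(fields) >= 16:                       # 8 RX columns, then 8 TX columns
            counters[name.strip()] = (int(fields[8]), int(fields[9]))
    return counters

# On the host, TX on a tap/veth is traffic delivered to the guest (guest RX).
def inbound_per_guest(before, after, interval_s):
    """Rank guests by inbound packets/s; returns [(guest_id, (pps, bits_per_s))]."""
    rates = {}
    for iface, (b1, p1) in after.items():
        m = GUEST_IF.match(iface)
        if not m or iface not in before:
            continue                                # not a guest NIC, or guest just started
        b0, p0 = before[iface]
        if p1 < p0 or b1 < b0:
            continue                                # counters reset (guest restarted)
        guest = int(m.group(1))
        pps, bps = rates.get(guest, (0.0, 0.0))     # sum NICs of multi-NIC guests
        rates[guest] = (pps + (p1 - p0) / interval_s,
                        bps + 8 * (b1 - b0) / interval_s)
    return sorted(rates.items(), key=lambda kv: kv[1][0], reverse=True)

# Constructed snapshots taken 1 s apart (header abbreviated; not real capture data).
HDR = "Inter-| Receive | Transmit\n face |bytes packets ...|bytes packets ...\n"
SNAP_T0 = HDR + """\
    vmbr0: 9000 90 0 0 0 0 0 0 7000 70 0 0 0 0 0 0
 tap100i0: 5000 50 0 0 0 0 0 0 900000 1000 0 0 0 0 0 0
 tap101i0: 4000 40 0 0 0 0 0 0 400000 500 0 0 0 0 0 0
veth200i0: 3000 30 0 0 0 0 0 0 100000 200 0 0 0 0 0 0
"""
SNAP_T1 = HDR + """\
    vmbr0: 9900 99 0 0 0 0 0 0 7700 77 0 0 0 0 0 0
 tap100i0: 5500 55 0 0 0 0 0 0 960000 1100 0 0 0 0 0 0
 tap101i0: 4400 44 0 0 0 0 0 0 64400000 1000500 0 0 0 0 0 0
veth200i0: 3300 33 0 0 0 0 0 0 130000 250 0 0 0 0 0 0
"""
if __name__ == "__main__":
    t0, t1 = parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1)
    for guest, (pps, bps) in inbound_per_guest(t0, t1, 1.0):
        print(f"guest {guest}: {pps:,.0f} pps, {bps / 1e6:,.1f} Mbit/s inbound")
```

On a live host, read /proc/net/dev twice with a known interval and pass both parsed snapshots in; the guest ID in the result is the VMID or CTID shown in the Proxmox UI.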
VM/Container-level (inside guests)
Install ftagent inside each Linux VM or LXC container. Each guest gets its own Flowtriq node, its own baseline, and its own independent mitigation.
- Per-tenant visibility: know exactly which guest is targeted
- Independent baselines adapt to each guest's traffic patterns
- Mitigation rules only affect the targeted guest
- Give tenants read-only dashboard access to their own node
- More agents to manage (one per guest)
Many operators combine both approaches: a hypervisor-level agent for aggregate visibility, plus guest-level agents on critical VMs where per-tenant detection matters.
LXC Container Deployment
For LXC containers on Proxmox, ftagent installs the same way as any Linux server:
pip install ftagent --break-system-packages
sudo ftagent --setup
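Privileged LXC containers work without any extra configuration. For unprivileged containers, you need to grant the NET_ADMIN capability so ftagent can deploy firewall rules. Add the line below to the container's configuration in /etc/pve/lxc/<id>.conf. It also keeps SYS_PTRACE, and because lxc.cap.keep drops every capability that is not listed, verify that the container's other services still start after the change: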
lxc.cap.keep: net_admin sys_ptrace
Without NET_ADMIN, ftagent still runs in limited mode (detection and alerting only, no firewall rule deployment).
KVM VM Deployment
Inside a KVM virtual machine, ftagent runs identically to a bare-metal install. There are no special considerations. Install via pip, run the setup wizard, and the agent starts monitoring the VM's virtual NIC.
PCAP capture, full firewall rule deployment, and all mitigation options work without modification inside KVM guests.
Monitoring a Proxmox Cluster
For multi-node Proxmox clusters, install ftagent on each node. Each Proxmox host gets its own Flowtriq node in the dashboard. You see the entire cluster from one workspace:
- Per-node traffic graphs and baselines
- Per-node incident history
- Per-node mitigation rules
- Aggregate alerts across the cluster
If a VM migrates between Proxmox nodes (live migration), the hypervisor-level agent on the new node picks up the traffic automatically. If you are running guest-level agents, the agent inside the VM continues working regardless of which physical host it runs on.
Getting Started
- Sign up for Flowtriq (14-day free trial)
- Add a node in the dashboard for each Proxmox host or guest
- Install ftagent:
pip install ftagent && sudo ftagent --setup
- Or use the Docker image on each node: hub.docker.com/r/flowtriq/ftagent
For the full integration reference, see the Proxmox VE integration page.
Need help? If you have questions about the best deployment model for your Proxmox environment, reach out and we will help you plan the rollout.