Why Self-Hosted Matters
There are legitimate reasons to keep your DDoS detection data on your own infrastructure:
- Data sovereignty: Regulations in some jurisdictions require network telemetry to stay within specific geographic boundaries
- Customer privacy: ISPs and hosting providers may have contractual obligations not to share customer traffic metadata with third parties
- Security policy: Your organization's security policy may prohibit exporting network telemetry to external platforms
- Air-gapped networks: Some environments have no internet connectivity and cannot reach a cloud dashboard
- Competitive intelligence: Your traffic patterns, customer base, and capacity data are competitive information
These are not edge cases. Many ISPs, government networks, financial institutions, and privacy-focused hosting providers have one or more of these constraints.
How ftagent Works Locally
The ftagent runs entirely on your server. It reads kernel-level network counters from /proc and /sys every second. This data never leaves the machine. The agent processes it locally to build baselines, detect anomalies, and classify attacks.
    # What ftagent reads (all local kernel data):
    /proc/net/snmp           - TCP/UDP/ICMP protocol counters
    /proc/net/netstat        - Extended TCP statistics
    /sys/class/net/eth0/     - Per-interface byte/packet counters
    /proc/net/nf_conntrack   - Connection tracking table
The only outbound communication is to the Flowtriq API for dashboard display and alert routing. For fully self-hosted deployments, this communication can be disabled entirely. The agent continues detecting and mitigating locally without any external connectivity.
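The per-second counter sampling described above can be sketched as follows. This is an added example, not ftagent's code: the watched counters, the threshold rule (factor and floor) and the sample snapshots are assumptions constructed for illustration.

```python
"""Added example (not ftagent code): per-second rates from /proc/net/snmp."""

WATCHED = [("Udp", "InDatagrams"), ("Icmp", "InMsgs"), ("Tcp", "InSegs")]

def parse_snmp(text):
    """Parse the file's line pairs ('Proto: names' / 'Proto: values') into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines; truncated read?")
    table = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        vproto, vals = values.split(":", 1)
        names, vals = names.split(), vals.split()
        if proto != vproto or len(names) != len(vals):
            raise ValueError(f"malformed pair for {proto!r}")
        table[proto] = dict(zip(names, map(int, vals)))  # gauges may be -1
    return table

def rates(prev, curr, seconds=1.0):
    """Counter deltas per second; a counter that went backwards (reset) is skipped."""
    out = {}
    for proto, name in WATCHED:
        delta = curr[proto][name] - prev[proto][name]
        if delta >= 0:
            out[f"{proto}.{name}"] = delta / seconds
    return out

def anomalies(rate, baseline, factor=5.0, floor=1000.0):
    """Assumed rule: flag a rate above max(floor, factor * baseline)."""
    return sorted(k for k, v in rate.items()
                  if v > max(floor, factor * baseline.get(k, 0.0)))

# Constructed snapshots, abbreviated to a few fields per protocol.
# On a live host, use open("/proc/net/snmp").read() instead.
def snapshot(icmp_in, tcp_in, udp_in):
    return (f"Icmp: InMsgs InErrors OutMsgs\nIcmp: {icmp_in} 0 1180\n"
            f"Tcp: RtoAlgorithm MaxConn InSegs OutSegs\nTcp: 1 -1 {tcp_in} 880000\n"
            f"Udp: InDatagrams NoPorts InErrors OutDatagrams\nUdp: {udp_in} 12 0 49000\n")

SNAP_T0 = snapshot(1200, 900000, 50000)   # t
SNAP_T1 = snapshot(1210, 902000, 290000)  # t + 1 second

if __name__ == "__main__":
    r = rates(parse_snmp(SNAP_T0), parse_snmp(SNAP_T1))
    base = {"Udp.InDatagrams": 400.0, "Tcp.InSegs": 2100.0, "Icmp.InMsgs": 8.0}
    print(r, anomalies(r, base))
```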
Local Mitigation
When the agent detects an attack, it deploys iptables or nftables rules directly on the server. No external service needed. Rules are created, managed, and removed locally:
    # ftagent deploys local mitigation:
    iptables -I FTAGENT -p udp --sport 53 -m length --length 512:65535 -j DROP
    # Rule added automatically, removed when attack ends
For operators with BGP infrastructure, ftagent can push FlowSpec or RTBH routes to a local ExaBGP or GoBGP instance on your network. The BGP session stays within your infrastructure.
Hybrid Mode
Most operators choose a hybrid approach: the agent runs locally and does all detection and mitigation on the server. It reports summary metrics (PPS, bandwidth, incident status) to the Flowtriq cloud dashboard for centralized visibility and alerting. Raw packet data and PCAP captures stay on the server.
This gives you the centralized dashboard experience without exposing detailed traffic telemetry to external systems. You see which servers are healthy, which are under attack, and what the incident details are. The underlying traffic data stays on your infrastructure.
PCAP Storage
During detected incidents, ftagent captures packets locally and stores PCAPs on the server's filesystem. You control where PCAPs are stored, how long they are retained, and who can access them. The captures are available for analysis with Wireshark, tshark, or the Flowtriq dashboard (if connected).
    # PCAP storage configuration:
    FTAGENT_PCAP_DIR=/var/lib/ftagent/pcap
    FTAGENT_PCAP_RETENTION=30d
    FTAGENT_PCAP_MAX_SIZE=10GB
Flow Source Ingestion
For ISPs who want flow-based detection without exporting NetFlow to a cloud service, Flowtriq's flow source can run on your own infrastructure. Point your router flow exports at a server on your network running the Flowtriq flow collector. All flow processing happens on your hardware.
FAQ
Can I run the Flowtriq dashboard on my own server?
The dashboard is currently SaaS-only. For fully self-hosted needs, the agent runs independently with local alerting via webhooks, syslog, or email. Dashboard self-hosting is on the roadmap for enterprise customers.
Does offline mode affect detection quality?
No. All detection logic runs in the agent. The cloud dashboard is for visualization and centralized management. Detection speed, accuracy, and mitigation work identically whether the agent is connected to the cloud or not.
What about updates?
Agent updates are distributed via PyPI or Docker Hub. For air-gapped environments, download the package and install offline.
Keep your data on your infrastructure. ftagent runs locally with full detection and mitigation. Connect to the cloud dashboard for visibility, or run fully offline.