
Two Approaches, Same Result

Most firewall and router platforms give you only one option for DDoS detection: export NetFlow to an external collector. pfSense, OPNsense, MikroTik, Juniper, Cisco: they all work this way because you cannot install arbitrary software on their OS.

VyOS is different. It runs on Debian Linux with a full userspace. Python is installed, systemd is available, and iptables works exactly like it does on any other Linux box. This means you can install ftagent directly on the router and get the same detection capabilities you would get on a bare-metal server.

You can also use the traditional NetFlow export approach if you prefer to keep the router clean. VyOS has built-in flow-accounting that exports NetFlow v5, v9, or IPFIX to any collector.

Both approaches give you full DDoS detection and attack classification. The differences are in detection speed, capture capabilities, and resource usage on the router.

Option 1: Direct Install

Install ftagent directly on VyOS. This is the recommended approach for most deployments.

Setup

SSH into your VyOS router:

curl -sL https://get.flowtriq.com | sudo bash

Or install manually:

sudo pip3 install ftagent
sudo ftagent --setup

During setup, select "direct" mode and specify your WAN interface (e.g., eth0). ftagent starts as a systemd service and begins monitoring immediately.

What you get

  • Sub-second detection: ftagent reads kernel counters every second, so attacks are detected in under 1 second rather than the 15-60 seconds typical of NetFlow export.
  • PCAP capture: ftagent can capture full packets during attacks for forensic analysis and abuse reporting.
  • On-router firewall rules: When an attack is detected, ftagent deploys iptables rules directly on VyOS to drop attack traffic at the kernel level.
  • No external server: Everything runs on the router. No separate Linux host needed.

Resource usage

ftagent uses under 1% CPU and about 100 MB RAM on a typical VyOS router. For routers handling under 1 Gbps of traffic, this is negligible. For high-throughput routers (10 Gbps+), the NetFlow approach may be more appropriate to keep the router's resources focused on packet forwarding.
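To make the "reads kernel counters every second" point concrete, here is an added illustration (not ftagent's code) of what sub-second direct-mode detection looks like: it parses the per-interface packet counters Linux exposes in /proc/net/dev, keeps a smoothed baseline of received packets per second on the WAN interface, and flags a sample that blows past it. The /proc/net/dev samples, the eth0 name and the thresholds are constructed assumptions.

```python
# Added illustration, not ftagent's code: sub-second detection by polling the
# kernel's per-interface packet counters as exposed in /proc/net/dev. The
# samples here are constructed; on VyOS, pass open("/proc/net/dev").read()
# to observe() once per second instead.

def parse_proc_net_dev(text):
    """Return {iface: (rx_packets, tx_packets)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:            # skip the two header lines
        name, sep, rest = line.partition(":")
        fields = rest.split()                     # 8 rx fields then 8 tx fields
        if sep and len(fields) >= 16:             # rx packets is 2nd, tx packets 10th
            counters[name.strip()] = (int(fields[1]), int(fields[9]))
    return counters

class PpsDetector:
    """EWMA baseline of received packets/s; alert when one sample exceeds both
    an absolute floor and `factor` times the baseline learned so far."""

    def __init__(self, iface, floor_pps=50_000, factor=5.0, alpha=0.2):
        self.iface, self.floor, self.factor, self.alpha = iface, floor_pps, factor, alpha
        self.prev = self.baseline = None

    def observe(self, text, interval=1.0):
        """Feed one sample taken `interval` s after the last; return (rx_pps, alert)."""
        rx = parse_proc_net_dev(text)[self.iface][0]
        if self.prev is None:
            self.prev = rx
            return 0.0, False
        rate = max(rx - self.prev, 0) / interval  # counters only grow; guard a reset
        self.prev = rx
        if self.baseline is None:
            self.baseline = rate
            return rate, False
        alert = rate > self.floor and rate > self.factor * self.baseline
        if not alert:                             # keep attack traffic out of the baseline
            self.baseline = self.alpha * rate + (1 - self.alpha) * self.baseline
        return rate, alert

def sample(rx_packets):
    """Constructed /proc/net/dev text with a single WAN interface eth0."""
    return ("Inter-|   Receive                        |  Transmit\n"
            " face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed\n"
            f"  eth0: 5000 {rx_packets} 0 0 0 0 0 0 4000 120 0 0 0 0 0 0\n")

def run_demo():
    """Four quiet seconds at ~2,000 pps, then a 300,000 pps flood in the fifth."""
    det = PpsDetector("eth0")
    return [det.observe(sample(c)) for c in (0, 2000, 4100, 6000, 8100, 308100)]
```

Because the detector sees the jump on the very next one-second sample, the alert fires one poll after the flood starts; the same flood seen through batched flow export cannot be noticed until the batch reaches the collector.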

Option 2: NetFlow Export

Export NetFlow from VyOS to an external Linux host running ftagent. No software installed on the router.

Setup

First, install ftagent on an external Linux host:

curl -sL https://get.flowtriq.com | sudo bash

Then configure VyOS flow-accounting. SSH into VyOS and enter configure mode:

configure

set system flow-accounting interface eth0
set system flow-accounting netflow version 9
set system flow-accounting netflow server 10.0.0.50 port 2055
set system flow-accounting netflow timeout expiry-interval 60
set system flow-accounting netflow source-address 203.0.113.1

commit
save

Replace eth0 with your WAN interface, 10.0.0.50 with your ftagent host IP, and 203.0.113.1 with your VyOS WAN IP.

Use our VyOS setup generator to get these commands pre-filled for your environment.

What you get

  • Zero software on the router: VyOS handles only flow export. All analysis runs externally.
  • Minimal router overhead: flow-accounting is lightweight and designed for production routers.
  • Full attack classification: the same 7+ attack families are detected via NetFlow as via direct monitoring.
  • Multi-protocol support: NetFlow v5, v9, and IPFIX all work.

Tradeoffs

  • 15-60 second detection latency: Flows are batched before export. You lose sub-second detection.
  • No PCAP: NetFlow is metadata only. No packet payloads for forensic analysis.
  • No on-router firewall rules: ftagent deploys rules on the external host, not on VyOS. For router-level blocking, use BGP FlowSpec.
  • Requires external server: You need a Linux host to run ftagent. A VM or small VPS works.
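As an added illustration of the collector side (not ftagent's code), the block below runs simple volumetric detection over NetFlow v9 records that a collector has already decoded into dicts keyed by the v9 field names: it aggregates one export batch per destination, computes packets per second and the number of distinct sources, and picks the busiest protocol/port pair. The batch, the documentation-prefix addresses and the thresholds are constructed; the field names assumed are IPV4_SRC_ADDR, IPV4_DST_ADDR, PROTOCOL, L4_DST_PORT and IN_PKTS.

```python
# Added illustration, not ftagent's code: collector-side detection over NetFlow v9
# records that a collector has already decoded into dicts keyed by the v9 field
# names (IPV4_SRC_ADDR, IPV4_DST_ADDR, PROTOCOL, L4_DST_PORT, IN_PKTS). The batch
# is constructed and covers one 60 s export window, so an alert can only fire once
# that window has been exported; with no payload available, the only classification
# possible is by protocol and port.
from collections import defaultdict

def aggregate(records, window_s):
    """Per-destination pps, distinct source count and busiest (proto, port) for one batch."""
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "ports": defaultdict(int)})
    for r in records:
        s = stats[r["IPV4_DST_ADDR"]]
        s["pkts"] += r["IN_PKTS"]
        s["srcs"].add(r["IPV4_SRC_ADDR"])
        s["ports"][(r["PROTOCOL"], r["L4_DST_PORT"])] += r["IN_PKTS"]
    return {dst: {"pps": s["pkts"] / window_s, "sources": len(s["srcs"]),
                  "top": max(s["ports"], key=s["ports"].get)}
            for dst, s in stats.items()}

def find_targets(records, window_s=60, pps_threshold=20_000, min_sources=50):
    """Destinations hit by a many-source flood above pps_threshold."""
    return {dst: v for dst, v in aggregate(records, window_s).items()
            if v["pps"] > pps_threshold and v["sources"] >= min_sources}

def constructed_batch():
    """Ten HTTPS clients talking to 203.0.113.20 plus a UDP/53 flood from
    200 distinct sources against 203.0.113.10 (documentation prefixes)."""
    recs = [{"IPV4_SRC_ADDR": f"198.51.100.{i}", "IPV4_DST_ADDR": "203.0.113.20",
             "PROTOCOL": 6, "L4_DST_PORT": 443, "IN_PKTS": 300} for i in range(1, 11)]
    recs += [{"IPV4_SRC_ADDR": f"192.0.2.{i}", "IPV4_DST_ADDR": "203.0.113.10",
              "PROTOCOL": 17, "L4_DST_PORT": 53, "IN_PKTS": 9000} for i in range(1, 201)]
    return recs
```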

When to Use Which

Here is a practical decision framework:

Use direct install when:

  • Your VyOS router handles under 1 Gbps of traffic
  • You want the fastest possible detection (sub-second)
  • You need PCAP capture for forensic analysis or abuse reports
  • You want on-router firewall rules that drop traffic before it reaches downstream servers
  • You do not want to manage a separate monitoring server

Use NetFlow export when:

  • Your VyOS router handles high throughput (multiple Gbps)
  • You want to keep the router as lightweight as possible
  • Your VyOS is a virtual appliance with limited CPU/RAM
  • You already have a monitoring server you can co-locate ftagent on
  • Your organization has a policy against installing third-party software on network devices

For most operators running VyOS on dedicated hardware at moderate traffic levels, direct install is the better choice. You get faster detection, more capabilities, and simpler architecture. Reserve NetFlow mode for situations where router resources are genuinely constrained.

Switching Between Modes

You can switch between modes at any time. There is no lock-in. If you start with NetFlow and later want the faster detection of direct install, just install ftagent on VyOS and remove the flow-accounting configuration. The Flowtriq dashboard node works identically regardless of which mode feeds it data.

You can even run both simultaneously during a transition period: direct install for primary detection, with NetFlow as a secondary feed. ftagent handles deduplication automatically.

BGP Integration

VyOS operators often run BGP sessions with upstream providers. Flowtriq integrates with BGP for automated mitigation:

  • BGP FlowSpec: Push granular filtering rules to your BGP peers when an attack is detected. Drop traffic matching the attack signature at the upstream edge.
  • RTBH (Remotely Triggered Black Hole): For severe volumetric attacks, announce a blackhole route for the targeted IP to your upstream. Traffic is dropped before it reaches your network.

Both work in direct install and NetFlow mode. The BGP integration is configured in the Flowtriq dashboard under your node's mitigation settings.

Start your free 14-day trial. Protect your VyOS network with real-time DDoS detection. Choose direct install or NetFlow, have it running in 5 minutes. No credit card required. Sign up here.
