
We sell Flowtriq, a purpose-built DDoS detection platform. ntopng is not a direct competitor; it is a network traffic monitoring tool that some operators use as a substitute for DDoS detection. This post walks through the gaps those operators run into when they do, and how Flowtriq addresses each of them.

Where ntopng genuinely excels

ntopng is a genuinely excellent network monitoring tool. It provides real-time traffic visibility, protocol breakdowns, flow analysis, and host-level statistics with a well-designed web interface. For understanding what traffic is flowing through your network, identifying bandwidth hogs, troubleshooting connectivity issues, and monitoring network health, ntopng is one of the best tools available.

It is open source, it has an active community, and the ntop team has been building network analysis tools for over two decades. The deep packet inspection engine is impressive, and the protocol detection covers hundreds of applications.

The issue is not that ntopng is bad. The issue is that people try to use it as something it was never designed to be: a DDoS detection and mitigation platform.

No BGP blackhole capability

The most fundamental gap for DDoS response is the absence of BGP mitigation integration.

"[This tool] is great for seeing what's happening, but when you're under attack, it can't do anything about it. There's no BGP blackhole, no FlowSpec, no automated mitigation. You're watching your network get hammered and then manually scrambling to push routes."

DDoS detection without automated mitigation is a monitoring dashboard, not a defense system. When an attack hits, the value of detection depends entirely on how quickly mitigation follows. If mitigation requires a human to SSH into a router, type BGP commands, and announce blackhole routes manually, the response time is measured in minutes at best.

Flowtriq detects attacks and triggers BGP FlowSpec, RTBH, firewall rules, or cloud scrubbing automatically. The detection-to-mitigation path is automated and fires within seconds. The operator is notified, but mitigation does not wait for human intervention.

UDP fragments: 20 Gbps of invisible traffic

One of the most surprising gaps in ntopng for DDoS use is its handling of UDP fragments.

"We had a 20 Gbit attack that was completely invisible in [this tool]. The traffic was all UDP fragments, and the analysis engine just did not account for it. We only knew we were under attack because our upstream provider called us."

UDP fragmentation is a common component of amplification attacks. Attackers elicit large responses from open reflectors (DNS resolvers, NTP servers, CLDAP endpoints) with the source address spoofed to the victim, and responses larger than the path MTU reach the victim as IP fragments. Only the first fragment carries the UDP header; every later fragment has an IP header and payload but no ports, so a tool that keys traffic on the 5-tuple cannot attribute those packets to a flow and will either undercount them or lump them into an unattributed bucket. A monitoring tool that does not account for fragmented UDP traffic therefore misses a significant portion of DDoS attack volume. When the tool says you are receiving 5 Gbps but your upstream sees 25 Gbps, the gap is often in fragmented traffic.

Flowtriq monitors at the kernel counter level, which captures all traffic including fragments. In /proc/net/snmp the Ip: InReceives counter increments for every packet the host receives, fragments included, and ReasmReqds counts the fragments that needed reassembly; the Udp: InDatagrams counter, by contrast, increments only after reassembly, which is why a UDP-level view undercounts an attack that arrives as fragments. The byte counters on the interface do not care about fragmentation either. What the kernel sees, the agent reports. One caveat for any host-side counter: it measures what reached the host, so volume dropped before it arrived still has to come from your upstream's telemetry.
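As an added example (this is not Flowtriq's agent code), the script below shows what counting at the kernel level looks like in practice: it parses two snapshots of /proc/net/snmp, diffs the Ip and Udp counters over the interval, and flags a fragment-dominated inbound rate. The counter names are the kernel's own; the two snapshots, the one-second interval and the thresholds are constructed to model an amplification attack arriving as fragments.

```python
"""Fragment-aware inbound rate check built on /proc/net/snmp.

Added example, not Flowtriq's agent. Counter names are the kernel's; the two
snapshots, the 1 s interval and the thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

SnmpTables = Dict[str, Dict[str, int]]

# Constructed snapshots, 1 second apart, modelling an amplification attack that
# arrives almost entirely as UDP fragments. Only the Ip and Udp rows are shown.
SNAP_T0 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
Ip: 1 64 1000000 0 0 0 0 0 990000 800000 0 0 100 20000 6000 2000 0 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 300000 50 0 250000 0 0 0 0
"""
SNAP_T1 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
Ip: 1 64 3400000 0 0 0 0 0 1010000 800500 0 0 4100 2220000 6500 700000 0 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 312000 50 0 250400 0 0 0 0
"""


def parse_snmp(text: str) -> SnmpTables:
    """Parse /proc/net/snmp. Each protocol contributes a header line of field
    names followed by a line of values under the same 'Proto:' prefix, so the
    parser is keyed by name and survives fields added by newer kernels."""
    tables: SnmpTables = {}
    headers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, _, rest = line.partition(":")
        fields = rest.split()
        if proto not in headers:
            headers[proto] = fields                      # header line
        else:
            tables[proto] = dict(zip(headers.pop(proto), map(int, fields)))
    return tables


def read_live() -> SnmpTables:
    """Snapshot the real counters (Linux only)."""
    with open("/proc/net/snmp") as f:
        return parse_snmp(f.read())


@dataclass
class FragmentReport:
    inbound_pps: float       # Ip.InReceives: every packet, fragments included
    fragment_pps: float      # Ip.ReasmReqds: fragments that needed reassembly
    fragment_share: float    # fragment_pps / inbound_pps
    reasm_fail_pps: float    # Ip.ReasmFails: fragment sets never completed
    udp_datagram_pps: float  # Udp.InDatagrams: counted only after reassembly
    alert: bool


def fragment_report(before: SnmpTables, after: SnmpTables, interval_s: float,
                    min_fragment_pps: float = 50_000,
                    min_share: float = 0.5) -> FragmentReport:
    """Diff two snapshots and flag a fragment-dominated inbound rate.
    Thresholds are assumptions; tune them to the host's normal traffic."""
    def rate(proto: str, key: str) -> float:
        return (after[proto][key] - before[proto][key]) / interval_s

    inbound = rate("Ip", "InReceives")
    frags = rate("Ip", "ReasmReqds")
    share = frags / inbound if inbound > 0 else 0.0   # idle host: avoid /0
    return FragmentReport(
        inbound_pps=inbound,
        fragment_pps=frags,
        fragment_share=share,
        reasm_fail_pps=rate("Ip", "ReasmFails"),
        udp_datagram_pps=rate("Udp", "InDatagrams"),
        alert=frags >= min_fragment_pps and share >= min_share,
    )


if __name__ == "__main__":
    print(fragment_report(parse_snmp(SNAP_T0), parse_snmp(SNAP_T1), interval_s=1.0))
```

Run it as a script to print the report for the constructed snapshots; read_live() takes a real snapshot on a Linux host. The number to look at is the gap between inbound_pps (2.4 million packets per second, fragments included) and udp_datagram_pps (12 thousand): the second figure is the view a post-reassembly counter gives you during the attack.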

Alerting limitations in the community edition

ntopng's community edition has significant alerting limitations that affect DDoS use cases.

"The free version has very basic alerting. Threshold-based alerts on traffic volume, but no multi-channel routing, no severity levels, no integration with PagerDuty or OpsGenie."

"To get real alerting, you need the Enterprise edition, which changes the cost equation significantly. At that point, you're paying for a network monitoring tool and still not getting DDoS-specific detection."

Flowtriq includes multi-channel alerting out of the box: Slack, Discord, PagerDuty, OpsGenie, SMS, email, and generic webhooks. Alert routing is severity-based, so SYN floods can page the on-call engineer while port scans go to a Slack channel. There is no free tier with limited alerting and a paid tier with full alerting. Every node gets the same alerting capabilities.

Resource intensity

Users consistently report that ntopng is resource-hungry, particularly at higher traffic volumes.

"[This tool] uses a lot of RAM and CPU. Monitoring a 10 Gbps link on a modest server was pushing limits. The deep packet inspection is thorough, but it comes at a resource cost."

"We had to dedicate a beefy server just for monitoring. The hardware cost was higher than we expected for a 'free' tool."

ntopng's resource usage comes from its deep packet inspection engine, which analyzes application-layer protocols across all traffic. This is precisely what makes it great for network monitoring. But if your primary goal is DDoS detection, you do not need to classify every flow by application protocol. Flowtriq agents are lightweight because they focus on detection-relevant metrics: PPS, BPS, connection rates, protocol distribution, and kernel counters. The agent footprint is minimal on the servers it monitors.

Requires a human watching

Multiple users note that ntopng is fundamentally a visibility tool, not an automated response system.

"Someone has to be watching the dashboard to catch an attack. There's no automated response, no runbooks, no escalation. If it's 3 AM and nobody is looking at the screen, the attack runs until someone notices."

This is the core difference between a monitoring tool and a detection platform. ntopng gives you visibility. Flowtriq gives you visibility plus automated response. Detection fires, mitigation triggers, alerts go out, and the attack is being addressed before a human opens a dashboard. The dashboard exists for review and investigation, not as the primary detection mechanism.

No attack classification

"When traffic spikes, [this tool] tells you traffic is high. It doesn't tell you whether it's a SYN flood, a UDP amplification, a DNS reflection, or legitimate traffic surge from a marketing campaign."

Attack classification determines what mitigation action is appropriate. A SYN flood is handled at the TCP layer (SYN cookies, SYN rate limits); a UDP amplification is filtered on the reflector's source port (NTP 123, CLDAP 389); a DNS reflection is filtered on UDP source port 53 with a response-size cutoff so ordinary DNS answers keep flowing; and a legitimate surge should trigger no filtering at all. Flowtriq automatically classifies attacks by vector type and can apply vector-specific mitigation rules. Without classification, every response is a blunt instrument.
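The following is an added example of vector classification feeding vector-specific mitigation; it is not Flowtriq's classifier and makes no claim about how the product decides. Packets are small summaries of the kind a sampler (sFlow, NFLOG, a pcap reader) hands over; the three samples, the reflector port table, the share threshold and the policy table are constructed. It also covers the two points made earlier on this page: the fragment tail of an amplification attack is attributed to the reflector seen in the first fragments, and an attack that exceeds link capacity is escalated from a FlowSpec rule to an RTBH announcement (RFC 7999 BLACKHOLE community 65535:666).

```python
"""Attack-vector classification and vector-specific mitigation selection.

Added example, not Flowtriq's code. Samples, thresholds and the policy
tables below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# UDP source ports of services commonly abused as reflectors (assumed table).
REFLECTOR_PORTS = {53: "DNS reflection", 123: "NTP amplification",
                   389: "CLDAP amplification", 1900: "SSDP amplification",
                   11211: "memcached amplification"}
BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE, honoured by most transits


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    length: int           # bytes on the wire
    tcp_flags: str = ""   # e.g. "S", "SA", "A"
    frag: bool = False    # non-first IP fragment: no L4 header, so no ports


@dataclass
class Verdict:
    vector: str
    share: float                      # fraction of the sample attributed to it
    evidence: Dict = field(default_factory=dict)


def classify(sample: List[Pkt], min_share: float = 0.6) -> Verdict:
    """Pick the dominant vector in a packet sample, or report it unclassified."""
    n = len(sample)
    if n == 0:
        return Verdict("no traffic", 0.0)
    tcp = [p for p in sample if p.proto == "tcp"]
    udp = [p for p in sample if p.proto == "udp"]
    syn_only = sum(1 for p in tcp if p.tcp_flags == "S")
    frags = sum(1 for p in udp if p.frag)
    reflectors = Counter(REFLECTOR_PORTS[p.sport] for p in udp
                         if not p.frag and p.sport in REFLECTOR_PORTS)
    counts: Dict[str, int] = {"SYN flood": syn_only, "UDP fragment flood": frags}
    counts.update(reflectors)
    # Later fragments carry no ports. If a reflector service is visible in the
    # first fragments, the fragment tail almost certainly belongs to it.
    if reflectors:
        counts[reflectors.most_common(1)[0][0]] += frags
        counts["UDP fragment flood"] = 0
    vector, count = max(counts.items(), key=lambda kv: kv[1])
    share = count / n
    evidence = {"packets": n, "syn_only": syn_only, "fragments": frags,
                "reflectors": dict(reflectors)}
    if share < min_share:
        return Verdict("unclassified (possible legitimate surge)", share, evidence)
    return Verdict(vector, share, evidence)


# Vector -> RFC 5575 FlowSpec-style match components (assumed policy table).
FLOWSPEC_MATCH = {
    "SYN flood": {"protocol": "tcp", "tcp-flags": "syn"},
    "DNS reflection": {"protocol": "udp", "source-port": 53, "packet-length": ">=512"},
    "NTP amplification": {"protocol": "udp", "source-port": 123},
    "CLDAP amplification": {"protocol": "udp", "source-port": 389},
    "SSDP amplification": {"protocol": "udp", "source-port": 1900},
    "memcached amplification": {"protocol": "udp", "source-port": 11211},
    "UDP fragment flood": {"protocol": "udp", "fragment": "is-fragment"},
}


def mitigation_for(verdict: Verdict, victim: str,
                   inbound_bps: float, link_bps: float) -> Optional[Dict]:
    """Unclassified traffic gets no automatic rule (alert only). A classified
    vector gets a FlowSpec rule scoped to the victim prefix. If the attack
    exceeds link capacity, filtering at the edge is too late: blackhole the
    victim upstream (RTBH) so the rest of the network stays up."""
    if verdict.vector not in FLOWSPEC_MATCH:
        return None
    if inbound_bps > link_bps:
        return {"type": "rtbh", "prefix": victim, "community": BLACKHOLE_COMMUNITY}
    match = {"destination": victim, **FLOWSPEC_MATCH[verdict.vector]}
    action = "rate-limit" if verdict.vector == "SYN flood" else "discard"
    return {"type": "flowspec", "match": match, "action": action}


# Constructed samples, 100 packets each.
DNS_SAMPLE = ([Pkt("udp", 53, 40000 + i, 1400) for i in range(25)]
              + [Pkt("udp", 0, 0, 1480, frag=True) for _ in range(45)]
              + [Pkt("tcp", 50000 + i, 443, 60, "A") for i in range(20)]
              + [Pkt("udp", 443, 51000 + i, 1200) for i in range(10)])
SYN_SAMPLE = ([Pkt("tcp", 1024 + i, 443, 60, "S") for i in range(85)]
              + [Pkt("tcp", 50000 + i, 443, 60, "A") for i in range(15)])
MIXED_SAMPLE = ([Pkt("tcp", 50000 + i, 443, 60, "S") for i in range(30)]
                + [Pkt("tcp", 50000 + i, 443, 1200, "A") for i in range(40)]
                + [Pkt("udp", 53, 52000 + i, 200) for i in range(30)])

if __name__ == "__main__":
    for name, s in (("dns", DNS_SAMPLE), ("syn", SYN_SAMPLE), ("mixed", MIXED_SAMPLE)):
        v = classify(s)
        print(name, v.vector, f"{v.share:.2f}",
              mitigation_for(v, "203.0.113.10/32", 8e9, 10e9))
```

Two design choices matter here. The mixed sample has 30 percent SYNs and 30 percent DNS answers, which is a busy but plausible web host, so it comes back unclassified and gets no rule; a classifier that always returns its top candidate would filter legitimate traffic on every surge. And the DNS rule carries a packet-length floor, because dropping all of UDP/53 would also drop the victim's own resolver answers.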

No PCAP forensics

"We needed packet captures from an attack for our ISP abuse report. [This tool] doesn't capture packets during anomalies automatically. We had to set up a separate tcpdump process and hope we caught the right window."

Flowtriq captures PCAP data automatically during every detected attack. The captures are timestamped, linked to the attack record, and available for download from the dashboard. No manual tcpdump, no hoping you caught the right time window, no separate process to manage.

Keep ntopng for monitoring. Add Flowtriq for DDoS detection.

ntopng and Flowtriq solve different problems. Run both. Flowtriq adds per-node DDoS detection at $9.99/month, with automated mitigation, PCAP forensics, and BGP integration.

Start Free Trial →

When ntopng is the right call (and Flowtriq is not)

If you need general-purpose network monitoring: ntopng is purpose-built for traffic visibility, protocol analysis, and network troubleshooting. Flowtriq is purpose-built for DDoS detection. If your primary need is understanding your network traffic, not defending against attacks, ntopng is the better tool.

If you need deep protocol analysis: ntopng's DPI engine identifies hundreds of application protocols and provides per-flow analysis. Flowtriq does not do application-layer protocol classification. If you need to know how much of your traffic is YouTube vs Netflix vs SSH, ntopng answers that question.

If you want a free, self-hosted monitoring dashboard: ntopng Community Edition is free and provides a capable web interface for traffic monitoring. Flowtriq is a paid SaaS product. If budget is zero and your need is visibility rather than automated DDoS defense, ntopng delivers real value at no cost.

The bottom line

ntopng is an excellent network monitoring tool being asked to fill a role it was never designed for. The "complaints" from users are not really complaints about ntopng. They are descriptions of what happens when you use a monitoring tool as a substitute for a DDoS detection platform.

The right answer for most operators is to run both. Use ntopng for network-wide traffic visibility, protocol analysis, and troubleshooting. Use Flowtriq for DDoS detection, automated mitigation, PCAP forensics, and incident response. They solve different problems, and they complement each other well.