DDoS detection vs protection: what each means
Detection finds attacks. Protection stops them. Some tools do one, some do both. Understanding the difference is critical for choosing the right DDoS solution for your infrastructure.
Categories
Three categories of DDoS tools
Every DDoS tool falls into one of three categories based on what it does when traffic anomalies appear.
Detection-only
Identifies that an attack is happening. Reports the type, volume, and source. Does not take mitigation action automatically.
Tools in this category
- FastNetMon Community Edition
- ntopng
- Darkstat
- vnStat
- Cacti / MRTG / LibreNMS (with threshold alerts)
Limitation: You know you are under attack, but stopping it requires manual intervention or a separate mitigation tool.
Mitigation-only
Absorbs or filters attack traffic. Does not provide per-server detection, classification, or forensics. Requires detection to trigger.
Tools in this category
- Cloudflare Magic Transit
- Akamai Prolexic
- AWS Shield Standard
- Provider-included DDoS protection (OVH VAC, Hetzner)
- Managed scrubbing services
Limitation: You are protected, but you may not know what hit you or which servers were targeted, and you may have no forensic evidence for postmortem analysis.
Integrated (detection + mitigation)
Detects attacks and executes mitigation automatically. Provides full incident lifecycle: detection, classification, evidence capture, mitigation, alerting, audit logging.
Tools in this category
- Flowtriq (agent-based, SaaS, $9.99/node/mo)
- Corero SmartWall (inline hardware, enterprise pricing)
- NETSCOUT Arbor Sightline + TMS (hardware + software, enterprise)
- FastNetMon Advanced (software, bandwidth-licensed)
- Wanguard / Andrisoft (software, sensor-licensed)
Advantage: One system handles the full incident lifecycle. No gap between detecting an attack and responding to it.
Comparison
Side-by-side capability matrix
| Capability | Detection-only | Mitigation-only | Integrated |
|---|---|---|---|
| Identifies attack type | Yes | Sometimes (basic) | Yes (detailed classification) |
| Per-server visibility | Yes (if agent-based) | No (network-level only) | Yes |
| Stops attack traffic | No | Yes | Yes |
| PCAP forensics | Rarely | No | Yes |
| BGP FlowSpec / RTBH | Manual scripts | Provider-managed | Automated |
| On-node firewall rules | No | No | Yes (Flowtriq: 46 types) |
| Cloud scrubbing orchestration | No | Is the scrubbing | Orchestrates scrubbing |
| Alerting (Slack, PagerDuty, etc.) | Basic | Provider dashboard | Yes |
| Audit log for compliance | Rarely | Provider-managed | Yes (hash-chained) |
| Typical cost | Free - $500/mo | $3,000 - $50,000+/mo | $10 - $50,000+/mo |
Positioning
Where Flowtriq fits
Flowtriq = detection + automated mitigation orchestration
Flowtriq detects attacks at the server level and orchestrates mitigation through your existing infrastructure. It does not absorb volumetric floods directly (that is what scrubbing providers do). Instead, it:
1. Detects attacks in under 1 second using kernel-level PPS/BPS sampling
2. Classifies the attack (type, severity, spoofing, botnet) with confidence scoring
3. Executes on-node firewall rules (iptables, nftables, XDP/eBPF) for immediate local filtering
4. Announces BGP FlowSpec/RTBH rules to filter traffic at the network edge
5. Activates cloud scrubbing providers to absorb volumetric floods that exceed local capacity
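The five steps above as an added Python sketch of the detect, classify, escalate, audit loop; this is an illustration written for this page, not Flowtriq's own code. The baseline, the on-node and link capacities, the threshold factor, the classification rules and the counter samples are all assumed or constructed, and the hash-chained entries model the audit-log property listed in the comparison table.

```python
import hashlib, json

LOCAL_FILTER_PPS = 2_000_000  # assumed: packets/s an on-node XDP/nftables drop path can absorb
LINK_BPS = 10_000_000_000     # assumed: 10 Gbit/s uplink; larger floods must be stopped upstream
BASELINE = {"pps": 50_000, "bps": 400_000_000}  # assumed learned normal level for this host

def detect(sample, factor=10):  # step 1: PPS or BPS is factor x above the learned baseline
    return sample["pps"] > BASELINE["pps"] * factor or sample["bps"] > BASELINE["bps"] * factor

def classify(sample):  # step 2: coarse type + confidence from protocol mix and packet size
    kind, conf = max(sample["mix"].items(), key=lambda kv: kv[1])
    avg_bytes = sample["bps"] / 8 / max(sample["pps"], 1)
    if kind == "udp":  # large UDP packets suggest reflection/amplification, small ones a raw flood
        kind = "udp_amplification" if avg_bytes > 1000 else "udp_flood"
    return {"tcp_syn": "syn_flood"}.get(kind, kind), round(conf, 2)

def choose_tier(sample):  # steps 3-5: escalate only as far as capacity requires
    if sample["bps"] >= LINK_BPS:
        return "cloud_scrubbing"      # flood exceeds the link: divert to a scrubbing provider
    if sample["pps"] > LOCAL_FILTER_PPS:
        return "bgp_flowspec"         # host cannot keep up: FlowSpec/RTBH at the network edge
    return "on_node_firewall"         # nftables/XDP drop rule on the server itself

def append_audit(log, event):  # each entry commits to the previous entry's hash
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"prev": prev, **event}
    digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append({**entry, "hash": digest})

def verify_audit(log):  # recompute every hash and check that the chain is unbroken
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def handle(sample, log):  # one counter sample through detect -> classify -> tier -> audit
    if not detect(sample):
        return None
    kind, conf = classify(sample)
    tier = choose_tier(sample)
    append_audit(log, {"t": sample["t"], "type": kind, "confidence": conf, "action": tier})
    return tier

# Constructed one-second counter samples: normal traffic, then a 6 Mpps SYN flood
NORMAL = {"t": 1, "pps": 48_000, "bps": 380_000_000, "mix": {"tcp_syn": 0.05, "udp": 0.3, "other": 0.65}}
FLOOD = {"t": 2, "pps": 6_000_000, "bps": 2_900_000_000, "mix": {"tcp_syn": 0.9, "udp": 0.05, "other": 0.05}}
```

Feeding `NORMAL` then `FLOOD` through `handle` with a shared list yields no action for the first sample and `bgp_flowspec` for the second, and editing any earlier audit entry afterwards makes `verify_audit` return False.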
The orchestration is the value. Flowtriq replaces the gap between "we detected something" and "someone needs to log in and do something about it" with automated, audited, reversible mitigation.
When detection-only is enough
If your provider already includes DDoS mitigation (OVH VAC, Hetzner Protection), and you just want visibility into what attacks hit your servers, a detection-only tool paired with your provider's protection may suffice. Flowtriq adds value here through forensics (PCAP), classification, and alerting, but the mitigation is handled upstream.
When mitigation-only is enough
If you only serve HTTP/S traffic through a CDN like Cloudflare, and you do not need per-server visibility or forensic evidence, Cloudflare's built-in DDoS protection handles mitigation without a separate detection layer. Add Flowtriq when you need to know what happened (classification, PCAP, audit trail) or protect non-HTTP infrastructure.
When you need both
If you run your own infrastructure (bare metal, VPS, colo), serve non-HTTP protocols (game servers, DNS, VoIP), need per-server forensic evidence, or need automated BGP mitigation without a $50K+ hardware investment, an integrated detection+mitigation tool is the right choice.
Complementary deployments
Flowtriq pairs with mitigation-only tools
Flowtriq is not a Cloudflare substitute. It is a complementary infrastructure-layer tool. Common pairings:
Cloudflare + Flowtriq
Cloudflare proxies and absorbs HTTP/S DDoS traffic at its edge network.
Flowtriq monitors non-HTTP protocols (UDP, DNS, game traffic), provides per-server PCAP forensics, detects attacks that bypass or arrive before Cloudflare proxying, and orchestrates BGP mitigation for infrastructure-layer threats.
Corero + Flowtriq
Corero SmartWall filters attack traffic inline at the network edge before it reaches your servers.
Flowtriq monitors what actually reaches each server behind SmartWall, detects residual or below-threshold attacks, captures server-side PCAPs, and provides per-server alerting and forensics.
AWS Shield + Flowtriq
AWS Shield Standard provides free L3/L4 protection for all AWS resources.
Flowtriq adds per-instance detection, attack classification, PCAP forensics, custom alert channels, and audit logging that Shield Standard does not provide. For non-AWS infrastructure in the same environment, Flowtriq covers what Shield cannot.
Provider protection + Flowtriq
OVH VAC and Hetzner Protection scrub traffic at the network edge.
Flowtriq provides visibility into what attacks hit your servers, forensic evidence (PCAP, classification), and alerting. Provider protection mitigates; Flowtriq tells you what happened and proves it.
FAQ
Common questions
What is the difference between DDoS detection and mitigation?
Detection identifies that an attack is happening: what type, how large, from where. Mitigation stops the attack: firewall rules, BGP announcements, traffic scrubbing. Some tools detect only (FastNetMon Community, ntopng). Some mitigate only (Cloudflare Magic Transit, Akamai Prolexic). Integrated tools do both (Flowtriq, Corero SmartWall, NETSCOUT Arbor).
Is Flowtriq detection-only?
No. Flowtriq provides both detection and automated mitigation. It detects attacks in under 1 second and executes automated mitigation (iptables, nftables, XDP/eBPF), BGP FlowSpec/RTBH announcements, and cloud scrubbing orchestration. Detection and mitigation are both core features.
Does Flowtriq absorb DDoS traffic like Cloudflare?
No. Flowtriq does not sit inline in your traffic path and does not absorb volumetric floods directly. Instead, it orchestrates mitigation: it deploys on-node firewall rules for local filtering, announces BGP FlowSpec/RTBH for network-level filtering, and activates cloud scrubbing providers (Cloudflare, OVH, Hetzner, AWS Shield) for volumetric attacks. The value is automated orchestration across all these mitigation methods.
Can I use Flowtriq with Cloudflare?
Yes. This is a common deployment. Cloudflare proxies and absorbs HTTP/S DDoS traffic. Flowtriq monitors the infrastructure layer: detecting attacks on non-HTTP protocols, providing per-server forensics, and orchestrating mitigation for traffic that does not flow through Cloudflare.
What tools are detection-only?
FastNetMon Community Edition, ntopng, Darkstat, vnStat, and most basic network monitoring tools detect anomalies but do not execute mitigation actions. FastNetMon Advanced and Wanguard add scripted mitigation but require manual configuration and external BGP speakers.
What tools are mitigation-only?
Cloudflare Magic Transit, Akamai Prolexic, AWS Shield Standard, and managed scrubbing services absorb or filter attack traffic but do not provide per-server detection, attack classification, or PCAP forensics. They require something upstream to detect and trigger diversion.
Detection and mitigation in one platform.
14-day free trial. Every feature included. No credit card required.