Confidence Scoring
How Flowtriq distinguishes real attacks from traffic anomalies
What Confidence Means
Every incident in Flowtriq receives a confidence score from 0 to 100. This score represents how certain the system is that the detected traffic anomaly is a genuine DDoS attack rather than a legitimate traffic spike. The score is computed at the end of each incident using multiple independent signals.
Higher confidence means more corroborating evidence. A score of 85 means the system found strong evidence across several dimensions (traffic volume, protocol patterns, source analysis, packet characteristics). A score of 35 means the threshold was crossed but few other signals confirmed malicious intent.
How Confidence Is Calculated
The score starts at a base of 30 and adds or subtracts points based on these factors:
| Signal | Points | Logic |
|---|---|---|
| PPS/threshold ratio | +0 to +25 | Adds min(25, ratio * 5). An attack at 5x the threshold gets full +25. An attack barely above threshold gets +5. |
| Source IP count > 5,000 | +10 | Large distributed attack from many sources is unlikely to be legitimate. |
| Source IP count > 1,000 | +5 | Moderate distribution. Fewer points because legitimate CDN or API traffic can have 1,000+ sources. |
| Protocol dominance > 80% | +10 | Single-protocol floods (95% UDP, 98% SYN-only TCP) are more suspicious than mixed traffic. |
| Packet size uniformity (std < 50 bytes) | +10 | Attack tools produce packets of identical size. Legitimate traffic has varied packet sizes. |
| Duration > 60 seconds | +5 | Longer attacks are more likely intentional. |
| Duration < 15 seconds | -10 | Very short events are often noise (BGP reconvergence, cache flush). |
| IOC pattern matches | +0 to +20 | Each distinct IOC match adds confidence, capped at +20. Matching a known Mirai payload is strong evidence. |
| Spoofing detected | +10 | High TTL entropy combined with high source entropy indicates spoofed source IPs. |
| Botnet detected | +10 | More than 5,000 unique source IPs or a known botnet family signature match. |
The final score is clamped to the range 0-100.
Example Calculations
Per-Source-IP Confidence
Beyond the incident-level score, the agent also computes a confidence score for each individual source IP in the top-20 sources. This helps identify which IPs are most likely attackers vs caught-up bystanders:
| Signal | Points |
|---|---|
| Packet contribution > 5% of total | +30 |
| Packet contribution > 2% of total | +15 |
| SYN-only (TCP with SYN flag, no ACK) | +25 |
| Single TTL value across 50+ packets | +20 |
| Single protocol only (all TCP, or all UDP) | +10 |
| Packet count > 500 in window | +15 |
Confidence Threshold for Mitigation
When automated mitigation is enabled (BGP FlowSpec, RTBH, cloud scrubbing), the system checks the incident confidence score against the confidence threshold before deploying rules. The default threshold is 0.65 (65 out of 100).
Configure this in Dashboard → Scrubbing → Escalation Settings → Confidence Threshold. The value ranges from 0.10 to 1.00.
Choosing a Threshold
| Threshold | Trade-off | Best for |
|---|---|---|
| 0.40 - 0.50 | Aggressive. Mitigates quickly but may act on ambiguous events. | Game servers, real-time services where any disruption is unacceptable |
| 0.60 - 0.70 (default) | Balanced. Requires solid evidence before deploying rules. | Most production workloads |
| 0.80 - 0.90 | Conservative. Only mitigates high-confidence attacks. | Environments where false-positive mitigation is worse than the attack itself |
Using Confidence to Filter Alerts
Escalation policies (see Escalation Policies) can route alerts based on severity, which is derived from confidence and peak PPS. You can also filter incidents in the dashboard by confidence range to focus on confirmed attacks during post-incident review.