Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

GRE Tunnel & Deduplication

Accurate traffic stats on GRE-tunneled interfaces

When GRE Dedup Is Needed

GRE (Generic Routing Encapsulation, IP protocol 47) tunnels wrap each packet in an additional IP + GRE header layer. On servers receiving traffic through GRE tunnels, the same traffic appears at multiple layers. Without deduplication, bandwidth and PPS stats are inflated by 10-25% due to the header overhead, and attack detection thresholds become inaccurate.

Common scenarios that require GRE dedup:

  • DDoS scrubbing providers that deliver clean traffic via GRE tunnels
  • Hosting providers using GRE for customer traffic isolation
  • VPN and overlay networks (IPsec over GRE, VXLAN over GRE)
  • Data center interconnects using GRE tunnels

How It Works

The GRE decapsulator strips outer IP + GRE headers from packets for stats calculation only. The original packet with all encapsulation layers is always preserved in PCAP forensic captures.

Decapsulation Process

  1. Check if the packet has a GRE layer (IP protocol 47)
  2. Parse the GRE header flags (checksum, key, sequence number) to determine header length
  3. Extract the inner payload (the actual customer packet)
  4. Use the inner packet length for BPS calculations
  5. Repeat for nested GRE (up to gre_max_depth layers, default 3)

BPS Correction

Each tick, the decapsulator tracks outer bytes vs inner bytes. The overhead ratio is computed as:

overhead_ratio = (outer_bytes - inner_bytes) / outer_bytes corrected_bps = raw_bps * (1.0 - overhead_ratio)

PPS is not adjusted because one outer GRE packet always contains exactly one inner packet.

Configuration

GRE deduplication is controlled by the gre_mode setting in /etc/ftagent/config.json:

SettingTypeDefaultDescription
gre_modestring"auto""auto" = detect GRE interface on startup, enable if found. "enabled" = always strip GRE headers. "disabled" = never strip (use for bare-metal interfaces).
gre_max_depthint3Maximum nested GRE layers to strip. Handles double/triple GRE encapsulation.

Example config.json

{ "api_key": "...", "node_uuid": "...", "gre_mode": "auto", "gre_max_depth": 3 }

Auto-Detection

When gre_mode is "auto", the agent runs ip -d link show on the monitored interface at startup. If the interface type contains "gre", "gretap", "ip6gre", or "ip6gretap", GRE dedup is enabled automatically.

The agent also runs ip tunnel show on startup to enumerate all GRE tunnels on the system and reports them to the dashboard (remote IP, local IP, tunnel type).

Performance Impact

  • Scapy mode: Negligible overhead. Decapsulation is a simple layer traversal on the existing parsed packet.
  • tcpdump mode: Raw byte parsing without Scapy. The decapsulator parses IP headers and GRE flags directly from bytes, which adds ~50 nanoseconds per packet.
  • Memory: No additional memory. Stats are computed in place using the inner packet reference.

Hypervisor Mode

When both GRE dedup and "hypervisor_mode": true are active, the agent tracks the inner destination IP after stripping GRE headers. This lets you see per-VM traffic breakdowns on a hypervisor that receives all customer traffic through a single GRE tunnel.

Configure VM labels for human-readable names:

{ "gre_mode": "enabled", "hypervisor_mode": true, "vm_labels": { "10.0.0.5": "Customer A - Web", "10.0.0.6": "Customer B - Database", "10.0.0.7": "Customer C - Game Server" } }

Per-VM stats (PPS, BPS, protocol breakdown, source IP count) are pushed to the dashboard every 5 seconds and visible in the node detail view.

Troubleshooting

GRE dedup is enabled but stats still look inflated

  • Check that gre_mode is not "disabled" in your config
  • Run ftagent --debug and look for "GRE dedup: enabled" in the startup output
  • Verify with ip -d link show <interface> that the interface is recognized as a GRE tunnel
  • If using tcpdump mode, the BPS correction relies on sampling. Ensure the agent's packet ring buffer is not dropping samples.

Agent does not detect the GRE interface

  • Some hosting providers use kernel modules that do not expose GRE metadata via iproute2. Set "gre_mode": "enabled" explicitly.
  • If the GRE tunnel is on a different interface than the monitored one, set "interface" to the GRE tunnel interface name.

Nested GRE not being stripped

  • Increase gre_max_depth if you have more than 3 layers of GRE encapsulation (rare but possible in complex overlay networks).
ESC