Service Port Detection
Service Port Detection is an advanced feature that lets Flowtriq distinguish between traffic hitting your application's service ports (e.g., port 80, 443, 25565) and traffic hitting non-service ports. This enables smarter classification and more surgical blocking during attacks.
What Service Port Detection Does
Without service port detection, all inbound traffic is treated equally. A spike on port 443 (your web server) and a spike on port 53421 (a random port) are analyzed the same way.
With service port detection enabled, the agent knows which ports run your actual services. This enables:
- Smarter classification: Traffic to service ports is analyzed differently than traffic to non-service ports. A surge on port 443 might be legitimate traffic growth, while a surge on port 53421 is almost certainly an attack.
- Surgical blocking: Instead of blocking a source IP entirely, the system can block traffic from that source only on non-service ports, preserving legitimate access to your services.
- Reduced false positives: Legitimate traffic spikes to your service ports are less likely to trigger detection when service ports are configured.
Configuring Service Ports
Service ports are configured per-node from the node detail page, or as workspace-wide defaults in Settings.
Per-Node Configuration
- Go to Nodes and click the node you want to configure.
- Scroll to the Service Ports section.
- Enable service port detection with the toggle.
- Add your service ports:
- Protocol: TCP, UDP, or Both
- Port: A single port number, comma-separated list, or range (e.g.,
80,80,443,25565-25575) - Label: Optional description (e.g., "Web Server", "Game Server")
- Configure sensitivity and response settings (see below).
- Click Save.
Workspace Defaults
Set default service port settings for all new nodes in Settings → Workspace. These defaults are applied when new nodes are created but can be overridden per-node.
Sensitivity Levels
| Level | Behavior |
|---|---|
| Strict | Lowest threshold. Detects smaller traffic anomalies to non-service ports. Best for servers with very predictable traffic. |
| Standard | Balanced detection. Suitable for most deployments. |
| Relaxed | Higher threshold. Tolerates more traffic variation before triggering. Best for servers with bursty traffic patterns. |
| Custom | Set your own PPS threshold for non-service port traffic. |
Response Modes
| Mode | Behavior |
|---|---|
| Monitor | Detect and alert only. No automatic blocking. |
| On-Node | Block traffic on the node itself using local firewall rules. |
| Pipeline | Push block rules through the configured mitigation pipeline. |
| Full | Apply both on-node and pipeline blocking. |
Block Scope
When blocking is enabled, you can choose the scope:
| Scope | Behavior |
|---|---|
| Non-Service Only | Block the offending source IP only on non-service ports. Traffic from that IP to your service ports (e.g., port 80) is still allowed. This is the most surgical option. |
| Full IP | Block the source IP entirely, on all ports. |
Block Cooldown
The block cooldown setting controls how long a block remains in place after the triggering traffic subsides. Minimum is 60 seconds. Default is 300 seconds (5 minutes).
Port Format Rules
- Port values must be between 1 and 65535
- Use commas for multiple ports:
80,443,8080 - Use hyphens for ranges:
25565-25575 - Maximum 15 port entries per rule (iptables multiport limit)
How It Affects Classification
When service port detection is enabled on a node, the incident detail page includes a Service Port section showing:
- Which service port zone was targeted
- Top attacking source IPs with per-IP PPS
- Block actions taken (source IP, block scope, timestamps, expiry, status)
FAQ
Does service port detection add CPU overhead?
Minimal. The agent already inspects packets; service port detection adds a port lookup to the existing analysis pipeline. The overhead is negligible.
What happens if I misconfigure my service ports?
If you forget to include a legitimate service port, traffic to that port would be classified as non-service traffic. This could lead to blocking legitimate traffic if blocking is enabled. Always verify your port list matches your actual services.
Can I configure service ports through the API?
Service port configuration is currently available through the dashboard UI. API support is planned.