Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Service Port Detection

Service Port Detection is an advanced feature that lets Flowtriq distinguish between traffic hitting your application's service ports (e.g., port 80, 443, 25565) and traffic hitting non-service ports. This enables smarter classification and more surgical blocking during attacks.

What Service Port Detection Does

Without service port detection, all inbound traffic is treated equally. A spike on port 443 (your web server) and a spike on port 53421 (a random port) are analyzed the same way.

With service port detection enabled, the agent knows which ports run your actual services. This enables:

  • Smarter classification: Traffic to service ports is analyzed differently than traffic to non-service ports. A surge on port 443 might be legitimate traffic growth, while a surge on port 53421 is almost certainly an attack.
  • Surgical blocking: Instead of blocking a source IP entirely, the system can block traffic from that source only on non-service ports, preserving legitimate access to your services.
  • Reduced false positives: Legitimate traffic spikes to your service ports are less likely to trigger detection when service ports are configured.

Configuring Service Ports

Service ports are configured per-node from the node detail page, or as workspace-wide defaults in Settings.

Per-Node Configuration

  1. Go to Nodes and click the node you want to configure.
  2. Scroll to the Service Ports section.
  3. Enable service port detection with the toggle.
  4. Add your service ports:
    • Protocol: TCP, UDP, or Both
    • Port: A single port number, comma-separated list, or range (e.g., 80, 80,443, 25565-25575)
    • Label: Optional description (e.g., "Web Server", "Game Server")
  5. Configure sensitivity and response settings (see below).
  6. Click Save.

Workspace Defaults

Set default service port settings for all new nodes in SettingsWorkspace. These defaults are applied when new nodes are created but can be overridden per-node.

Sensitivity Levels

LevelBehavior
StrictLowest threshold. Detects smaller traffic anomalies to non-service ports. Best for servers with very predictable traffic.
StandardBalanced detection. Suitable for most deployments.
RelaxedHigher threshold. Tolerates more traffic variation before triggering. Best for servers with bursty traffic patterns.
CustomSet your own PPS threshold for non-service port traffic.

Response Modes

ModeBehavior
MonitorDetect and alert only. No automatic blocking.
On-NodeBlock traffic on the node itself using local firewall rules.
PipelinePush block rules through the configured mitigation pipeline.
FullApply both on-node and pipeline blocking.

Block Scope

When blocking is enabled, you can choose the scope:

ScopeBehavior
Non-Service OnlyBlock the offending source IP only on non-service ports. Traffic from that IP to your service ports (e.g., port 80) is still allowed. This is the most surgical option.
Full IPBlock the source IP entirely, on all ports.

Block Cooldown

The block cooldown setting controls how long a block remains in place after the triggering traffic subsides. Minimum is 60 seconds. Default is 300 seconds (5 minutes).

Port Format Rules

  • Port values must be between 1 and 65535
  • Use commas for multiple ports: 80,443,8080
  • Use hyphens for ranges: 25565-25575
  • Maximum 15 port entries per rule (iptables multiport limit)

How It Affects Classification

When service port detection is enabled on a node, the incident detail page includes a Service Port section showing:

  • Which service port zone was targeted
  • Top attacking source IPs with per-IP PPS
  • Block actions taken (source IP, block scope, timestamps, expiry, status)

FAQ

Does service port detection add CPU overhead?

Minimal. The agent already inspects packets; service port detection adds a port lookup to the existing analysis pipeline. The overhead is negligible.

What happens if I misconfigure my service ports?

If you forget to include a legitimate service port, traffic to that port would be classified as non-service traffic. This could lead to blocking legitimate traffic if blocking is enabled. Always verify your port list matches your actual services.

Can I configure service ports through the API?

Service port configuration is currently available through the dashboard UI. API support is planned.

ESC