Mirror / SPAN Mode

One SPAN port.
Every IP protected.

Connect a single monitoring server to your switch's SPAN port and detect DDoS attacks targeting any IP in the segment. Independent per-IP baselines, concurrent multi-IP incident tracking, and full protocol classification. The same approach used by FastNetMon, built natively into Flowtriq.

100K+ IPs Tracked Per Node
1s Per-IP Detection Cadence
0 Per-Server Agents Required

How It Works

Per-IP detection from mirrored traffic.

Configure your switch to mirror traffic from uplink ports to a dedicated monitoring NIC. The FTAgent captures every packet using Linux AF_PACKET with PACKET_FANOUT for multi-thread scaling, parses Ethernet/IP/TCP/UDP headers in real time, and maintains per-destination-IP traffic counters.

Each destination IP gets its own independent baseline using the same sliding-window p99 algorithm as agent mode. When any IP's PPS exceeds its individual threshold, an incident is opened for that specific IP with full protocol classification, source IP analysis, and optional BPF-filtered PCAP capture.

Multiple IPs can be under simultaneous attack with separate incident lifecycles. The dashboard shows a real-time per-IP traffic table with status indicators, baseline/threshold values, and protocol mix breakdowns.
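The per-IP baseline and incident logic described above, as an added worked example in Python (not FTAgent's code). It follows the numbers this page gives: a 5-minute sliding window of 1-second PPS samples, a threshold of p99 x 3, and a 10K PPS absolute floor until a baseline exists. MIN_SAMPLES, the class and function names, and the rule that seconds inside an open incident are not fed back into the baseline are my assumptions; the traffic is constructed to reproduce the threshold=450 / peak=8,650 incident shown in the sample log further down. The same example covers the FAQ answer on per-IP baseline learning.

```python
"""Per-destination-IP baseline detection as the page describes it: a sliding
window of 1 s PPS samples per IP, threshold = p99 x 3, a 10K PPS absolute
floor until the baseline is established, one incident per IP. Added
illustration, not FTAgent code; MIN_SAMPLES, the names and the
freeze-during-incident rule are assumptions."""
from collections import deque
import math
import uuid

WINDOW_SECONDS = 300      # page: 5-minute baseline window (configurable)
THRESHOLD_MULT = 3.0      # page: threshold is p99 x 3
ABSOLUTE_FLOOR = 10_000   # page: 10K PPS floor until a baseline exists
MIN_SAMPLES = 60          # assumption: samples needed before a baseline counts


def p99(samples):
    """Nearest-rank 99th percentile; with 300 samples this is the 3rd highest."""
    ordered = sorted(samples)
    return ordered[max(1, math.ceil(0.99 * len(ordered))) - 1]


class BaselineManager:
    """One instance per destination IP (the page's own term for this object)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.samples = deque(maxlen=window)

    def established(self):
        return len(self.samples) >= MIN_SAMPLES

    def threshold(self):
        if not self.established():
            return ABSOLUTE_FLOOR
        return THRESHOLD_MULT * p99(self.samples)

    def observe(self, pps):
        self.samples.append(pps)


class MirrorDetector:
    """Tracks every destination IP independently; at most one open incident per IP."""

    def __init__(self):
        self.baselines = {}   # dst_ip -> BaselineManager
        self.active = {}      # dst_ip -> incident currently open
        self.closed = []      # finished incidents, oldest first

    def tick(self, pps_by_dst, now):
        """Feed one second of per-destination packet counts; returns log events."""
        events = []
        for ip, pps in pps_by_dst.items():
            bm = self.baselines.setdefault(ip, BaselineManager())
            thr = bm.threshold()
            inc = self.active.get(ip)
            if pps > thr:
                if inc is None:
                    inc = {"id": str(uuid.uuid4()), "ip": ip, "start": now,
                           "threshold": thr, "peak": pps}
                    self.active[ip] = inc
                    events.append(("ATTACK DETECTED", ip, pps, thr))
                else:
                    inc["peak"] = max(inc["peak"], pps)
                # Assumption: attack seconds are not learned. With a 300-sample
                # window p99 is the 3rd-highest sample, so learning even a
                # 4-second flood would make the flood the new baseline.
                continue
            if inc is not None:
                inc["end"] = now
                self.closed.append(self.active.pop(ip))
                events.append(("ATTACK ENDED", ip, inc["peak"], inc["end"] - inc["start"]))
            bm.observe(pps)
        return events


def simulate():
    """Constructed traffic: two hosts learn baselines, then one of them is flooded."""
    det, web, db, log, t = MirrorDetector(), "10.0.0.10", "10.0.0.20", [], 0
    for _ in range(120):                  # normal traffic, both baselines form
        log += det.tick({web: 140 + t % 11, db: 40 + t % 5}, t); t += 1
    for _ in range(74):                   # 74 s flood at 8,650 PPS on the web server only
        log += det.tick({web: 8650, db: 40 + t % 5}, t); t += 1
    for _ in range(10):                   # traffic returns to normal, incident closes
        log += det.tick({web: 140 + t % 11, db: 40 + t % 5}, t); t += 1
    return det, log


if __name__ == "__main__":
    for event in simulate()[1]:
        print(*event)
```

The freeze rule matters more than it looks: with a 300-sample window the nearest-rank p99 is the third-highest sample, so any flood longer than three seconds that is learned becomes the baseline and the threshold chases the attack. A deployment also wants hysteresis on the end condition so that a flood oscillating around the threshold does not open and close an incident every second.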

Capture Backend: AF_PACKET (Linux) or tcpdump fallback
Protocols Parsed: IPv4, IPv6, TCP, UDP, ICMP, GRE
Frame Types: Ethernet, 802.1Q VLAN, QinQ
Max Tracked IPs: 100,000 per window (configurable)
Baseline Window: 5 minutes (configurable)
Detection Cadence: Every 1 second per IP
GRE Decapsulation: Up to 3 layers deep (auto or manual)
Subnet Filtering: Optional CIDR-based destination filter

mirror-config.json
{
  "mirror_mode": true,
  "mirror_interface": "eth1",
  "mirror_subnets": [
    "10.0.0.0/24",
    "192.168.1.0/24"
  ],
  "mirror_ip_labels": {
    "10.0.0.10": "Web Server",
    "10.0.0.20": "DB Server"
  },
  "mirror_capture_mode": "af_packet"
}
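A parser for the frame and protocol layers listed in the table above, with the subnet filter and labels read from a mirror-config.json, as an added example in Python (not FTAgent's code; production capture would read frames from an AF_PACKET socket, which is left out so the example runs offline). It counts packets per destination IP for one 1-second window, strips 802.1Q and QinQ tags, follows GRE tunnels up to three layers and attributes the tunnelled packet to its inner destination. The function names, the config values and the constructed frames are assumptions.

```python
"""Frame parsing and per-destination-IP counting for a SPAN feed: Ethernet with
802.1Q/QinQ tags, IPv4/IPv6, TCP/UDP/ICMP/GRE classification, GRE decapsulation
up to 3 layers, and the CIDR destination filter from mirror-config.json.
Added illustration, not FTAgent code; names and sample frames are assumptions."""
import ipaddress
import json
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_VLAN, ETH_QINQ, ETH_TEB = 0x0800, 0x86DD, 0x8100, 0x88A8, 0x6558
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ICMPV6 = 1, 6, 17, 47, 58
PROTO_NAMES = {PROTO_ICMP: "icmp", PROTO_TCP: "tcp", PROTO_UDP: "udp",
               PROTO_GRE: "gre", PROTO_ICMPV6: "icmp"}
MAX_GRE_DEPTH = 3                         # page: decapsulation up to 3 layers deep

def parse_ethernet(frame):
    """Strip the Ethernet header and any 802.1Q / QinQ tags (4 bytes each)."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype in (ETH_VLAN, ETH_QINQ):
        ethertype, = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    return ethertype, frame[offset:]

def parse_gre(payload, depth):
    """Skip the GRE header (RFC 2784/2890 C, K, S flags) and parse what it carries."""
    flags, inner_type = struct.unpack_from("!HH", payload, 0)
    # optional words: checksum+reserved (C), key (K), sequence number (S)
    offset = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    inner = payload[offset:]
    if inner_type == ETH_TEB:             # transparent Ethernet bridging: a full frame inside
        inner_type, inner = parse_ethernet(inner)
    return parse_ip(inner_type, inner, depth)

def parse_ip(ethertype, payload, depth=0):
    """Return (destination IP, protocol name); follows GRE up to MAX_GRE_DEPTH."""
    if ethertype == ETH_IPV4:
        ihl = (payload[0] & 0x0F) * 4
        proto, dst, inner = payload[9], payload[16:20], payload[ihl:]
    elif ethertype == ETH_IPV6:           # extension headers are not walked here
        proto, dst, inner = payload[6], payload[24:40], payload[40:]
    else:
        return None, "other"              # ARP, LLDP and similar are not counted
    if proto == PROTO_GRE and depth < MAX_GRE_DEPTH:
        return parse_gre(inner, depth + 1)  # attribute the packet to its inner destination
    return str(ipaddress.ip_address(dst)), PROTO_NAMES.get(proto, "other")

def load_filter(config_json):
    """mirror_subnets from mirror-config.json as network objects, plus the IP labels."""
    cfg = json.loads(config_json)
    return ([ipaddress.ip_network(n) for n in cfg.get("mirror_subnets", [])],
            cfg.get("mirror_ip_labels", {}))

def count_window(frames, subnets):
    """Per-destination packet count and protocol mix for one 1-second window."""
    pps, mix = Counter(), {}
    for frame in frames:
        dst, proto = parse_ip(*parse_ethernet(frame))
        if dst is None:
            continue
        addr = ipaddress.ip_address(dst)
        if subnets and not any(addr in net for net in subnets):
            continue                      # outside the monitored segment
        pps[dst] += 1
        mix.setdefault(dst, Counter())[proto] += 1
    return pps, mix

# Constructed frames for offline use (no capture; MACs and checksums left zero).
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def ipv6(src, dst, next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def gre(inner_type, inner, key=None):     # key=... sets the K flag and adds the key word
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, inner_type)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + inner
def ether(ethertype, payload, vlans=()):  # outer tag of a QinQ pair uses TPID 0x88A8
    frame = bytes(12)
    for i, vid in enumerate(vlans):
        frame += struct.pack("!HH", ETH_QINQ if i == 0 and len(vlans) > 1 else ETH_VLAN, vid)
    return frame + struct.pack("!H", ethertype) + payload

CONFIG = json.dumps({"mirror_mode": True, "mirror_interface": "eth1",
                     "mirror_subnets": ["10.0.0.0/24", "2001:db8::/32"],
                     "mirror_ip_labels": {"10.0.0.10": "Web Server"}})

def sample_window():
    udp = ipv4("203.0.113.7", "10.0.0.10", PROTO_UDP, bytes(8))
    frames = [ether(ETH_IPV4, udp)] * 5                          # untagged
    frames += [ether(ETH_IPV4, udp, vlans=(100,))] * 2            # 802.1Q
    frames += [ether(ETH_IPV4, udp, vlans=(200, 100))]            # QinQ
    tcp = ipv4("203.0.113.9", "10.0.0.10", PROTO_TCP, bytes(20))  # GRE to .20 carrying TCP to .10
    frames += [ether(ETH_IPV4, ipv4("198.51.100.1", "10.0.0.20", PROTO_GRE, gre(ETH_IPV4, tcp, key=7)))]
    frames += [ether(ETH_IPV6, ipv6("2001:db8:1::1", "2001:db8::10", PROTO_ICMPV6, bytes(8)))]
    frames += [ether(ETH_IPV4, ipv4("203.0.113.7", "192.0.2.5", PROTO_UDP, b""))]   # filtered out
    return frames

if __name__ == "__main__":
    subnets, labels = load_filter(CONFIG)
    pps, mix = count_window(sample_window(), subnets)
    for dst, n in pps.most_common():
        print(f"{dst:<16} {labels.get(dst, '-'):<12} {n} pkt/s  {dict(mix[dst])}")
```

The GRE packet in the sample is addressed to 10.0.0.20 but carries a TCP segment for 10.0.0.10, and it is counted against 10.0.0.10; that is the behaviour you want when scrubbed or tunnelled traffic arrives at a tunnel endpoint, and the opposite of what you want if the tunnel endpoint itself is the target, which is why the page offers manual as well as automatic decapsulation. Beyond MAX_GRE_DEPTH the packet is counted as "gre" against the outermost destination reached.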

Monitoring Modes

Three ways to monitor. Pick what fits your network.

Agent Mode

Install the FTAgent on each server. Monitors its own traffic via kernel counters. Best for individual servers and VPS.

Mirror / SPAN Mode

One monitoring server captures mirrored traffic from a switch SPAN port. Per-IP detection across an entire segment. Best for network operators.

Flow Mode

Ingest sFlow, NetFlow, or IPFIX from routers. Sampled upstream visibility without packet capture. Best for transit networks.

vs. FastNetMon

Built for the same use case. Designed for modern teams.

FastNetMon popularized SPAN-based DDoS detection. Flowtriq's mirror mode provides the same per-IP monitoring capability with a modern cloud dashboard, per-IP baseline learning, multi-channel alerting, automated runbooks, and a full REST API.

Typical SPAN Monitor

  • Static per-IP thresholds
  • CLI-only configuration
  • Single notification channel
  • No per-IP forensics
  • Manual threshold tuning

Flowtriq Mirror Mode

  • Dynamic per-IP baselines (p99 x 3)
  • Web dashboard + full REST API
  • 12+ alert channels + escalation
  • Per-IP PCAP + protocol classification
  • Automatic baseline learning
ftagent mirror-mode log
[INFO] Mirror Agent starting on SPAN interface eth1
[INFO] AF_PACKET capture with 4 fanout workers
[INFO] Monitoring subnets: 10.0.0.0/24
[INFO] Baseline building for 47 destination IPs...
[INFO] Per-IP baselines ready (47 IPs tracked)
[WARN] MIRROR ATTACK DETECTED on 10.0.0.10 (Web Server) PPS=8,650 threshold=450 family=udp_flood
[INFO] Incident opened: 712e467e-47b4...
[INFO] PCAP capture started (dst host 10.0.0.10)
[WARN] MIRROR ATTACK ENDED on 10.0.0.10 duration=74s peak=8,650 PPS subtype=volumetric

FAQ

Common questions

How is mirror mode different from agent mode?

In agent mode, the FTAgent runs on each server and monitors its own traffic via /proc/net/dev. In mirror mode, a single FTAgent instance captures packets from a SPAN/mirror port and detects attacks targeting any destination IP in the monitored segment. Each IP gets its own independent baseline and threshold.

What kind of switch/router configuration do I need?

You need a switch or router that supports port mirroring (SPAN), RSPAN, or a network TAP. Configure it to copy traffic from your uplink or specific VLANs to a dedicated monitoring port, then connect a server running the FTAgent to that port. Keep in mind that a SPAN session copies every mirrored frame onto one egress port: mirroring several busy uplinks into a single 1 GbE monitoring port oversubscribes it, and the switch silently drops the copies it cannot forward, so size the monitoring NIC for the aggregate mirrored traffic or use a TAP where capture fidelity matters.

Can mirror mode handle high packet rates?

Yes. On Linux the capture engine uses AF_PACKET with PACKET_FANOUT to spread incoming packets across several worker threads, handling millions of packets per second. A tcpdump fallback mode is also available for environments where native AF_PACKET capture cannot be used; expect lower throughput from it than from the native backend.

What happens when an attack is detected on one IP?

Each destination IP is tracked independently. When one IP exceeds its per-IP threshold, an incident is opened for that specific IP. Other IPs on the same segment continue to be monitored normally. Multiple IPs can be under attack simultaneously with separate incidents.

Can I use mirror mode alongside flow collection?

Yes. Mirror mode can operate with AF_PACKET capture from a SPAN port, sFlow/NetFlow/IPFIX from routers, or both. When both sources are available, the agent merges them per-IP and uses the higher reading for each destination.

How does baseline learning work per-IP?

Each destination IP gets its own BaselineManager instance with a sliding window (default 5 minutes). The agent learns each IP's normal traffic pattern independently, so a web server at 10K PPS and a database at 200 PPS each get appropriate thresholds. New IPs use a 10K PPS absolute floor until their baseline is established.