Glossary
Definitions for DDoS, network security, and Flowtriq-specific terms. Each entry includes a one-sentence definition, a technical explanation, and how the concept applies in Flowtriq where relevant.
ftagent #
ftagent is a lightweight Python package installed with pip install ftagent. It reads kernel-level PPS/BPS every second, classifies attacks across 7 families, executes automated mitigation (iptables, nftables, XDP/eBPF, cloud APIs), captures PCAPs with a pre-attack ring buffer, and dispatches alerts wherever your NOC works. Resource usage is under 0.1% CPU and under 30 MB RAM. It runs on any modern Linux distribution (Ubuntu 20.04+, Debian 11+, CentOS 8+). Applying iptables, nftables, or XDP rules requires CAP_NET_ADMIN, so the agent runs with elevated privileges; pin the package version you install and treat its update path as part of the host's attack surface.
ftagent-lite #
ftagent-lite outputs real-time PPS/BPS with protocol breakdown (TCP/UDP/ICMP) and source IP tracking to the terminal. It supports JSON output for scripting. It does not include dashboard connectivity, alerting, PCAP capture, mitigation, or BGP functionality. It is a standalone monitoring tool.
Node #
A node is a Linux server, VM, container, or network appliance with ftagent installed. Each node has its own traffic baseline, detection threshold, and incident history. Pricing is per node ($9.99/month).
Workspace #
A workspace contains nodes, incidents, alert configurations, team members, and audit logs. Each workspace is isolated from others. Multi-workspace setups are used by MSPs and hosting providers serving multiple customers.
Incident #
An incident is created when traffic on a node crosses the detection threshold. It includes the attack family classification, confidence score, peak PPS/BPS, affected protocols, source IP analysis, PCAP data, mitigation actions taken, and a full timeline from detection to resolution.
Dynamic Baselines #
Flowtriq tracks each node's traffic pattern with a 300-sample sliding window and a 99th-percentile (p99) calculation. The window collects one PPS sample per second and recalculates the p99 every 10 ticks (~10 seconds). The detection threshold defaults to 3x the p99 PPS, so every node gets an independent, continuously updated threshold without manual configuration. Because the window holds 300 one-second samples, baselines converge within approximately 5 minutes of agent startup; the first minutes after startup are a warm-up period in which the threshold is still settling.
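A minimal model of the baseline described above, as an added example that is not ftagent's code: a 300-sample window, nearest-rank p99 recomputed every 10 ticks, and a threshold of 3x p99. Keeping threshold-crossing samples out of the window (so an attack cannot raise its own baseline) is this example's own assumption, not something the page states.

```python
from collections import deque
import math

WINDOW = 300        # one PPS sample per second, so 5 minutes of history
RECALC_EVERY = 10   # recompute p99 every 10 ticks (~10 seconds)
MULTIPLIER = 3.0    # detection threshold = 3 x p99


def percentile(values, pct):
    """Nearest-rank percentile over the current window (p99 here)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


class NodeBaseline:
    """Per-node sliding-window baseline with a p99-derived threshold."""

    def __init__(self, window=WINDOW, recalc_every=RECALC_EVERY, multiplier=MULTIPLIER):
        self.samples = deque(maxlen=window)   # oldest sample is evicted automatically
        self.recalc_every = recalc_every
        self.multiplier = multiplier
        self.tick = 0
        self.p99 = 0
        self.threshold = 0.0

    def observe(self, pps):
        """Feed one PPS sample; returns True when it crosses the threshold.

        Assumption of this example: samples that cross the threshold are not
        added to the window, so an attack cannot inflate its own baseline.
        """
        self.tick += 1
        if self.tick > 1 and pps > self.threshold:
            return True
        self.samples.append(pps)
        if self.tick == 1 or self.tick % self.recalc_every == 0:
            self.p99 = percentile(self.samples, 99)
            self.threshold = self.multiplier * self.p99
        return False


def detect(trace):
    """Run a per-second PPS trace through one node's baseline.

    Returns (indices that crossed the threshold, final p99, final threshold).
    """
    baseline = NodeBaseline()
    crossings = [i for i, pps in enumerate(trace) if baseline.observe(pps)]
    return crossings, baseline.p99, baseline.threshold


if __name__ == "__main__":
    # Constructed trace: 5 minutes of benign traffic, then a 5-second flood.
    benign = [800, 1000, 1200, 900, 1100] * 60
    print(detect(benign + [20000] * 5))  # ([300, 301, 302, 303, 304], 1200, 3600.0)
```

Note the warm-up behaviour: during the first tick the threshold is derived from a single sample, so a large legitimate jump in the first seconds after startup would be flagged, which is why a converged window matters.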
Attack Profiles #
Attack profiles let you define which firewall rules, BGP actions, and cloud scrubbing triggers should execute for specific attack families (UDP flood, SYN flood, HTTP flood, etc.). When Flowtriq classifies an attack, it matches the classification to a profile and executes the configured response automatically.
Flow Source #
Flow sources provide network-wide traffic visibility from the router level rather than per-server. One flow source equals one device sending flow data. Pricing is separate from per-node pricing and starts at $19/source/month with volume discounts.
Mirror Mode / SPAN Mode #
Instead of installing an agent on every server, Mirror Mode connects to a switch's mirror/SPAN port and builds independent baselines for each destination IP it observes. This provides per-IP DDoS detection across an entire subnet from a single monitoring point.
BGP FlowSpec #
BGP FlowSpec (RFC 5575, obsoleted by RFC 8955) lets a BGP speaker distribute fine-grained traffic filtering rules to other BGP speakers, typically the upstream or edge routers. A rule matches on destination/source prefix, IP protocol, ports, ICMP type/code, TCP flags, packet length, DSCP, and fragment bits, and carries its action as an extended community (traffic-rate, where a rate of 0 means discard; traffic-action; redirect; traffic-marking). Unlike RTBH, which drops all traffic to a destination, FlowSpec can selectively rate-limit or drop specific traffic types while allowing legitimate traffic through. It is supported by most modern network operating systems (Junos, IOS-XR, FRRouting, BIRD 2), but the upstream must be configured to accept FlowSpec routes from you, so confirm that with your provider before relying on it.
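The wire encoding behind a FlowSpec rule, as an added example that is not part of the page or of Flowtriq: it builds the RFC 8955 NLRI for "UDP from source port 53, longer than 512 bytes, to 192.0.2.10/32" and the traffic-rate extended community that discards it. The component types, numeric operator byte and the 0x8006 community follow RFC 8955; AS 64496 and the victim address are documentation values chosen here. A BGP speaker such as ExaBGP or FRRouting would carry these bytes in an MP_REACH_NLRI update.

```python
import struct
from ipaddress import IPv4Network

# Component types (RFC 8955, section 4.2); components must appear in ascending type order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT, PKT_LENGTH = 1, 2, 3, 4, 5, 6, 10

# Numeric operator byte layout: e(end-of-list) a(and) len len 0 lt gt eq
END, AND = 0x80, 0x40
LT, GT, EQ = 0x04, 0x02, 0x01
LEN_CODE = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}   # value size in bytes -> len bits


def prefix_component(ctype, cidr):
    """Type 1/2: one byte of prefix length, then only the significant prefix octets."""
    net = IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, terms):
    """Types 3-6 and 10: a list of (operator, value) terms.

    Terms are ORed; include AND in an operator to combine it with the previous
    term (e.g. length > 512 AND < 1500). The last term gets the end-of-list bit.
    """
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        byte = op | LEN_CODE[size]
        if i == len(terms) - 1:
            byte |= END
        out.append(byte)
        out += value.to_bytes(size, "big")
    return bytes(out)


def flowspec_nlri(*components):
    """Order components by type and prepend the NLRI length (1 byte below 240, else 2)."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate(asn, bytes_per_second):
    """traffic-rate extended community (type 0x80, sub-type 0x06); a rate of 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bytes_per_second)


def dns_reflection_rule(victim_cidr, asn, limit_bps=0.0):
    """Match large UDP packets from source port 53 to the victim; rate-limit or drop them."""
    nlri = flowspec_nlri(
        prefix_component(DST_PREFIX, victim_cidr),
        numeric_component(IP_PROTO, [(EQ, 17)]),
        numeric_component(SRC_PORT, [(EQ, 53)]),
        numeric_component(PKT_LENGTH, [(GT, 512)]),
    )
    return nlri, traffic_rate(asn, limit_bps)


if __name__ == "__main__":
    nlri, community = dns_reflection_rule("192.0.2.10/32", 64496)
    print(nlri.hex())       # 100120c000020a0381110681350a920200
    print(community.hex())  # 8006fbf000000000
```

Reading the NLRI back: 0x10 is the 16-byte body length, 01 20 c0000 20a is the /32 destination, 03 81 11 is "protocol == 17" with the end bit set, 06 81 35 is "source port == 53", and 0a 92 0200 is "packet length > 512" with a 2-byte value.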
RTBH (Remote Triggered Black Hole) #
RTBH works by announcing a host route (/32 for IPv4, /128 for IPv6) for the victim address, tagged with a well-known community, typically BLACKHOLE 65535:666 (RFC 7999) or a provider-specific community, to upstream routers. Those routers install a discard route, dropping all traffic to that address before it consumes the downstream link. RTBH is a last-resort mitigation: it stops the attack but also drops legitimate traffic to the target IP, completing the denial of service for that one address in exchange for keeping the rest of the network up. It is fast (it takes effect as soon as the BGP announcement propagates) and needs no special hardware, only an upstream that has agreed to honor blackhole announcements for your prefixes.
sFlow #
sFlow samples 1-in-N packets on switch/router interfaces, together with periodic interface counters, and exports them as UDP datagrams to a collector. RFC 3176 describes sFlow version 4; the current version, sFlow v5, is specified by sflow.org. Unlike NetFlow, sFlow is stateless (no flow table on the device) and exports sampled packet headers rather than tracking flows, which keeps it lightweight on network hardware and suitable for high-throughput environments. Because every count is an estimate scaled by the sampling rate, low-rate attacks can hide below the sampling floor.
NetFlow #
NetFlow tracks unidirectional flows (keyed by source/destination IP, ports, protocol, and interface) in a flow cache on the exporting device and exports summary records (packet and byte counts, timestamps, TCP flags) to a collector when a flow ends or times out. NetFlow v5 exports fixed-format, IPv4-only records; NetFlow v9 uses templates for flexible field definitions and adds IPv6. Because records are per-flow aggregates rather than sampled packets, unsampled NetFlow gives exact per-flow counts (sampled NetFlow also exists and needs the same scaling as sFlow), but the flow cache costs memory on the device and detection latency is bounded by the exporter's active and inactive timeouts, since a record for a long-lived flow is not exported until a timeout fires.
IPFIX #
IPFIX (IP Flow Information Export, RFC 7011) is the IETF-standardized successor to NetFlow v9. It uses the same template-based architecture but adds enterprise-specific information elements, variable-length fields, and SCTP as the mandatory-to-implement transport (UDP and TCP are optional). Most modern routers and switches support IPFIX alongside or instead of NetFlow.
BGP (Border Gateway Protocol) #
BGP (RFC 4271) is the protocol ISPs and large networks use to exchange routing information. Every prefix reachable on the internet is announced via BGP. In DDoS mitigation, BGP is used to redirect traffic (via RTBH or FlowSpec) or divert it to scrubbing centers. BGP-based mitigation is powerful because it operates at the network edge, dropping or filtering attack traffic before it reaches its target.
DDoS (Distributed Denial of Service) #
DDoS attacks flood a server, network, or application with more traffic than it can handle. "Distributed" means the traffic comes from many sources (a botnet, reflectors, or spoofed IPs), making it harder to block. DDoS attacks operate at different network layers: L3/L4 attacks (volumetric floods) target bandwidth and connection capacity; L7 attacks target application resources like HTTP request processing.
L3/L4 Attacks (Volumetric Floods) #
L3/L4 attacks include UDP floods, SYN floods, ICMP floods, DNS amplification, and NTP reflection. These attacks aim to saturate bandwidth or exhaust connection state tables. They are measured in packets per second (PPS) and bits per second (BPS). Most DDoS attacks are L3/L4.
L7 Attacks (Application-Layer Floods) #
L7 attacks send legitimate-looking requests (HTTP GETs, POSTs, API calls) at high volume to exhaust server CPU, memory, or database connections. They often use low bandwidth and low PPS, making them harder to detect with network-layer monitoring alone. HTTP floods are the most common L7 attack type.
UDP Flood #
UDP floods are the most common DDoS attack type. They include direct floods, amplification attacks (memcached, NTP, SSDP, CLDAP, DNS), and reflection attacks. Because UDP is connectionless, source IPs are easily spoofed and there is no handshake that lets the target verify a sender before doing work, so mitigation has to rely on rate limits and on filtering by port, packet size, and payload pattern rather than on connection state.
SYN Flood #
SYN floods exploit the TCP three-way handshake by sending SYN packets without completing the handshake (never sending the final ACK). This fills the server's half-open connection table, preventing legitimate connections. Modern kernels mitigate SYN floods with SYN cookies, but high-volume SYN floods can still saturate bandwidth.
Amplification Attack #
The attacker sends small requests with a spoofed source IP (the target's IP) to public servers running protocols like DNS, NTP, memcached, or SSDP. These servers reply with much larger responses directed at the target. Amplification factors range from roughly 30x (SSDP) through hundreds of times (NTP monlist) to over 50,000x (memcached), turning a small amount of attacker bandwidth into a massive volumetric flood. Because the responses come from real servers on well-known source ports (53, 123, 1900, 11211), they can be matched by source port and packet size, which is what makes FlowSpec and firewall rules effective against them.
IP Spoofing #
Most volumetric DDoS attacks use spoofed source IPs, meaning the source addresses in attack packets are fake. This makes tracing the attack origin difficult and is what enables amplification/reflection attacks. Spoofing can be inferred from TTL analysis: packets claiming the same source IP but arriving with inconsistent TTLs (and therefore inconsistent hop distances) are unlikely to come from one real host. Treat this as a heuristic rather than proof, since legitimate traffic from behind a NAT gateway or across asymmetric routes can also show TTL variation. The structural fix is ingress filtering at the network edge (BCP 38 / RFC 2827), which stops spoofed packets at the source network.
DDoS Mitigation #
Mitigation methods include on-host firewall rules (iptables, nftables), network-level filtering (BGP FlowSpec, ACLs), traffic blackholing (RTBH), traffic diversion to scrubbing centers, rate limiting, and application-layer rules. Effective mitigation often combines multiple methods: local rules for immediate response, BGP announcements for network-wide protection, and scrubbing for volumetric attacks that exceed local capacity.
Scrubbing / Scrubbing Center #
Traffic scrubbing works by diverting the target's incoming traffic (usually via BGP) through a scrubbing center. The scrubbing center inspects each packet, drops attack traffic, and forwards clean traffic back to the origin. Scrubbing is used for volumetric attacks that exceed the target's local bandwidth. Scrubbing providers include Cloudflare Magic Transit, OVH VAC, Hetzner, and AWS Shield Advanced.
XDP/eBPF #
XDP (eXpress Data Path) runs eBPF programs attached to the network driver to process packets at the earliest possible point in the kernel, before socket buffers are allocated. This enables packet filtering at speeds approaching line rate with minimal CPU overhead. XDP can drop, redirect, or modify packets without involving the full network stack. Native XDP needs driver support; on drivers without it the kernel falls back to generic XDP, which runs after skb allocation and loses most of the performance advantage, so check the driver before relying on XDP against a high-PPS flood.
SYN Cookies #
When SYN cookies are enabled (net.ipv4.tcp_syncookies on Linux), the kernel encodes the connection parameters into the SYN-ACK sequence number instead of storing them in the half-open connection table. The server only allocates connection state when it receives an ACK whose acknowledgment number carries a valid cookie. This prevents SYN floods from exhausting the half-open table. The trade-off is that a cookie has only 32 bits, so TCP options such as window scaling and SACK are lost for cookie-validated connections unless the client sent TCP timestamps, and cookies do nothing about the bandwidth or CPU consumed by the SYN packets themselves.
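A simplified model of the SYN cookie scheme, added here as an example and not the Linux implementation: the cookie packs a minute counter into the top 8 bits and a keyed hash of the 4-tuple plus an MSS bucket index into the low 24 bits, so the server can validate the final ACK with no stored state. The HMAC construction, MSS table and 2-minute expiry are this example's assumptions; the kernel's real cookie (net/ipv4/syncookies.c) uses SipHash over the 4-tuple and also encodes selected options in the TCP timestamp when the client sends timestamps.

```python
import hashlib
import hmac

# MSS buckets encoded in the low bits of the cookie (the kernel uses a similar small table).
MSS_TABLE = [536, 1300, 1440, 1460]
COUNT_BITS = 24          # cookie = isn + (count << 24) + ((H + mss_index) mod 2^24)
MAX_AGE_MINUTES = 2      # cookies older than this are rejected


def _cookie_hash(secret, saddr, daddr, sport, dport, count):
    """Keyed hash over the 4-tuple and the minute counter, truncated to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now_minutes):
    """Server side on SYN: the SYN-ACK sequence number that encodes the connection."""
    count = now_minutes & 0xFF
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _cookie_hash(secret, saddr, daddr, sport, dport, count)
    low = (h + mss_idx) & 0xFFFFFF
    return (client_isn + (count << COUNT_BITS) + low) & 0xFFFFFFFF


def check_cookie(secret, saddr, daddr, sport, dport, seq, ack_seq, now_minutes):
    """Server side on the final ACK: returns the negotiated MSS, or None if invalid or expired."""
    client_isn = (seq - 1) & 0xFFFFFFFF      # the client's SYN carried seq - 1
    cookie = (ack_seq - 1) & 0xFFFFFFFF      # the client acknowledges cookie + 1
    diff = (cookie - client_isn) & 0xFFFFFFFF
    count = diff >> COUNT_BITS
    if ((now_minutes - count) & 0xFF) > MAX_AGE_MINUTES:
        return None                          # stale cookie (or replayed from an old minute)
    h = _cookie_hash(secret, saddr, daddr, sport, dport, count)
    mss_idx = ((diff & 0xFFFFFF) - h) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                          # hash mismatch: wrong 4-tuple, secret or forged ACK
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    secret = b"per-boot-secret"              # the kernel regenerates its secret periodically
    tuple4 = (secret, "198.51.100.5", "192.0.2.10", 40000, 443)
    isn = 123456789
    cookie = make_cookie(*tuple4, isn, 1460, 1000)
    print(check_cookie(*tuple4, isn + 1, cookie + 1, 1001))   # 1460
    print(check_cookie(*tuple4, isn + 1, cookie + 1, 1005))   # None (expired)
```

Note what the server never does here: it allocates nothing between the SYN and the ACK, which is exactly why a flood of SYNs with spoofed sources cannot fill a table. Only a client that actually receives the SYN-ACK (so a non-spoofed one) can return the cookie.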
Null Routing (Blackholing) #
Local null routing installs a blackhole route on the host (on Linux, ip route add blackhole 203.0.113.5/32), so packets the host would send or forward to that destination are discarded. On a router this drops forwarded attack traffic; on an end host it mainly suppresses replies, since inbound packets still arrive at the NIC. At the network level, RTBH achieves the same effect across multiple routers via BGP. Null routing stops attack traffic but also drops all legitimate traffic to the target, so it is a last-resort mitigation for situations where preserving the rest of the network outweighs the impact on a single IP.
Rate Limiting #
Rate limiting can be applied at multiple levels: per-source IP (iptables hashlimit), per-protocol (BGP FlowSpec rate-limit), or per-application (nginx limit_req). It reduces attack impact while allowing some traffic through, making it less disruptive than a full block or blackhole.
Agent-Based Detection #
In agent-based detection, a lightweight process on each server reads traffic metrics directly from the kernel, providing per-server visibility with zero sampling. This contrasts with flow-based detection, which relies on sampled flow records from routers. Agent-based detection sees every packet that reaches the server, provides per-node baselines, and can execute local mitigation rules without network-level access. In Flowtriq, ftagent reads the interface counters in /proc/net/dev every second. The limitation is the converse of flow-based detection: an agent only sees traffic that reaches its own NIC, so once an attack saturates the upstream link the agent measures the surviving fraction, not the full attack size.
Flow-Based Detection #
Flow-based detection processes sFlow, NetFlow, or IPFIX records from network devices. It provides network-wide visibility (all traffic passing through a router) but is subject to sampling ratios (e.g., 1-in-1,000 packets), so every packet count must be scaled back up by the sampling rate and attacks below the sampling floor may not register at all. Flow-based detection is the approach used by tools like FastNetMon, Wanguard, and Kentik.
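A parser for the NetFlow v5 records described under NetFlow, used the way a flow-based detector would use them, as an added example (not Flowtriq's collector): it decodes the 24-byte header and 48-byte records, reads the sampling interval from the header, and scales sampled packet counts per destination. The datagram builder constructs test input in the same wire format; the addresses and counts are made up.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by 48-byte fixed records (IPv4 only).
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Return (sampling_interval, records) from one exporter datagram.

    sampling_interval is 0 when the exporter reports unsampled flows.
    """
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: fewer bytes than the record count claims")
    interval = sampling & 0x3FFF            # low 14 bits; the top 2 bits are the sampling mode
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return interval, records


def estimated_packets_by_dst(datagram):
    """Scale sampled packet counts back up by the sampling interval, per destination IP."""
    interval, records = parse_netflow_v5(datagram)
    scale = interval if interval else 1     # 0 means unsampled: counts are already exact
    totals = Counter()
    for r in records:
        totals[r["dst"]] += r["packets"] * scale
    return dict(totals)


def build_v5_datagram(flows, sampling_interval):
    """Constructed exporter output for offline testing (not a real router capture).

    flows: (src, dst, proto, sport, dport, sampled_packets, sampled_bytes) tuples.
    """
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, (1 << 14) | sampling_interval)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                       pkts, octets, 0, 1000, sport, dport, 0, 0, proto, 0, 0, 0, 32, 32, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows
    )
    return header + body


if __name__ == "__main__":
    # Constructed sample: two DNS-reflection flows to one victim, one ordinary HTTPS flow.
    flows = [
        ("198.51.100.5", "192.0.2.10", 17, 53, 40000, 5, 5000),
        ("198.51.100.9", "192.0.2.10", 17, 53, 40001, 7, 7000),
        ("203.0.113.7", "192.0.2.20", 6, 443, 51000, 3, 900),
    ]
    print(estimated_packets_by_dst(build_v5_datagram(flows, 1000)))
    # {'192.0.2.10': 12000, '192.0.2.20': 3000}
```

The 1-in-1000 sampling is what turns 12 sampled packets into an estimated 12,000: a detector that forgets the scaling step under-reports every attack by the sampling ratio, and one that applies it to an unsampled exporter over-reports by the same factor.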
EWMA (Exponentially Weighted Moving Average) #
EWMA smooths time-series data by applying an exponential decay to older observations. The smoothing factor α controls how quickly the average responds to changes: higher α makes it more responsive (tracks recent changes), lower α makes it more stable (resists noise). EWMA is widely used for anomaly detection because it adapts to changing baselines without storing full history.
PPS (Packets Per Second) #
PPS measures the packet rate rather than bandwidth. Small-packet attacks (SYN floods, ACK floods) can overwhelm a server's CPU and NIC processing capacity even at low bandwidth. A server might handle 10 Gbps of large packets but fail at 500K PPS of small packets. PPS is often the more relevant detection metric.
BPS (Bits Per Second) #
BPS measures how much bandwidth an attack consumes. Volumetric attacks (UDP floods, amplification) aim to saturate the target's uplink capacity. BPS is the primary metric for volumetric attacks and determines when BGP-level mitigation (FlowSpec, RTBH, scrubbing) should activate.
Confidence Scoring #
Confidence scoring accounts for ambiguity in attack classification. A traffic spike that clearly matches a known UDP flood pattern might score 95% confidence. A spike with mixed protocol characteristics might score 60%. Confidence scores help operators prioritize response: high-confidence incidents trigger automatic mitigation; lower-confidence events may warrant manual review.
PCAP (Packet Capture) #
PCAP files contain full packet data (headers and payload) captured from a network interface. They can be analyzed in tools like Wireshark and tshark. PCAP captures provide forensic evidence of what traffic was on the wire during an incident, including exact packet contents, timing, source/destination addresses, and protocol details.
Pre-Attack Ring Buffer #
Most capture tools start recording when detection triggers. This means the initial attack packets that caused the threshold crossing are lost. A ring buffer continuously records the most recent N packets, overwriting old data. When detection fires, the ring buffer contents become the first section of the PCAP, providing forensic evidence of the attack's first moments.
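The ring-buffer handoff described above, as an added example rather than ftagent's capture code: a deque holds the last N frames, detection freezes them as the head of the capture, later frames append, and the result is written in the classic libpcap format (magic 0xa1b2c3d4, version 2.4, link type 1) that Wireshark and tshark read. The frames and timestamps are constructed; a real agent would feed frames from AF_PACKET or a capture library.

```python
import struct
from collections import deque

# Classic libpcap file format: 24-byte global header, then a 16-byte header per packet.
PCAP_MAGIC_USEC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = struct.Struct("<IHHiIII")
RECORD_HEADER = struct.Struct("<IIII")


class PreAttackCapture:
    """Ring buffer of the most recent N frames that becomes the head of the incident PCAP."""

    def __init__(self, ring_size):
        self.ring = deque(maxlen=ring_size)   # (ts_sec, ts_usec, frame); oldest evicted first
        self.recording = []
        self.triggered = False

    def packet(self, ts_sec, ts_usec, frame):
        if self.triggered:
            self.recording.append((ts_sec, ts_usec, frame))
        else:
            self.ring.append((ts_sec, ts_usec, frame))

    def trigger(self):
        """Called when detection fires: the ring contents become the first section of the capture."""
        self.triggered = True
        self.recording = list(self.ring)
        self.ring.clear()

    def to_pcap(self, snaplen=65535):
        out = GLOBAL_HEADER.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
        for ts_sec, ts_usec, frame in self.recording:
            data = frame[:snaplen]
            out += RECORD_HEADER.pack(ts_sec, ts_usec, len(data), len(frame)) + data
        return out


def read_pcap(blob):
    """Minimal reader for the format above; returns [(ts_sec, ts_usec, frame), ...]."""
    magic, major, minor, _tz, _sig, _snaplen, _linktype = GLOBAL_HEADER.unpack_from(blob, 0)
    if magic != PCAP_MAGIC_USEC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian microsecond pcap file")
    packets, off = [], GLOBAL_HEADER.size
    while off < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HEADER.unpack_from(blob, off)
        off += RECORD_HEADER.size
        packets.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return packets


def simulate(ring_size, pre_attack, post_attack):
    """Constructed run: pre_attack frames arrive, detection fires, post_attack frames follow."""
    cap = PreAttackCapture(ring_size)
    for i, frame in enumerate(pre_attack):
        cap.packet(1_700_000_000, i, frame)
    cap.trigger()
    for i, frame in enumerate(post_attack):
        cap.packet(1_700_000_001, i, frame)
    return read_pcap(cap.to_pcap())


if __name__ == "__main__":
    # Constructed frames labelled by sequence number in their last byte (not real traffic).
    frames = [b"\xff" * 12 + b"\x08\x00" + bytes([n]) for n in range(10)]
    for ts_sec, ts_usec, frame in simulate(3, frames[:7], frames[7:]):
        print(ts_sec, ts_usec, frame[-1])   # frames 4, 5, 6 from the ring, then 7, 8, 9
```

With a ring of three, frames 0 through 3 are gone by the time detection fires; sizing the ring is a trade-off between memory per node and how many seconds of pre-attack context the PCAP preserves.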
Audit Log (Hash-Chained) #
In a hash-chained audit log, each entry stores a SHA-256 hash computed over the previous entry's hash plus all of the current entry's fields. Modifying, inserting, or deleting any entry breaks the chain from that point forward, making tampering detectable by recomputing the hashes. A chain alone does not detect truncation from the tail or a full rewrite by someone who can write the log, so the latest hash should be anchored somewhere the log writer cannot change (an external store or a signature). This provides tamper-evident integrity records for compliance frameworks (SOC 2, PCI-DSS, HIPAA, NIS2).
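A hash-chained log with an external anchor, added as an example of the scheme (not Flowtriq's audit-log implementation): each entry's SHA-256 covers the previous hash and a canonical JSON encoding of its fields, verify() walks the chain, and comparing the head against a hash stored outside the log is what catches a truncated tail. Entry contents are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # the hash "before" the first entry


def entry_hash(prev_hash, fields):
    """SHA-256 over the previous hash and a canonical (sorted-key) JSON encoding of the fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        fields = {"seq": len(self.entries), **fields}
        self.entries.append({**fields, "hash": entry_hash(prev, fields)})
        return self.entries[-1]["hash"]

    def head(self):
        """Latest hash; store it somewhere the log writer cannot modify."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, len(entries) when the chain is
        internally consistent but its head differs from the external anchor, or None
        when everything checks out."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if fields.get("seq") != i or entry["hash"] != entry_hash(prev, fields):
                return i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def demo():
    """Constructed scenario: an intact chain, a truncated tail, and an in-place edit."""
    log = AuditLog()
    log.append(actor="noc@example.com", action="profile.update", node="edge-01")
    log.append(actor="ftagent", action="mitigation.apply", rule="drop udp/53 len>512")
    log.append(actor="ftagent", action="incident.resolve", incident=42)
    anchor = log.head()                         # what you would ship to an external store
    results = {"intact": log.verify(anchor)}    # None
    log.entries.pop()                           # drop the newest entry
    results["truncated_no_anchor"] = log.verify()   # None: the chain itself still verifies
    results["truncated"] = log.verify(anchor)       # 2: only the anchor catches the missing tail
    log.entries[1]["rule"] = "drop udp/53"      # silent edit of an older entry
    results["edited"] = log.verify(anchor)      # 1: hash no longer matches from entry 1 onward
    return results


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one to notice: a chain that only verifies itself is happy with a shortened log, so the anchor (or a signature over the head) is not optional if the log is meant to be evidence.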