Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Your Problems, a Comic
Learn
Free Certifications Mirai Botnet Kill Switch State of DDoS 2026 REPORT DDoS Protection Landscape Hackathon Sponsorships
Company
About Us Partners White Label Managed Protection Contact Us System Status
Legal
Security Trust Center Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →
Agones 1.0+ GameServer Labels SDK Sidecar API

DDoS Detection for
Agones GameServers

Detect attacks on individual GameServer pods and label them via the Agones SDK sidecar REST API. Use the labels to drain attacked servers, steer matchmaking, and trigger fleet-level automation.

How It Works

Game Server
Under DDoS attack
ftagent sidecar
Detects attack in-pod
Agones SDK sidecar
Labels GameServer CR
Fleet / Autoscaler
Drain + replace

Setup

Get started in three steps

1

Add ftagent as a sidecar

Add the ftagent container to your GameServer pod spec alongside the Agones SDK sidecar. Both containers share the pod network, so ftagent sees the same traffic your game server does.

2

Enable the Agones integration

Set agones_sidecar: true in your ftagent config. The agent will call the SDK sidecar at localhost:59358 to label the GameServer when an attack is detected.

3

Wire up your fleet response

Use Agones FleetAutoscaler policies, allocation label selectors, or your matchmaker to react to the flowtriq.com/under-attack label. Steer players away from attacked servers automatically.

Configuration

GameServer pod spec

Add ftagent as a sidecar container in your Agones GameServer template. The Agones SDK sidecar is already present by default.

# gameserver.yaml
apiVersion: agones.dev/v1
kind: GameServer
metadata:
  name: my-game-server
spec:
  ports:
    - name: default
      containerPort: 7654
      protocol: UDP
  template:
    spec:
      containers:
        - name: game-server
          image: your-game:latest

        # Flowtriq DDoS detection sidecar
        - name: ftagent
          image: flowtriq/ftagent:latest
          securityContext:
            capabilities:
              add: [NET_RAW, NET_ADMIN]
          env:
            - name: FTAGENT_API_KEY
              valueFrom:
                secretKeyRef:
                  name: flowtriq-credentials
                  key: api-key
            - name: FTAGENT_NODE_UUID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: ftagent-config
              mountPath: /etc/ftagent
      volumes:
        - name: ftagent-config
          configMap:
            name: ftagent-agones-config
# ftagent ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: ftagent-agones-config
data:
  config.json: |
    {
      "api_key":           "your-api-key",
      "node_uuid":         "",
      "interface":         "auto",
      "agones_sidecar":    true,
      "agones_sidecar_port": 59358
    }

Labels

Labels applied to GameServer

When ftagent detects an attack, it sets these labels on the GameServer resource via the SDK sidecar. All labels are cleared when the attack ends.

LabelValueWhen
flowtriq.com/under-attacktrue / falseSet to true on attack start, false on attack end
flowtriq.com/attack-familyudp_flood, syn_flood, tcp_flood, etc.Set on attack start, removed on attack end
flowtriq.com/attack-ppsPeak packets per second (integer)Set on attack start, removed on attack end

Use Cases

What you can build with this

Allocation filtering

Add a label selector to your GameServerAllocation so new players are never placed on a server that is actively under attack. The label propagates within seconds of detection.

Fleet autoscaling

Use a FleetAutoscaler list policy to count only healthy (non-attacked) servers. When servers get attacked and labeled, the autoscaler spins up replacements to maintain capacity.

Matchmaker steering

Query the Kubernetes API or Agones allocator for GameServers where flowtriq.com/under-attack != true. Move sessions away from attacked infrastructure without manual intervention.

Incident correlation

Every attack also opens an incident on the Flowtriq dashboard with full protocol breakdown, source IP analysis, and packet captures. The labels are the fast path; the dashboard is the investigation tool.

Example

Allocation with attack filtering

# Only allocate GameServers that are not under attack
apiVersion: allocation.agones.dev/v1
kind: GameServerAllocation
spec:
  required:
    matchLabels: {}
    matchExpressions:
      - key: flowtriq.com/under-attack
        operator: NotIn
        values: ["true"]

FAQ

Frequently Asked Questions

How does Flowtriq communicate with Agones?

The ftagent runs as a sidecar container alongside your game server. When an attack is detected, it calls the Agones SDK sidecar REST API at localhost:59358 to set labels on the GameServer resource. No cluster-wide RBAC or CRD access is needed.

What labels does Flowtriq set?

Three labels are applied on attack: flowtriq.com/under-attack (true/false), flowtriq.com/attack-family (e.g. udp_flood, syn_flood), and flowtriq.com/attack-pps (peak packets per second). All labels are cleared when the attack ends.

Can I use these labels for fleet scaling?

Yes. A FleetAutoscaler with a list policy can watch for GameServers where flowtriq.com/under-attack != true, effectively draining attacked servers and spinning up clean replacements. You can also use these labels in matchmaker queries to avoid placing new players on attacked servers.

Does this work with Agones Allocations?

Yes. You can add a label selector to your AllocationRequest so that allocated servers are never ones currently under attack. The label is set within seconds of detection, so the window between attack start and label propagation is minimal.

Do I need one ftagent per GameServer pod?

Yes. Each ftagent instance monitors the network interface inside its own pod and talks to the Agones sidecar running in the same pod. Deploy it as an additional container in your GameServer pod spec.

Which Agones versions are supported?

Any Agones version that exposes the SDK sidecar HTTP REST API (1.0+). The integration uses the standard /metadata/label endpoint, which has been stable since the initial Agones release.