Why do DDoS tools create false positives?

Most DDoS tools use static thresholds (e.g. "alert if traffic exceeds 1 Gbps") that do not adapt to normal traffic fluctuations. Flash sales, marketing campaigns, game launches, and normal business hours can easily exceed a fixed threshold. Tools with short learning periods may also baseline on unrepresentative traffic, leading to false alerts when real patterns emerge.

How do false positives affect network operations?

False positives cause alert fatigue, where operators stop responding to alarms because too many are false. When blocking is automated, false positives can take down legitimate services, block real customers, and create outages that are worse than the attacks they were meant to prevent. Over time, teams either disable automated responses entirely or pad thresholds so high that real attacks go undetected.

What is adaptive baselining in DDoS detection?

Adaptive baselining uses a rolling window of historical traffic data to define what "normal" looks like for each server at any given time. Instead of a fixed threshold, the detection system calculates dynamic thresholds based on recent traffic patterns. Flowtriq uses sliding-window p99 baselines with 300 samples to set per-server thresholds that adapt to each server individual traffic profile.

How does Flowtriq reduce DDoS false positives?

Flowtriq uses three mechanisms: (1) sliding-window p99 baselines with 300 samples that adapt to each server normal traffic, (2) a 90-second startup grace period so the agent does not alert during initial baseline collection, and (3) 10-tick hysteresis before resolving an attack to prevent flapping. Together, these reduce false positives compared to static threshold systems.

Pain #2 of 9

Every DDoS tool blocks your own users

Static thresholds, short learning windows, and aggressive auto-blocking cause DDoS tools to treat legitimate traffic as attacks. The result is self-inflicted downtime that is worse than the threats they claim to prevent.

Start Free Trial → ← All 9 Problems

"Sometimes it blocks legitimate traffic. If a legitimate user is trying to access the server continuously, the product suspects that this is a DoS traffic file." [Enterprise DDoS Vendor] - Security Consultant, PeerSpot

"When it comes to some false positives, we need to tweak the system." [Leading Detection Tool] - Network Engineer, G2

"Adding 100-200% to peak values to reduce false positives." [Enterprise DDoS Vendor] - Security Architect, Forum

Our DDoS tool blocked Stripe. During Black Friday. The CEO called me directly.

See the full comic

Root causes

Why DDoS false positives happen

False positives are not a tuning problem you can fix with better thresholds. They are a structural problem with how most detection systems define "normal."

Static thresholds

Most tools ask you to set a fixed threshold: "alert if traffic exceeds X Gbps." But normal traffic is never constant. A game server at 2pm looks nothing like the same server at 10pm. A flash sale on Black Friday looks like an attack to any static threshold set for normal Tuesday traffic. Operators end up padding thresholds so high that real attacks slip through, or leaving them tight enough that normal spikes trigger blocks.

Short learning windows

Some tools offer "learning mode" that watches traffic for a few hours and sets a baseline. The problem is obvious: if the learning window does not capture your peak hours, weekend patterns, monthly billing cycles, or seasonal events, the baseline is wrong from day one. A few hours of observation cannot represent weeks of real traffic variation.

Aggressive auto-blocking

When detection is coupled with automatic blocking, false positives become outages. A tool that auto-blocks traffic above a threshold will drop legitimate connections without anyone making a decision. Enterprise vendors often recommend starting in "detection only" mode for weeks before enabling blocking, which means you are unprotected during the learning period.

Threshold flapping

When traffic oscillates near a threshold, detection toggles rapidly between "attack" and "clear" states. Each toggle can trigger alerts, mitigation actions, and withdraw sequences. A busy server hovering near its threshold can generate dozens of false alerts per day, training operators to ignore all alerts entirely.

The consequence

The false positive spiral

False positives create a predictable spiral. First, the tool alerts too often. Operators start ignoring alerts because most of them are false. Then a real attack hits and nobody responds because the team has been conditioned to treat every alert as noise. Management disables automated responses to prevent more self-inflicted outages. Now the tool is in detection-only mode with thresholds so padded that only catastrophic attacks trigger anything. At that point, you are paying for a very expensive log viewer.

The worst version of this is when a false positive triggers upstream mitigation. An RTBH announcement triggered by a false positive will blackhole all traffic to the target IP, creating a total outage for that server. If automated FlowSpec rules fire on a false positive, they can block entire traffic classes that include legitimate customer connections.

"We turned off auto-mitigation after it blackholed a customer's IP during a traffic spike from their own marketing campaign. Now we only use it for alerting, which means someone has to be awake at 3am to respond manually." [ISP] - Network Operations Lead, Forum Discussion

The technical fix

How adaptive baselining works

The alternative to static thresholds is a system that continuously learns what normal looks like for each individual server and adjusts its thresholds automatically.

Static threshold vs. adaptive baseline

Static threshold

Fixed at 1 Gbps regardless of time or pattern

Typical traffic (9am)

300 Mbps

Typical traffic (9pm)

750 Mbps

Flash sale event

900 Mbps (legitimate)

p99 adaptive baseline

Adjusts per-server based on rolling 300-sample window

A static threshold set at 1 Gbps will miss a 600 Mbps attack during morning hours (when normal traffic is 300 Mbps) but false-positive on a legitimate 900 Mbps flash sale event in the evening. The threshold is simultaneously too high and too low.

An adaptive baseline tracks what each server's traffic actually looks like over a rolling window and sets the detection threshold relative to that pattern. A 600 Mbps spike during a 300 Mbps baseline period is suspicious. A 900 Mbps spike during a period where traffic has been steadily climbing to 750 Mbps is probably not.

How Flowtriq addresses this

Three mechanisms that reduce false positives

Sliding-window p99 baselines

Flowtriq maintains a rolling window of 300 traffic samples per server and calculates the p99 value as the baseline. The threshold adjusts continuously as traffic patterns change. Each server gets its own baseline, so a busy web server and a quiet DNS server are not held to the same standard.

90-second startup grace period

When the agent first starts or restarts, it spends 90 seconds collecting baseline data before activating detection. This prevents the agent from alerting on whatever traffic happens to be flowing during the first few seconds of operation, which is a common source of false positives with tools that try to detect immediately.

10-tick hysteresis

Once an attack is detected, Flowtriq requires 10 consecutive below-threshold samples before declaring the attack resolved. This prevents the "flapping" problem where traffic oscillating near the threshold generates dozens of alert/clear cycles. The attack stays active until traffic is clearly and consistently below threshold.

Where we're still improving

Building a feedback loop so the system learns from user-marked false positives and adjusts future detection sensitivity. Adding time-of-day baseline awareness for servers with predictable traffic patterns, like gaming servers with evening peaks or e-commerce sites with weekend surges.

Adaptive baselines sound boring until they save your job at 3 AM.

See the full comic

Frequently asked questions

DDoS false positives: FAQ

Why do DDoS tools block legitimate traffic?

Most DDoS tools use fixed thresholds that do not account for normal traffic variation. When legitimate traffic spikes, like a flash sale, marketing campaign, or peak gaming hours, exceed the threshold, the tool treats it as an attack. If auto-blocking is enabled, real customers get dropped.

Can Flowtriq guarantee zero false positives?

No detection system can guarantee zero false positives. Any system that claims otherwise is either not detecting real attacks or is defining false positives away. What Flowtriq does is structurally reduce them through adaptive baselines, startup grace periods, and hysteresis. When a false positive does occur, the dashboard makes it easy to review and mark, and we are building a feedback loop to learn from those events.

What is p99 baselining?

P99 means the 99th percentile. In Flowtriq's context, the p99 baseline is the traffic level that is higher than 99% of recent samples. This means only truly exceptional traffic, the top 1% of historical readings, triggers detection. Normal peaks and daily traffic variation stay well below the threshold because they are part of the historical distribution.

What happens if Flowtriq detects a false positive?

Flowtriq's 4-tier escalation system is configurable. You control which mitigation actions (if any) are automated. If a false positive is detected, you can mark it in the dashboard and review the PCAP evidence. The system does not automatically trigger upstream BGP actions unless you configure it to do so, putting you in control of the risk tradeoff.