Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
1-Second Detection
Know the instant traffic spikes. PPS checked every second.
Attack Classification
Identifies 8 attack types with protocol-level confidence scores.
Node Firewall Rules
Per-server iptables, null-routes, CDN rules & scripts.
Cloud Scrubbing
Auto-divert to Cloudflare, OVH, or Hetzner on attack detection.
BGP Mitigation
Auto-deploy FlowSpec, RTBH blackhole & rate-limiting via BGP.
Multi-Channel Alerts
Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks.
PCAP Capture
Full packet capture with AI-powered forensic analysis.
Layer 7 Detection
HTTP flood, credential stuffing, API abuse & bot detection.
Automated Runbooks
Chain mitigation steps into automated incident response playbooks.
Analytics Baselines Threat Intel & IOC Multi-Node Status Pages Correlation Audit Log Attack Profiles Flow Collection Mirror / SPAN Mode NEW
Learn
Documentation Quick Start API Reference Agent Setup DDoS Protection Landscape State of DDoS 2026 REPORT Free Certifications
Research & Guides
Mirai Botnet Kill Switch Research memcached Amplification Dynamic Baselines PCAP Forensics PagerDuty Setup
Company
About Us Partners Managed Protection Whitelabel / Reseller Affiliate Program Pay with Crypto System Status
Legal & Support
Contact Us Security Trust Center Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All Use Cases → Talk to Us →
Infrastructure
Hosting Providers ISPs MSPs/MSSPs Small Operators Routers Edge Node Defense Proxy Providers VPN Providers
Gaming & Entertainment
Game Server Hosting Game Studios Esports Platforms iGaming & Sportsbooks
Business & Emerging
SaaS Platforms E-Commerce Financial Services Compliance VoIP & Cloud Calling GPU & AI Cloud

Free Tool

MTU / MSS Calculator

Calculate the effective Maximum Segment Size (MSS) from your MTU, accounting for IP headers, TCP headers, and various network encapsulations.

Configuration

Additional encapsulation overhead

Overhead Breakdown

Understanding MTU and MSS

The Maximum Transmission Unit (MTU) is the largest packet size that can be sent over a network link without fragmentation. The Maximum Segment Size (MSS) is the largest amount of data in a single TCP segment — calculated as MTU minus IP header (20 bytes for IPv4, 40 bytes for IPv6) minus TCP header (20 bytes).

For a standard Ethernet connection with 1500-byte MTU: MSS = 1500 - 20 (IP) - 20 (TCP) = 1460 bytes. When encapsulation is added (VPN, VXLAN, GRE), the effective MTU decreases, reducing the MSS further.

Path MTU Discovery (PMTUD)

Path MTU Discovery is the process of determining the maximum packet size that can traverse a network path without fragmentation. It works by sending packets with the "Don't Fragment" (DF) bit set. If a router along the path has a smaller MTU, it sends back an ICMP "Fragmentation Needed" message.

You can test Path MTU on Linux with: ping -M do -s 1472 target.com (1472 + 28 bytes IP/ICMP header = 1500). Decrease the size until pings succeed to find the path MTU. On Windows, use: ping -f -l 1472 target.com.

Misconfigured MTU is a common cause of mysterious connection issues, especially with VPNs and tunnels. If TCP connections hang after the handshake or large packets get dropped, MTU mismatch is often the culprit. Flowtriq's PCAP capture feature can help diagnose these issues by capturing the actual packet sizes traversing your network.

Protect Your Infrastructure with Flowtriq

Deep packet analysis, real-time PPS monitoring, and PCAP capture for your network.

Start Your Free Trial

MTU Troubleshooting Guide

Common MTU issues and how to diagnose them.

Symptom: Small packets work, large transfers hang

Cause: Path MTU Discovery (PMTUD) is broken. An intermediate router is dropping ICMP "Fragmentation Needed" messages.
Fix: Run ping -M do -s 1472 [destination] and decrease size until it works. Set MTU to that value + 28 (IP+ICMP headers).

Symptom: VPN or tunnel performance is terrible

Cause: Tunnel overhead is not accounted for. GRE adds 24 bytes, IPsec adds 50-73 bytes, VXLAN adds 50 bytes.
Fix: Set the tunnel interface MTU to 1500 minus the encapsulation overhead. Use the calculator above to find the exact value.

Symptom: TCP connections stall after handshake

Cause: MSS clamping is not configured on your router/firewall. The TCP handshake uses small packets (fine), but data transfer uses full-size packets that get dropped.
Fix: Add MSS clamping: iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Quick Diagnostic Command

Run tracepath [destination] to discover the path MTU to any host. It probes each hop and reports the minimum MTU along the path.

Export your results

FAQ

Frequently Asked Questions

What MTU should I use for my network?

Standard Ethernet MTU is 1500 bytes. If using tunneling: GRE adds 24 bytes, IPsec tunnel adds 50–60 bytes, VXLAN adds 50 bytes — reduce inner MTU accordingly or enable jumbo frames (9000 bytes) on your core network. Mismatched MTU causes PMTUD black holes and intermittent connectivity issues.

How does MTU affect DDoS fragmentation attacks?

Attackers send packets deliberately sized to trigger fragmentation, overwhelming reassembly buffers. Detect via high rates of fragmented packets. For most server scenarios, iptables -A INPUT -f -j DROP drops all fragmented packets safely since legitimate modern traffic rarely fragments.

What is Path MTU Discovery (PMTUD) and why does it fail?

PMTUD lets TCP discover the maximum packet size for a path without fragmentation via ICMP Fragmentation Needed messages. PMTUD black holes occur when firewalls block ICMP, causing silently dropped oversized packets. Fix: allow ICMP type 3 code 4 through your firewall.