The Static Threshold Trap
The simplest approach to DDoS detection is to set a fixed packets-per-second (PPS) threshold. If inbound PPS exceeds 100,000, fire an alert. It is easy to implement, easy to understand, and almost guaranteed to produce either false positives or false negatives depending on what number you pick.
The fundamental problem is that "normal" traffic is not a constant. A game server running a popular title might idle at 5,000 PPS during off-hours and spike to 80,000 PPS when a patch drops and every player reconnects simultaneously. An e-commerce site sees 3x traffic on Black Friday. A media company's CDN origin spikes when a story goes viral. Set your threshold too low and you get paged for every legitimate traffic event. Set it too high and real attacks slide under the radar.
Most teams respond to this problem by setting the threshold high enough to avoid false positives, which means they only detect the largest attacks. A 2x traffic anomaly that would have been an early warning of a slowly ramping attack goes unnoticed because the threshold is set at 5x.
The Math Behind Dynamic Baselines
Flowtriq replaces static thresholds with dynamic baselines built on exponentially weighted moving averages (EWMA). The idea is conceptually simple: instead of comparing current traffic to a fixed number, compare it to what traffic looked like recently.
An EWMA computes a smoothed average where recent observations carry more weight than older ones. The formula is:
EWMA(t) = alpha * x(t) + (1 - alpha) * EWMA(t-1)
Where x(t) is the current observation and alpha is a smoothing factor between 0 and 1. A higher alpha means the average responds more quickly to recent changes. A lower alpha produces a more stable baseline that is less sensitive to short spikes.
Flowtriq uses two EWMA windows simultaneously:
- Fast window (alpha = 0.3): Reacts quickly to traffic changes. This baseline adapts within minutes and is used to detect sudden deviations from the current traffic pattern.
- Slow window (alpha = 0.05): Represents the longer-term traffic norm. This baseline takes hours to shift significantly and provides a stable reference point for detecting sustained anomalies.
An anomaly is flagged when the current value exceeds both the fast baseline by a configurable multiplier (default 3x) and the slow baseline by a separate multiplier (default 5x). This dual-window approach means that a gradual, legitimate traffic increase will shift the fast baseline upward and avoid triggering alerts, while a sudden attack will exceed both baselines simultaneously.
Convergence Time: 5 Minutes to Useful
One concern with baseline systems is the cold-start problem: what happens when you first deploy the agent and there is no historical data? Flowtriq addresses this with a bootstrap phase. During the first 5 minutes after agent startup, the system collects samples to initialize the EWMA with a reasonable starting point. During this phase, detection falls back to a conservative static threshold (based on the interface line rate) to provide coverage while baselines converge.
After 5 minutes, the fast baseline is typically within 15% of the true traffic mean. After 30 minutes, the slow baseline has converged sufficiently to provide robust anomaly detection. The agent reports its baseline convergence status in the dashboard so you can see exactly when detection transitions from bootstrap mode to full dynamic baseline detection.
In practice, we find that 5 minutes of baseline learning is sufficient to avoid false positives during normal traffic patterns. The agent begins providing useful anomaly detection almost immediately after deployment.
Handling Scheduled Traffic Events
Dynamic baselines solve the general case, but some traffic events are both large and predictable. Game patch days, marketing campaigns, and product launches can produce traffic patterns that exceed even generous dynamic thresholds. Flowtriq provides two mechanisms for these situations:
- Maintenance windows: You can schedule windows during which alerting is suppressed. The baselines continue to learn during this period, so they adapt to the new traffic level. Once the window closes, the baselines have already incorporated the higher traffic, reducing the chance of false alerts.
- Sensitivity profiles: Each node can be assigned a sensitivity profile that adjusts the multipliers. A game server with known spiky traffic might use a 5x fast multiplier instead of the default 3x, while a database server with very predictable traffic might use 2x for earlier detection.
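The dual-window EWMA scheme, bootstrap phase and sensitivity multipliers described above, as an added example that is not Flowtriq's code. The bootstrap length (5 samples), the static fallback limit, and the choice not to learn from samples that are being alerted on are assumptions; the PPS trace is constructed.

```python
"""Dual-window EWMA anomaly detector (added illustration, not Flowtriq's agent)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DualEwmaDetector:
    fast_alpha: float = 0.3       # fast window: adapts within minutes
    slow_alpha: float = 0.05      # slow window: long-term traffic norm
    fast_mult: float = 3.0        # sensitivity profile multipliers (post defaults 3x / 5x)
    slow_mult: float = 5.0
    bootstrap_samples: int = 5    # assumption: samples collected before baselines are trusted
    static_fallback: float = 1_000_000.0  # assumption: conservative PPS limit while bootstrapping
    fast: Optional[float] = None
    slow: Optional[float] = None
    n: int = 0

    def observe(self, x: float, suppressed: bool = False) -> dict:
        """Feed one PPS sample; returns the detection decision for that sample.
        suppressed=True models a maintenance window: no alert, baselines keep learning."""
        self.n += 1
        if self.fast is None:                    # seed both windows with the first sample
            self.fast = self.slow = x
            return {"mode": "bootstrap", "alert": x > self.static_fallback}
        if self.n <= self.bootstrap_samples:     # cold start: static threshold, keep learning
            self._learn(x)
            return {"mode": "bootstrap", "alert": x > self.static_fallback}
        # Compare against the baselines *before* folding the sample in: updating first
        # would let a single large spike drag the fast baseline up and mask itself.
        fast_ratio = x / max(self.fast, 1e-9)    # guard an all-zero idle baseline
        slow_ratio = x / max(self.slow, 1e-9)
        anomalous = fast_ratio > self.fast_mult and slow_ratio > self.slow_mult
        if not anomalous or suppressed:
            # Normal traffic (or a scheduled window) trains the baselines. Assumption:
            # alerted samples are not learned, so a sustained flood cannot ratchet the
            # baselines up until the attack reads as the new normal.
            self._learn(x)
        return {"mode": "dynamic", "alert": anomalous and not suppressed,
                "fast_ratio": round(fast_ratio, 2), "slow_ratio": round(slow_ratio, 2)}

    def _learn(self, x: float) -> None:
        self.fast = self.fast_alpha * x + (1 - self.fast_alpha) * self.fast
        self.slow = self.slow_alpha * x + (1 - self.slow_alpha) * self.slow


def run_scenario(detector: DualEwmaDetector) -> list:
    """Constructed PPS trace: idle bootstrap, a legitimate 2.4x ramp, then a sudden flood."""
    trace = [5000, 5000, 5000, 5000, 5000, 5000, 12000, 12000, 200000]
    return [detector.observe(x) for x in trace]
```

The ramp to 12,000 PPS stays under the 3x fast multiplier and is absorbed into the baselines, while the 200,000 PPS sample exceeds both windows and fires.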
What We Track Beyond PPS
PPS is the most commonly cited metric for DDoS detection, but it tells an incomplete story. Flowtriq computes dynamic baselines for multiple metrics simultaneously:
- Packets per second (PPS): The classic volumetric indicator. Useful for detecting packet floods like SYN floods, UDP floods, and ICMP floods.
- Bytes per second (BPS): Critical for detecting amplification attacks where packet counts may not be extreme, but bandwidth consumption is. A memcached amplification attack sending 1400-byte packets might show moderate PPS but astronomical BPS.
- New connections per second: Derived from SYN packet rates. A SYN flood targeting connection tables will spike this metric even if overall PPS looks normal.
- Protocol ratio: The TCP/UDP/ICMP distribution. A shift from the normal ratio often signals attack traffic that a single-metric detector would miss.
Each metric has its own independent EWMA baselines. An alert fires when any single metric triggers, and the alert includes which metrics deviated and by how much. This gives you immediate context about the type of attack without requiring manual traffic analysis.
Practical result: Teams using Flowtriq's dynamic baselines report an average 94% reduction in false-positive alerts compared to their previous static-threshold systems, while catching attacks 40% smaller on average.
Dynamic baselines are available on all Flowtriq plans starting at $9.99/mo per node. The sensitivity profiles and custom multipliers are configurable through the dashboard or the API. Start your free trial to see how baselines adapt to your specific traffic patterns.