Architecture: Network-Level vs. Server-Level
Arbor (now Netscout Arbor) is the incumbent standard for enterprise and service provider DDoS detection and mitigation. The platform consists of two primary components that operate at the network edge, well upstream of individual servers.
Arbor Sightline (formerly Peakflow) collects NetFlow, sFlow, or IPFIX data from routers and switches across your network. It builds traffic baselines, detects anomalies against those baselines, and provides network-wide visibility into traffic patterns. When it detects an attack, it can trigger mitigation actions including BGP-based traffic diversion to scrubbing infrastructure.
Arbor TMS (Threat Mitigation System) is the scrubbing component. When Sightline detects an attack and diverts traffic via BGP, TMS inspects the diverted traffic, filters out attack packets, and forwards clean traffic back to the network. TMS operates as a dedicated hardware appliance or virtual appliance positioned in the traffic path.
Flowtriq operates at a fundamentally different point in the infrastructure. Instead of analyzing flow data from network devices, it runs on each individual server and monitors the network interface directly. It sees every packet that arrives at the server, regardless of how it got there.
Internet Traffic
      |
      v
Border Routers (export NetFlow/sFlow to Sightline)
      |
      |-- [Attack detected] --> BGP diversion to TMS
      |                               |
      |                               v
      |                         TMS Scrubbing
      |                               |
      |                               v
      |<--- Clean traffic returned ---|
      |
      v
Core / Distribution Switches
      |
      v
Server (Flowtriq agent)
      |-- Per-second PPS/BPS monitoring
      |-- 2-second attack detection
      |-- Attack classification + confidence scoring
      |-- PCAP capture on detection
      |-- Alerts: Discord, Slack, PagerDuty, OpsGenie, etc.
      |
      v
Application Stack
This architecture means Arbor and Flowtriq have complementary visibility. Arbor sees aggregate network flows across routers and switches. Flowtriq sees actual packets on each server. The granularity, detection speed, and data types are different, which is why running both provides coverage that neither achieves alone.
What Flowtriq Adds to an Arbor Deployment
Per-Server Granularity
Arbor Sightline analyzes flow data exported by routers. sFlow is sampled by design, and NetFlow/IPFIX is almost always run in sampled mode on high-speed edge routers: the router inspects a statistical sample of packets (typically 1 in 1,000 or 1 in 4,096) and reports flow summaries extrapolated from that sample. Sampling is what lets flow export scale at the network edge, but it means Sightline's view is inherently statistical, not exact. A flow that contributes only a handful of sampled packets per export interval is indistinguishable from the normal variation in the sample.
More significantly, Sightline baselines and alarms on managed objects such as prefixes and customer groups, not on individual hosts. If you have 50 servers behind a /24 prefix, the anomaly detection runs against the total traffic to that prefix. Flow records do carry destination addresses, so per-host reports are possible, but any such breakdown is reconstructed from the same sampled records and does not tell you reliably how the traffic splits across the servers behind the prefix.
Flowtriq monitors the network interface on each server individually. You get exact PPS and BPS metrics for each server, per second. You can see that server-12 is receiving 40,000 PPS while server-13 next to it is receiving 2,000 PPS. This granularity is critical for understanding attack targeting, capacity planning, and incident response.
Detection Speed: 2 Seconds vs. Flow Intervals
Sightline's detection speed is bounded by flow export timing. A router holds a flow record until an active timeout (commonly tuned down to 60 seconds for DDoS use, with vendor defaults that can be far longer) or an inactive timeout expires, then exports it, and the collector needs one or more of those intervals of data before it can score an anomaly against its baseline. Even with aggressive export settings there is an inherent delay between when attack traffic starts and when Sightline has enough flow data to flag it. Detection times of 1-5 minutes are common in production Arbor deployments.
Flowtriq detects anomalies within a 2-second detection window. It processes packets in real time at the server's network interface with no sampling and no export interval delay. For short-duration attacks, pulse attacks, or attacks that ramp up gradually, Flowtriq detects them minutes before Sightline has enough data to flag an anomaly.
In DDoS detection, minutes matter. A 3-minute detection gap means 3 minutes of unmitigated attack traffic hitting your servers. Flowtriq's 2-second detection closes that gap at the server level while Arbor continues to provide network-wide visibility.
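To make the sampling and latency arguments above concrete, here is a small simulation added for this page; it is not code from Flowtriq or Arbor. It models a /24 of 50 servers, a router exporting 1-in-1,000 sampled flow records every 60 seconds, and a per-server agent that counts every packet over a 2-second window, then runs the same "more than 20% above baseline" rule against both views, once for the low-rate attack on one server used in the scenario later on this page and once for a volumetric one. The traffic figures, the Poisson model of sampling noise and the detection rule are constructed assumptions, not Sightline's or Flowtriq's actual algorithms.

```python
"""Added example (not Flowtriq or Arbor code): why prefix-level sampled flow data
misses a low-rate attack on one host and lags on a large one, while an exact
per-host, per-second counter sees both within seconds.

Constructed scenario (illustrative numbers, not measurements):
  * 50 servers share one /24, each with a 2,000 pps baseline and +/-3% jitter.
  * The router exports 1-in-1,000 sampled flow records every 60 s, aggregated
    per prefix. Sampling noise is modelled as Poisson.
  * The agent counts every packet per server and evaluates a 2-second window.
  * Both detectors alert when observed pps exceeds 120% of the baseline.
"""
import math
import random

SERVERS = 50
BASELINE_PPS = 2_000
JITTER = 0.03           # +/-3% benign per-server, per-second variation
SAMPLE_RATE = 1_000     # router samples 1 packet in 1,000
EXPORT_INTERVAL = 60    # seconds between flow exports
AGENT_WINDOW = 2        # seconds the per-server detector averages over
THRESHOLD = 1.20        # alert when observed pps > 120% of baseline
DURATION = 600          # seconds simulated
ATTACK_START = 200      # second at which the attack begins


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of packets the router actually samples
    when it expects `lam` of them."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def generate_traffic(target, attack_pps, seed=7):
    """Exact per-second packet counts: {second: [pps for each server]}."""
    rng = random.Random(seed)
    traffic = {}
    for t in range(DURATION):
        row = []
        for s in range(SERVERS):
            pps = BASELINE_PPS * (1 + rng.uniform(-JITTER, JITTER))
            if s == target and t >= ATTACK_START:
                pps += attack_pps
            row.append(int(pps))
        traffic[t] = row
    return traffic


def flow_detect(traffic, seed=11):
    """Flow-collector view: 1:N sampled, summed over the prefix, exported every
    interval. Returns the export time (seconds) of the first alert, or None."""
    rng = random.Random(seed)
    baseline = SERVERS * BASELINE_PPS
    sampled = 0
    for t in range(DURATION):
        sampled += poisson(rng, sum(traffic[t]) / SAMPLE_RATE)
        if (t + 1) % EXPORT_INTERVAL == 0:
            estimate = sampled * SAMPLE_RATE / EXPORT_INTERVAL  # extrapolated pps
            if estimate > baseline * THRESHOLD:
                return t + 1
            sampled = 0
    return None


def agent_detect(traffic, server):
    """Per-server agent view: exact counts over a 2-second window.
    Returns the time (seconds) of the first alert, or None."""
    for t in range(AGENT_WINDOW - 1, DURATION):
        window = [traffic[i][server] for i in range(t - AGENT_WINDOW + 1, t + 1)]
        if sum(window) / AGENT_WINDOW > BASELINE_PPS * THRESHOLD:
            return t + 1
    return None


def compare(attack_pps, target=12):
    """Time-to-detect for both views of the same attack on one server."""
    traffic = generate_traffic(target, attack_pps)
    return {"flow": flow_detect(traffic), "agent": agent_detect(traffic, target)}


if __name__ == "__main__":
    # Attack starts at t=200. The flow view never sees the +500 pps case and
    # reports the +50,000 pps case at the next export; the agent sees both in
    # its 2-second window.
    print("low-rate   (+500 pps on one host):   ", compare(500))
    print("volumetric (+50,000 pps on one host):", compare(50_000))
```

The low-rate attack adds about 30 sampled packets to an export interval whose sampled count already fluctuates by roughly 80 either way, so no threshold that avoids false positives will catch it from the sampled prefix total; the same 500 pps is a 25% step on the attacked server's own counter. The volumetric attack is caught by both, but the flow view reports it at the first export boundary after it starts, 40 seconds later in this run, versus 1 second for the agent.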
PCAP Forensics
Arbor works with flow data (NetFlow/sFlow/IPFIX), not raw packets. Flow records contain metadata about traffic flows (source IP, destination IP, ports, protocol, byte counts, packet counts) but do not contain actual packet payloads. When Arbor detects an attack, you get flow-level statistics but no packet-level evidence.
Flowtriq captures PCAP data automatically when it detects an incident. The capture includes full packet headers and a configurable amount of payload. This gives you source IP lists, protocol details, payload analysis, and timing information that you can open in Wireshark or feed into your SIEM. For incident response, compliance, and upstream provider communication, PCAP data is often the single most valuable artifact. Note that captured payloads can contain customer data, so set the payload length and retention of these captures to match how you already handle packet captures elsewhere.
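As an added example (not Flowtriq's code), the following stdlib-only script reads a libpcap file of the kind the agent produces and reduces it to the artifact you usually need first: top sources, source ports, packet rate, and how much of the UDP traffic arrives from well-known amplification ports. The capture it parses is constructed inline so the script runs offline; the reflector port list and the Ethernet/IPv4 framing assumptions are mine, and the target and source addresses are documentation ranges.

```python
"""Added example (not Flowtriq code): a stdlib-only reader for the classic
libpcap format that turns a capture into the summary you hand to an upstream
provider or push into a SIEM: top source IPs, top UDP source ports, packet
rate, and the share of UDP bytes arriving from common amplifier ports.

The capture below is constructed in this script so it runs offline; a real
capture would be read with open(path, "rb").read().
"""
import json
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4            # microsecond pcap, written little-endian
LINKTYPE_ETHERNET = 1
REFLECTOR_PORTS = {19, 53, 111, 123, 161, 389, 1900, 11211}  # assumed list


def parse_pcap(data):
    """Yield (ts, src_ip, dst_ip, proto, sport, dport, length) per IPv4 packet."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4                           # header length in bytes
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:              # TCP/UDP ports
            sport, dport = struct.unpack("!HH", l4[:4])
        yield (ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport, orig_len)


def summarize(packets, top=5):
    """The numbers you report upstream: who, from which ports, how fast."""
    packets = list(packets)
    by_src = Counter(p[1] for p in packets)
    by_sport = Counter(p[4] for p in packets if p[3] == 17)
    udp_bytes = sum(p[6] for p in packets if p[3] == 17)
    reflect_bytes = sum(p[6] for p in packets if p[3] == 17 and p[4] in REFLECTOR_PORTS)
    span = max(p[0] for p in packets) - min(p[0] for p in packets)
    return {
        "packets": len(packets),
        "duration_s": round(span, 3),
        "pps": round(len(packets) / span, 1) if span else None,
        "top_sources": by_src.most_common(top),
        "top_udp_sports": by_sport.most_common(top),
        "udp_reflector_share": round(reflect_bytes / udp_bytes, 2) if udp_bytes else 0.0,
    }


def _eth_ipv4(src_ip, dst_ip, proto, l4):
    """Constructed Ethernet + IPv4 frame (checksums left zero; not verified)."""
    eth = b"\x00" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def build_sample_pcap():
    """Constructed capture: 40 NTP-style reflection packets (UDP sport 123) from
    8 reflectors plus 5 ordinary TCP SYNs to port 443."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]

    def add(ts_us, frame):
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)

    reflectors = [f"198.51.100.{i}" for i in range(1, 9)]
    for n in range(40):
        udp = struct.pack("!HHHH", 123, 40000 + n, 448, 0) + b"\x00" * 440
        add(n * 25_000, _eth_ipv4(reflectors[n % 8], "203.0.113.10", 17, udp))
    for n in range(5):
        tcp = struct.pack("!HHIIBBHHH", 50000 + n, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
        add(n * 200_000, _eth_ipv4(f"192.0.2.{n + 1}", "203.0.113.10", 6, tcp))
    return b"".join(out)


if __name__ == "__main__":
    print(json.dumps(summarize(parse_pcap(build_sample_pcap())), indent=2))
```

The source-port histogram is the key field when talking to an upstream: a UDP flood whose source ports are almost all 123 or 53 is reflection, so the listed sources are open reflectors rather than the attacker, and the useful upstream action is a rate limit on that source port toward your prefix, not a blocklist of those IPs.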
Modern Alerting Channels
Arbor Sightline typically alerts through SNMP traps, syslog, email, and its own web console. Integrating these alerts into modern incident response workflows requires middleware — a syslog aggregator, a SIEM, or custom scripts to bridge to Slack or PagerDuty.
Flowtriq sends alerts natively to Discord, Slack, PagerDuty, OpsGenie, email, SMS, and custom webhooks. If your application team lives in Discord or your NOC uses PagerDuty, Flowtriq alerts arrive there directly with full incident context. No middleware, no custom integration work.
Cost: $9.99/Node vs. Six Figures
Arbor Sightline and TMS are enterprise products with enterprise pricing. A typical Arbor deployment — Sightline appliance plus one or more TMS units — runs well into six figures for hardware, licensing, and annual maintenance contracts. This pricing is appropriate for large service providers and enterprises that need network-wide flow analysis and scrubbing capacity.
Flowtriq is $9.99 per node per month ($7.99 on annual billing). A 100-server deployment costs $999/month or $799/month on annual billing. This is not a replacement for Arbor's network-level capabilities, but it adds per-server detection depth, PCAP forensics, and modern alerting at a cost that does not require a capital expenditure request.
Deploying Flowtriq Alongside Arbor
Flowtriq installs on each server in your Arbor-monitored infrastructure. It does not interact with Arbor's components, does not require access to your network devices, and does not modify traffic flows. The two systems operate independently and provide complementary data.
# Install the Flowtriq agent
# (--break-system-packages overrides the PEP 668 protection of the
#  distro-managed Python; use a virtualenv or pipx if your policy forbids that)
pip install ftagent --break-system-packages

# Run the setup wizard
sudo ftagent --setup
Configure the agent for your environment:
# /etc/ftagent/config.yaml
# Contains a credential: keep this file root-owned with mode 0600.
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "eth0"

detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s

pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s

tags:
  role: "web-server"
  datacenter: "dc-east-1"
  rack: "rack-14"
  arbor_managed: "true"
The arbor_managed: "true" tag is a useful organizational flag that lets you filter for servers in your Arbor-managed infrastructure from the Flowtriq dashboard.
For large deployments, use configuration management (Ansible, Puppet, Chef, or Salt) to deploy the agent across your fleet:
# Ansible example: deploy Flowtriq agent across all servers
# roles/flowtriq/tasks/main.yml
- name: Install Flowtriq agent
  ansible.builtin.pip:
    name: ftagent
    state: present
    extra_args: --break-system-packages   # same flag as the manual install above

- name: Deploy Flowtriq configuration
  ansible.builtin.template:
    src: ftagent-config.yaml.j2
    dest: /etc/ftagent/config.yaml
    owner: root
    group: root
    mode: '0600'                          # the file carries the API key
  notify: Restart Flowtriq agent

- name: Enable and start Flowtriq agent
  ansible.builtin.systemd:
    name: ftagent                         # requires an ftagent unit on the host
    enabled: yes
    state: started

# roles/flowtriq/handlers/main.yml
# Restart on config change so a rotated key or new thresholds take effect.
- name: Restart Flowtriq agent
  ansible.builtin.systemd:
    name: ftagent
    state: restarted
Complementary Alert Routing
One of the practical benefits of running Arbor and Flowtriq together is that you can route alerts to the right teams based on the type and source of the detection.
Arbor Alerts: Network Operations Center (NOC)
Arbor Sightline detections represent network-level events — large volumetric attacks, BGP anomalies, aggregate traffic shifts. These are best handled by your network operations team who have access to router configurations, BGP policies, and Arbor TMS controls. Route Arbor alerts to your NOC's existing SNMP/syslog pipeline, ITSM platform, or network operations Slack channel.
Flowtriq Alerts: Application/Security Team
Flowtriq detections represent server-level events — attacks that reached individual servers, application-layer anomalies, traffic patterns that affect specific services. These are best handled by your application team or security operations team who can take server-level actions (firewall rules, application configuration, service scaling). Route Flowtriq alerts to Discord, Slack, or PagerDuty channels monitored by these teams.
# Recommended alert routing
Arbor Sightline alerts:
  → NOC SNMP trap receiver
  → Network operations Slack channel (#noc-alerts)
  → ITSM platform (ServiceNow, Jira Service Management)

Flowtriq alerts:
  → Security operations Discord/Slack (#security-alerts)
  → PagerDuty for on-call application engineer
  → OpsGenie for critical incident escalation
  → Webhook to SIEM for correlation
This routing strategy means each team gets the alerts relevant to their scope. The NOC handles network-level events with network-level tools. The application/security team handles server-level events with server-level tools. Both teams have independent visibility without alert fatigue from events outside their scope.
Real-World Scenario: What Arbor Misses
Consider a realistic attack scenario against an enterprise with both Arbor and Flowtriq deployed.
- Phase 1: Volumetric distraction — The attacker launches a 20 Gbps UDP reflection flood targeting your public prefix. Arbor Sightline detects the volumetric anomaly within its flow export interval (typically 1-2 minutes), triggers BGP diversion, and TMS scrubs the attack traffic. NOC is alerted. This is exactly what Arbor is designed to handle, and it handles it well.
- Phase 2: Targeted application attack — Simultaneously, the attacker runs a low-rate, slow-POST HTTP attack against a specific web server, on the order of 500 requests per second that hold connections open rather than pushing volume. Against the prefix's aggregate baseline this is far below Sightline's volumetric thresholds, and at 1-in-1,000 sampling it contributes well under one sampled packet per second, lost in the statistical noise of the sampled flow data. Sightline does not detect it because, in the prefix-level sampled view, it does not register as an anomaly.
- Flowtriq detects Phase 2 — The Flowtriq agent on the targeted web server detects the abnormal connection pattern within 2 seconds. It classifies the attack as a slow-POST/application-layer attack, begins PCAP capture, and sends alerts to the security team's PagerDuty and Discord channels.
- Response — The security team reviews the Flowtriq incident, downloads the PCAP, identifies the source IP ranges, and configures application-level mitigation (request timeouts, connection limits, or WAF rules). The NOC handles the volumetric component through Arbor. Both teams work their respective incidents independently with the right tools and data.
Without Flowtriq, Phase 2 goes undetected. The volumetric distraction is mitigated successfully, but the application-layer attack continues silently. Users experience degraded performance or outages, and when the team investigates, there is no PCAP evidence, no detection timestamp, and no alert trail for the server-level event.
Arbor vs. Flowtriq: Strengths by Layer
Arbor excels at:
- Network-wide traffic visibility across routers, switches, and peering points
- Volumetric attack detection and BGP-based traffic diversion
- Inline traffic scrubbing with TMS at multi-gigabit throughput
- Historical traffic trending and capacity planning at the network level
- Service provider and large enterprise environments with dedicated NOC teams
Flowtriq excels at:
- Per-server, per-second detection granularity that flow data cannot provide
- 2-second detection vs. flow-interval-dependent detection (minutes)
- PCAP forensics — raw packet evidence that flow data does not capture
- Application-layer and low-rate attack detection below Arbor's sampling thresholds
- Modern alerting to Discord, Slack, PagerDuty without middleware
- Rapid deployment ($9.99/node, pip install, minutes to production) vs. Arbor's hardware and licensing cycle
Together:
- Network-level scrubbing (Arbor) plus server-level detection (Flowtriq)
- Flow-based anomaly detection (Arbor) plus packet-based forensics (Flowtriq)
- NOC-oriented alerting (Arbor) plus application-team-oriented alerting (Flowtriq)
- Complete coverage from network edge to individual server
Arbor and Flowtriq are not competitors. They operate at different layers, see different data, and serve different teams. Running both gives you defense in depth that neither achieves alone.
Common Questions
Does Flowtriq replace Arbor?
No. Flowtriq does not provide network-level flow analysis, BGP-based traffic diversion, or inline traffic scrubbing. If you need those capabilities, you need Arbor (or an equivalent network-level platform). Flowtriq adds per-server detection depth, PCAP forensics, and modern alerting that complement Arbor's network-level view.
Does Flowtriq require access to our routers or Arbor appliances?
No. Flowtriq installs on individual servers and communicates outbound to Flowtriq's API. It does not need SNMP access to routers, NetFlow data feeds, or connectivity to your Arbor Sightline or TMS appliances. The two systems are completely independent.
Can Flowtriq trigger Arbor TMS scrubbing?
Not directly. Flowtriq does not currently integrate with Arbor's API for automated TMS activation. However, Flowtriq's webhook alerting can be used to trigger custom automation that interfaces with your Arbor deployment. Some customers use Flowtriq webhooks to trigger scripts that call Arbor's REST API to initiate mitigation when a server-level detection occurs.
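If you do wire a Flowtriq webhook into mitigation automation, the receiver becomes a lever that can divert traffic for a prefix, so it needs more care than a chat notification. The following is an added example, not Flowtriq's or Arbor's code, of the checks such a receiver should make before it requests mitigation: verify the payload's HMAC, reject stale or replayed deliveries, deduplicate by incident, ignore low-confidence classifications, and rate-limit per target. The page does not document the webhook format, so the `X-Signature` and `X-Timestamp` headers, the signing scheme, and the `incident_id`, `target` and `confidence` body fields are all assumptions; the actual call into Arbor's REST API is left to the "trigger" branch and is not attempted here.

```python
"""Added example (not Flowtriq or Arbor code): a gate between a server-level
alert webhook and network-level mitigation. Anything that can trigger a BGP
diversion is itself a denial-of-service lever, so the receiver checks the
payload came from the alert source, rejects replays, and rate-limits per target.

Assumed webhook format (the page does not document one): the sender puts a hex
HMAC-SHA256 of (timestamp + "." + body) in X-Signature and the unix timestamp
in X-Timestamp; the JSON body carries incident_id, target and confidence.
"""
import hashlib
import hmac
import json

MAX_SKEW_S = 300        # reject deliveries more than 5 minutes old or from the future
COOLDOWN_S = 900        # at most one mitigation request per target per 15 minutes
MIN_CONFIDENCE = 0.8    # never divert traffic on a low-confidence classification


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the (assumed) sender computes; used here to build the demo requests."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class MitigationGate:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()       # bound this with a TTL in a long-running service
        self.last_trigger = {}      # target -> time of the last mitigation request

    def evaluate(self, headers: dict, body: bytes, now: int):
        """Return (decision, reason); decision is 'trigger', 'ignore' or 'reject'."""
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "reject", "missing or malformed timestamp"
        if abs(now - ts) > MAX_SKEW_S:
            return "reject", "timestamp outside replay window"
        expected = sign(self.secret, ts, body)
        # constant-time comparison: a plain == leaks the prefix of a valid MAC
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "reject", "bad signature"
        try:
            alert = json.loads(body)
            incident, target = alert["incident_id"], alert["target"]
            confidence = float(alert["confidence"])
        except (ValueError, KeyError, TypeError):
            return "reject", "malformed alert body"
        if incident in self.seen_ids:
            return "ignore", "duplicate incident_id"
        self.seen_ids.add(incident)
        if confidence < MIN_CONFIDENCE:
            return "ignore", "confidence below mitigation threshold"
        last = self.last_trigger.get(target)
        if last is not None and now - last < COOLDOWN_S:
            return "ignore", "target already under mitigation cooldown"
        self.last_trigger[target] = now
        # This is where a real receiver would call Arbor's REST API to start
        # mitigation for `target`; that call is deliberately not modelled here.
        return "trigger", f"request mitigation for {target}"


if __name__ == "__main__":
    secret = b"shared-webhook-secret"          # constructed for the demo
    gate = MitigationGate(secret)
    body = json.dumps({"incident_id": "inc-1", "target": "203.0.113.10",
                       "confidence": 0.95}).encode()
    good = {"X-Timestamp": "1000", "X-Signature": sign(secret, 1000, body)}
    print(gate.evaluate(good, body, now=1000))               # trigger
    print(gate.evaluate(good, body, now=1000))               # ignore: duplicate
    print(gate.evaluate(good, body, now=5000))               # reject: stale
    forged = dict(good, **{"X-Signature": "00" * 32})
    print(gate.evaluate(forged, body, now=1000))             # reject: bad signature
```

Keep the receiver's outbound rights minimal as well: the credential it uses against Arbor should be able to start a mitigation for a constrained set of managed objects and nothing else, so a compromise of the webhook host cannot redirect traffic for prefixes it has no business touching.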
How does pricing compare?
Arbor deployments typically involve six-figure capital expenditure for hardware plus annual maintenance and licensing. Flowtriq is $9.99/node/month with no hardware, no licensing, and no minimum commitment. A 100-node Flowtriq deployment costs $999/month, about $12,000 per year, which is less than a single year of Arbor maintenance. The products serve different purposes at different price points: Flowtriq is not a budget replacement for Arbor, it is an additional detection layer at an accessible price point.