Blog

Attack postmortems.
Engineering deep-dives.

Practical guides from engineers who've been DDoS'd and learned from it.

Mitigations

BGP FlowSpec for DDoS mitigation: how surgical filtering replaces blunt blackholes

FlowSpec lets you drop attack traffic at the network edge without blackholing legitimate users. How it works, when to use it, and how Flowtriq automates it.

Mitigations

4-level auto-escalation: from local firewall to cloud scrubbing in seconds

Flowtriq's auto-escalation chain — iptables/nftables → BGP FlowSpec → RTBH → cloud scrubbing — expla...

14 min read →
Integrations

How to configure Path.net with a custom BGP adapter on Flowtriq

Step-by-step guide to setting up Path.net as a cloud scrubbing upstream in Flowtriq using a custom BGP adapter...

12 min read →
Integrations

How to configure Voxility with a custom BGP adapter on Flowtriq

Complete walkthrough for integrating Voxility's DDoS scrubbing with Flowtriq via a custom BGP adapter — BGP ...

12 min read →
Fundamentals

DDoS detection for ISPs: a practical deployment guide

Why ISPs need per-node detection instead of NetFlow sampling, how to deploy across edge routers, and how Flowt...

14 min read →
Fundamentals

How MSPs can offer DDoS protection as a managed service

The revenue opportunity, multi-tenant architecture, per-client escalation policies, and pricing strategies for...

12 min read →
Fundamentals

How to choose a cloud scrubbing provider (and integrate it with your detection)

Cloudflare Magic Transit, OVH VAC, Path.net, Voxility, and more compared on capacity, latency, pricing, and BG...

13 min read →
Fundamentals

DDoS protection for fintech: meeting PCI DSS, SOC 2, and DORA requirements

How to satisfy PCI DSS 4.0, SOC 2, and DORA audit requirements for DDoS protection with audit trails, PCAP evi...

13 min read →
Fundamentals

The complete guide to DDoS protection for game server hosting

Why game servers are the #1 DDoS target, how to tune per-game thresholds, and how auto-escalation keeps player...

15 min read →
Fundamentals

DDoS protection for ecommerce: protecting revenue during peak traffic

The cost of downtime during sales events, why dynamic baselines prevent false positives on traffic spikes, and...

12 min read →
Engineering

How to eliminate DDoS false positives without missing real attacks

Dynamic baselines, per-protocol classification, attack fingerprinting, and maintenance windows — the techniq...

11 min read →
Fundamentals

DDoS protection for SaaS platforms: uptime without the enterprise price tag

Multi-cloud detection, 1-second alerting, and auto-escalation for SaaS platforms that can't afford 8.7 hours o...

12 min read →
Comparisons

Best DDoS protection services in 2026: complete buyer's guide

Comprehensive overview of cloud scrubbers, hardware appliances, and detection tools — Cloudflare, Akamai, AW...

14 min read →
Comparisons

Best DDoS detection tools in 2026

In-depth comparison of seven detection tools — Flowtriq, FastNetMon, Kentik, Arbor Sightline, Wanguard, ntop...

12 min read →
Comparisons

Best cloud-based DDoS protection services in 2026

Detailed comparison of Cloudflare, Akamai Prolexic, AWS Shield, Google Cloud Armor, Azure DDoS, Imperva, Sucur...

13 min read →
Comparisons

Best hardware DDoS appliances in 2026

Buyer's guide to on-premise DDoS appliances: Arbor TMS, Radware DefensePro, Corero SmartWall, F5 BIG-IP, A10 T...

12 min read →
Post-Mortem

OVHcloud 2024: 840 million packets per second and the MikroTik problem

How compromised MikroTik routers were weaponized for packet-rate attacks peaking at 840 Mpps, why PPS matters ...

13 min read →
Post-Mortem

HTTP/2 Rapid Reset: the zero-day that hit 398M requests per second

CVE-2023-44487 exploited HTTP/2 stream multiplexing to generate the largest application-layer DDoS ever record...

13 min read →
Post-Mortem

AWS 2020: dissecting the 2.3 Tbps CLDAP reflection attack

A technical post-mortem of the February 2020 CLDAP reflection attack — 2.3 Tbps of amplified traffic via UDP...

12 min read →
Post-Mortem

GitHub 2018: inside the 1.35 Tbps memcached DDoS that changed everything

How a 15-byte UDP request to exposed memcached servers generated 1.35 Tbps of amplified traffic — no botnet ...

14 min read →
Post-Mortem

Dyn 2016: how 100,000 IoT devices took down half the internet

Three waves of DNS query floods from a Mirai botnet brought Dyn's managed DNS to its knees, taking Twitter, Ne...

15 min read →
Attack Analysis

The 10 largest DDoS attacks in history (and what we learned)

From the 300 Gbps Spamhaus attack to 5.6 Tbps Mirai variants — the biggest DDoS attacks ever recorded, what ...

13 min read →
Comparisons

Flowtriq vs Cloudflare DDoS Protection: detection depth compared

Cloudflare proxies and scrubs traffic at the edge. Flowtriq monitors at the server level with per-second PPS d...

12 min read →
Comparisons

Flowtriq vs Akamai Prolexic: enterprise scrubbing vs server-level detection

Prolexic is a cloud scrubbing center for enterprise DDoS mitigation. Flowtriq is per-node detection and forens...

11 min read →
Comparisons

Flowtriq vs Google Cloud Armor: GCP-native vs infrastructure-wide detection

Cloud Armor protects GCP workloads at the load balancer. Flowtriq runs on any Linux server anywhere. How to ch...

10 min read →
Comparisons

Flowtriq vs Azure DDoS Protection: cloud-native vs host-level detection

Azure DDoS Protection defends Azure resources at the platform level. Flowtriq gives you per-second detection, ...

10 min read →
Comparisons

Flowtriq vs Arbor/Netscout: flow-based detection vs per-server monitoring

Arbor Sightline uses NetFlow and sFlow for network-wide visibility. Flowtriq reads kernel counters per-node fo...

12 min read →
Comparisons

Flowtriq vs Radware DefensePro: inline appliance vs software detection

DefensePro is a hardware appliance for inline DDoS mitigation. Flowtriq is a lightweight agent for detection a...

11 min read →
Comparisons

Flowtriq vs Corero SmartWall: real-time scrubbing vs real-time detection

SmartWall mitigates DDoS inline at the network edge. Flowtriq detects and classifies attacks at the server lev...

10 min read →
Comparisons

Flowtriq vs F5 Silverline: managed scrubbing vs self-hosted detection

Silverline is F5's managed DDoS protection service. Flowtriq is a self-hosted detection agent. How they compar...

10 min read →
Comparisons

Flowtriq vs FastNetMon: DDoS detection compared

Flow-based sampling vs per-server monitoring — a deep comparison of detection methods, attack classification...

12 min read →
Comparisons

Flowtriq vs Kentik: network observability vs DDoS detection

A broad network observability platform versus a purpose-built DDoS detection tool — what each does best, whe...

11 min read →
Comparisons

Cloudflare DDoS alternatives: 7 options compared for 2026

Looking beyond Cloudflare for DDoS protection? We compare AWS Shield, Akamai Prolexic, Radware, Fastly, Imperv...

13 min read →
Comparisons

Akamai Prolexic alternatives: enterprise DDoS protection compared

Prolexic pricing too high or deployment too complex? Here are the best alternatives for enterprise-grade DDoS ...

12 min read →
Comparisons

AWS Shield alternatives: DDoS protection beyond AWS

AWS Shield Advanced costs $3,000/month before data fees. Here are alternatives that provide DDoS detection and...

11 min read →
Comparisons

Arbor/Netscout alternatives: network DDoS detection compared

Exploring alternatives to Arbor Sightline and TMS? We compare FastNetMon, Kentik, Flowtriq, Wanguard, and othe...

12 min read →
Comparisons

Radware alternatives: DDoS appliance and cloud options compared

Comparing alternatives to Radware DefensePro and Cloud DDoS Protection — from hardware appliances to cloud s...

11 min read →
Comparisons

Corero SmartWall alternatives: inline DDoS mitigation compared

Looking beyond Corero for real-time DDoS mitigation? We compare Arbor TMS, Radware DefensePro, A10 Thunder, an...

10 min read →
Comparisons

FastNetMon alternatives: open-source and commercial DDoS detection

Outgrowing FastNetMon Community or evaluating FastNetMon Advanced? Here are the best alternatives for flow-bas...

11 min read →
Integrations

Using Cloudflare with Flowtriq: complete integration guide

How to pair Cloudflare's edge scrubbing with Flowtriq's server-level detection for full-stack DDoS visibility ...

12 min read →
Integrations

Using AWS Shield with Flowtriq: detection beyond CloudWatch

AWS Shield protects at the VPC level. Flowtriq adds per-instance PPS detection, attack classification, and PCA...

11 min read →
Integrations

Using Arbor/Netscout with Flowtriq: flow + host detection

Arbor gives you network-wide flow visibility. Flowtriq gives you per-server detection and packet capture. Toge...

11 min read →
Integrations

Using Google Cloud Armor with Flowtriq: GCP DDoS detection guide

Cloud Armor handles L3/L4 at the load balancer. Flowtriq monitors your GCE instances directly. How to set up b...

10 min read →
Integrations

Using Azure DDoS Protection with Flowtriq: full-stack detection

Azure DDoS Protection works at the platform layer. Flowtriq adds host-level PPS monitoring, classification, an...

10 min read →
Fundamentals

Top 10 server misconfigurations that invite DDoS attacks

Open DNS resolvers, disabled SYN cookies, exposed Memcached — the most common server misconfigs that turn yo...

11 min read →
Fundamentals

10 security mistakes that get infrastructure engineers fired

From ignoring alerts to running production without detection — the mistakes that turn small incidents into c...

12 min read →
Attack Analysis

How to detect Mirai C2 traffic on bare metal

Mirai botnet traffic has distinct fingerprints in kernel counters and packet logs. Spot scanning, C2 command t...

9 min read →
Mitigations

SYN flood detection without a cloud WAF

You don't need Cloudflare or AWS Shield to detect SYN floods. The data you need is in /proc/net/snmp and your ...

8 min read →
Attack Analysis

Memcached amplification: detection, evidence & what to tell your upstream

The 50,000x amplification factor explained at the packet level, a ready-to-use NOC email template, and the exa...

10 min read →
Engineering

What 47,000 PPS looks like in /proc/net/snmp

A real walkthrough of kernel counters during a high-PPS attack — how to read them, what they mean, and how t...

7 min read →
Engineering

Setting up DDoS alerting for a 50-server game hosting cluster

Game servers have unique traffic profiles that make generic alerting useless. How to tune per-game thresholds ...

9 min read →
Fundamentals

Why your network slows after 10pm (it's usually not what you think)

Six causes of late-night slowdowns ranked by likelihood, with exact diagnostic commands to identify each one b...

7 min read →
Tools

DDoS analysis tools: what to run during and after an attack

A practical breakdown of which tools to use at each stage of a DDoS incident — from iftop during the attack ...

10 min read →
Comparisons

Flowtriq vs AWS Shield: comparing DDoS logs and detection data

An honest comparison of Shield Standard, Shield Advanced, and Flowtriq — including specific data fields, det...

11 min read →
Fundamentals

How to trace network anomalies on AWS and Azure

VPC Flow Logs and NSG Flow Logs have a 10-minute aggregation lag. How to combine cloud-level and host-level da...

9 min read →
Fundamentals

Packet loss explained: causes, detection & how to fix it

From ring buffer overflows to DDoS-induced drops — what packet loss is at the kernel level, how to measure i...

10 min read →
Fundamentals

Ultimate network troubleshooting guide for infrastructure engineers

A complete L2–L7 decision tree with copy-paste commands for diagnosing any network issue: physical errors, r...

14 min read →
Fundamentals

Flowtriq threat detection: common symptoms and what they mean

Eight network symptoms explained as attack type, cause, detection data, and mitigation — so you know exactly...

8 min read →
Fundamentals

The real cost of undiagnosed network issues

Most DDoS attacks never fully take a site down — they just degrade it. How sub-threshold attacks silently dr...

8 min read →
Fundamentals

Network performance myths debunked (that are costing you time)

Eight widely-held beliefs about DDoS and network performance that are simply wrong — explained with the kern...

9 min read →
Engineering

Flowtriq at scale: what we learned monitoring 1M+ endpoints

Attack patterns, false positive causes, time-of-day trends, and detection engine changes after analyzing milli...

10 min read →
Fundamentals

TCP, UDP, and BGP explained for infrastructure engineers

What infrastructure engineers need to know about each protocol in the context of DDoS: handshake mechanics, am...

12 min read →
Attack Analysis

DNS amplification attacks: detection, analysis & mitigation

Complete guide to DNS amplification DDoS attacks. Learn how they work at the protocol level, what the traffic ...

12 min read →
Fundamentals

How to detect a DDoS attack: signs, tools & response steps

A practical guide for infrastructure teams on identifying DDoS attacks early, choosing the right monitoring to...

10 min read →
Attack Analysis

Detecting memcached amplification before it hits 1Tbps

memcached amplification attacks can reach 50,000x amplification. Here's exactly what the traffic looks like at...

8 min read →
Fundamentals

DDoS protection for small business: affordable security that works

You don't need an enterprise budget to protect against DDoS attacks. Practical, budget-friendly strategies tha...

9 min read →
Engineering

Why static thresholds fail and what we use instead

Setting a fixed PPS threshold sounds simple until you have game servers that spike 10x on a new patch day. We ...

5 min read →
Mitigations

UDP flood mitigation: techniques that actually work

UDP floods are the most common volumetric DDoS attack. Here are proven mitigation strategies from iptables rul...

11 min read →
Forensics

What your PCAP can tell your ISP (and what it can't)

Most ISPs will ask for a PCAP when you request a null-route or BGP blackhole. Here's how to read what Flowtriq...

10 min read →
Mitigations

BGP blackhole routing: RTBH for DDoS mitigation

When a volumetric DDoS attack threatens your entire network, BGP blackhole routing stops the flood at the netw...

10 min read →
Integrations

PagerDuty escalation policies for DDoS incidents

Not every attack warrants waking up the on-call engineer. We walk through how to set up severity-based escalat...

6 min read →
Mitigations

iptables rules to survive a SYN flood while you wait for upstream mitigation

When you're under a SYN flood and upstream mitigation is still 20 minutes away, these iptables rules can buy y...

7 min read →
Attack Analysis

Multi-vector DDoS: why your single-protocol detection fails

Sophisticated attackers don't use one protocol. They rotate between UDP, TCP, and HTTP to evade simple thresho...

9 min read →
Fundamentals

DDoS attack types explained: a complete taxonomy

Every major DDoS attack type categorized and explained with detection signatures, packet-level characteristics...

14 min read →
Tools

Network traffic analysis tools for DDoS detection: 2025 guide

A hands-on comparison of the best traffic analysis tools including tcpdump, Wireshark, ntopng, Zeek, and purpo...

11 min read →
Fundamentals

DDoS incident response playbook: step-by-step procedures

A ready-to-use incident response playbook with escalation procedures, communication templates, and post-incide...

13 min read →
Comparisons

Cloud DDoS protection comparison: Cloudflare vs AWS Shield vs Akamai

Detailed comparison of cloud DDoS protection services including pricing, capabilities, protocol support, and g...

12 min read →
Fundamentals

Volumetric vs application-layer attacks: why they need different defenses

The two main DDoS categories require fundamentally different detection and mitigation. Understanding the diffe...

10 min read →
