Classification
Know the attack family, not just the traffic spike.
Flowtriq classifies 8 DDoS attack families with confidence scoring, IP spoofing detection, and botnet identification, all within the same second as detection. Knowing it's a memcached amplification attack tells you who to call. Knowing PPS is high doesn't.
Attack Families
Every major DDoS family, classified
Flowtriq identifies attack families by analyzing protocol ratios, packet sizes, source IP diversity patterns, and TCP flags.
UDP Flood
High packet rate with dominant UDP traffic. Includes reflection variants (memcached, NTP, SSDP amplification).
SYN Flood
TCP connection requests (SYN packets) that never complete. Overwhelms the server's ability to accept new connections.
HTTP Flood
High connection count with web-traffic-shaped packets. Detected via connection tracking and port 80/443 dominance.
ICMP Flood
Dominant ICMP (ping) protocol ratio. High packet rate with uniform small packet sizes.
DNS Amplification
UDP traffic on port 53. Attackers send tiny DNS queries with faked source IPs, generating huge responses directed at you.
Multi-Vector Attack
Multiple attack families detected simultaneously. Flowtriq reports each vector separately with individual confidence scores.
ACK / RST Flood
High TCP ACK or RST packet rate with no corresponding connection request. Designed to bypass simple firewall rules.
Fragmentation Attack
Malformed or excessive IP fragments. Detected via fragment flag analysis and reassembly pressure indicators.
Classification Engine
Confidence scoring and spoofing detection
Every classification comes with a confidence score from 0–100. Scores above 85 are high-confidence; scores of 60–85 indicate probable classification with some ambiguity (common in multi-vector attacks).
IP spoofing detection uses TTL pattern analysis (TTL, time to live, is an IP header field that each router decrements, so its value on arrival reflects how many hops the packet has traveled). In a real botnet, TTL values cluster around a few numbers because packets traverse similar network paths. When TTL values are unusually scattered, it is a strong indicator of faked source IPs.
Botnet detection triggers when unique source IP count exceeds 300 during an attack window, a threshold that avoids false positives on CDN-originated traffic while capturing coordinated attacks.
Typical confidence scores by attack family. Multi-vector scores are per-vector.
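The following is an added example, not Flowtriq's code, showing how the heuristics described on this page (protocol ratios, TCP flag mix, port dominance, packet size, fragment pressure, TTL scatter and source-IP diversity) can be combined into a family classification with a 0–100 confidence, a per-vector multi-vector verdict, and an "Unknown" verdict that still carries partial indicators, as the FAQ below describes. The 300-source botnet threshold and the 85/60 confidence bands come from the page; the WindowStats layout, the TTL entropy threshold, the 60% protocol-share ramp, the family scoring formulas and the sample window are assumptions constructed for illustration.

```python
"""Added example, not Flowtriq's code: a toy DDoS family classifier with the
shape of the heuristics described on the page. Only the 300-source botnet
threshold and the 85/60 confidence bands are taken from the page; everything
else (thresholds, weights, input layout) is an assumption for illustration."""
import math
from collections import Counter
from dataclasses import dataclass

AMPLIFICATION_PORTS = {11211: "memcached", 123: "NTP", 1900: "SSDP"}  # real service ports
BOTNET_MIN_SOURCES = 300     # from the page: more than 300 distinct sources in a window
TTL_ENTROPY_THRESHOLD = 3.0  # assumed: bits of TTL entropy above which sources look faked


@dataclass
class WindowStats:
    """Aggregate counters for one attack window (constructed input; no packet payloads)."""
    proto_pkts: dict     # {"udp": n, "tcp": n, "icmp": n}
    tcp_flags: dict      # {"SYN": n, "SYN-ACK": n, "ACK": n, "RST": n}
    dst_ports: dict      # {(proto, port): n}
    src_ips: list        # sampled source addresses
    ttls: list           # sampled TTL values
    avg_pkt_size: float
    fragments: int       # packets with MF set or a nonzero fragment offset


def shannon_entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def detect_spoofing(ttls):
    """Scattered TTLs (high entropy) suggest faked sources; clustered TTLs suggest real paths."""
    h = round(shannon_entropy(ttls), 2)
    return h >= TTL_ENTROPY_THRESHOLD, h


def detect_botnet(src_ips):
    distinct = len(set(src_ips))
    return distinct > BOTNET_MIN_SOURCES, distinct


def family_scores(s):
    """Score every family 0-100 from protocol ratios, TCP flag mix, ports, sizes and fragments."""
    total = sum(s.proto_pkts.values()) or 1
    ratio = {p: s.proto_pkts.get(p, 0) / total for p in ("udp", "tcp", "icmp")}
    ramp = {p: min(1.0, r / 0.6) for p, r in ratio.items()}  # full weight at ~60% share (assumed)
    tcp_total = sum(s.tcp_flags.values()) or 1
    flag = {k: s.tcp_flags.get(k, 0) / tcp_total for k in ("SYN", "SYN-ACK", "ACK", "RST")}
    completed = min(1.0, flag["SYN-ACK"] / flag["SYN"]) if flag["SYN"] else 0.0  # answered SYNs
    udp_ports = {port: n for (proto, port), n in s.dst_ports.items() if proto == "udp"}
    dns_share = udp_ports.get(53, 0) / (sum(udp_ports.values()) or 1)
    web_pkts = sum(n for (proto, port), n in s.dst_ports.items() if proto == "tcp" and port in (80, 443))
    small_uniform = 1.0 if s.avg_pkt_size < 100 else 0.3
    raw = {
        "UDP Flood": ramp["udp"] * (1 - dns_share),
        "DNS Amplification": ramp["udp"] * dns_share,
        "SYN Flood": ramp["tcp"] * flag["SYN"] * (1 - completed),
        "ACK / RST Flood": ramp["tcp"] * (flag["ACK"] + flag["RST"]) * (1 - completed),
        "HTTP Flood": ramp["tcp"] * (web_pkts / tcp_total) * completed,
        "ICMP Flood": ramp["icmp"] * small_uniform,
        "Fragmentation Attack": s.fragments / total,
    }
    return {fam: round(100 * v) for fam, v in raw.items()}


def udp_subtype(s):
    """Name the reflection service when the dominant UDP port is a known amplifier."""
    udp_ports = {port: n for (proto, port), n in s.dst_ports.items() if proto == "udp"}
    top = max(udp_ports, key=udp_ports.get) if udp_ports else None
    return f"{AMPLIFICATION_PORTS[top]} Amplification" if top in AMPLIFICATION_PORTS else None


def classify(s):
    scores = family_scores(s)
    vectors = [{"family": f, "confidence": c, "band": "high" if c >= 85 else "probable",
                "subtype": udp_subtype(s) if f == "UDP Flood" else None}
               for f, c in sorted(scores.items(), key=lambda fc: -fc[1]) if c >= 60]
    spoofed, entropy = detect_spoofing(s.ttls)
    botnet, distinct = detect_botnet(s.src_ips)
    result = {"spoofing": spoofed, "ttl_entropy": entropy, "botnet": botnet,
              "distinct_src": distinct, "vectors": vectors, "scores": scores}
    if len(vectors) > 1:   # each vector keeps its own confidence score
        result.update(family="Multi-Vector Attack", confidence=None, subtype=None)
    elif vectors:
        result.update(family=vectors[0]["family"], confidence=vectors[0]["confidence"],
                      subtype=vectors[0]["subtype"])
    else:                  # nothing fits: keep partial indicators for forensics
        dominant = max(s.proto_pkts, key=s.proto_pkts.get) if s.proto_pkts else None
        result.update(family="Unknown", confidence=None, subtype=None,
                      indicators={"dominant_proto": dominant, "avg_pkt_size": s.avg_pkt_size})
    return result


# Constructed window resembling the memcached panel: UDP 98.4%, scattered TTLs, 3,241 sources.
MEMCACHED_WINDOW = WindowStats(
    proto_pkts={"udp": 984, "tcp": 12, "icmp": 4}, tcp_flags={"SYN": 6, "SYN-ACK": 3, "ACK": 3},
    dst_ports={("udp", 11211): 930, ("udp", 53): 54, ("tcp", 443): 12},
    src_ips=[f"10.{i >> 8}.{i & 255}.7" for i in range(3241)], ttls=list(range(40, 58)) * 3,
    avg_pkt_size=1400.0, fragments=3)

if __name__ == "__main__":
    for key, value in classify(MEMCACHED_WINDOW).items():
        print(f"{key:>12}: {value}")
```

Running the block classifies the constructed window as a UDP Flood with the memcached Amplification subtype, flags spoofing from the scattered TTLs, and flags a botnet from the 3,241 distinct sources. Because each family's score is scaled by its protocol's share of traffic, a 60/40 split between an NTP reflection flood and a SYN flood yields two vectors, the second landing in the 60–85 "probable" band, which is the ambiguity the page attributes to multi-vector attacks.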
NODE nyc-edge-01
PEAK 47,821 PPS · 1.7 Gbps
─── Classification ──────────────
Family UDP Flood
Subtype memcached Amplification
Confidence 94%
─── Source Analysis ─────────────
Spoofing DETECTED (TTL entropy: 4.2)
Src IPs 3,241 distinct → botnet
Top ASN AS4134 · AS4837 · AS9808
─── Protocol Breakdown ──────────
UDP 98.4%
TCP 1.2%
ICMP 0.4%
FAQ
Common questions about classification
How accurate is the confidence score?
Confidence reflects how well the observed traffic profile matches the expected signature for that attack family. Scores above 85 are highly reliable in our testing. Scores below 65 indicate ambiguous traffic, often multi-vector attacks or unusual legitimate traffic patterns. You always see the raw confidence, never a binary "attack/not attack" verdict without context.
Can Flowtriq classify attacks without deep packet inspection?
Yes. Flowtriq uses kernel-level statistics: no deep packet inspection, no packet copies, no port mirroring required. This keeps overhead near zero and works on any standard Linux server without special hardware.
What if the attack is a type Flowtriq doesn't know?
Unknown attack patterns still trigger detection based on traffic threshold crossing. The classification engine will report "Unknown" with partial indicators (e.g., dominant protocol, packet size distribution) so you have useful forensic data even without a named classification. Threat pattern matching may still identify specific attack toolkits even when the network signature is unusual.
Does classification work for application-layer (L7) attacks?
HTTP flood detection uses connection count tracking and port distribution analysis, which provides application-layer visibility without deep packet inspection. For full application-layer analysis, the PCAP evidence Flowtriq captures is available for manual or automated analysis with tools like Wireshark or Zeek.