Detection
Sub-second DDoS detection.
Not sub-minute.
Flowtriq reads packets per second (PPS) and bandwidth (BPS) from kernel-level network stats (/proc/net/dev) every second. The moment your traffic crosses the dynamic threshold, an incident opens and alerts fire in under a second. Traditional monitoring waits 60 seconds to even notice.
How It Works
Every second, your traffic is measured. Every crossing fires immediately.
The FTAgent runs on your Linux server and reads per-interface counters from the kernel (/proc/net/dev) once per second. This gives exact byte and packet counts for every interface, with zero overhead on your application.
Alongside packets and bandwidth, the agent reads protocol-level stats from the kernel (/proc/net/snmp), giving TCP, UDP, and ICMP breakdowns used in attack classification. Connection count is tracked via system tools for SYN flood detection.
When any metric crosses its dynamic threshold, the agent opens an incident locally, starts PCAP capture, fires all configured alert channels, and reports to the Flowtriq cloud, all within the same second.
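The sampling loop the paragraphs above describe, written out as an added Python example (this is not FTAgent's own code): it parses /proc/net/dev, derives per-second PPS and BPS from the kernel's cumulative counters, and applies the rule the page states, 3x the 99th percentile of a rolling 5-minute baseline, with the per-node manual override mentioned in the FAQ. The warm-up sample count, the uuid-based incident id, the constructed traffic in render_proc_net_dev and simulate, and the choice to keep crossing seconds out of the baseline are assumptions of the example.

```python
"""Added example (not Flowtriq/FTAgent code): once-per-second /proc/net/dev sampler
with a 3x-p99 dynamic threshold over a rolling 5-minute baseline."""
import math
import uuid
from collections import deque

WINDOW_SECONDS = 300   # rolling 5-minute baseline (page)
MULTIPLIER = 3.0       # threshold = 3x p99 (page)
WARMUP_SAMPLES = 10    # assumption: samples needed before p99 is trusted


def parse_proc_net_dev(text):
    """Parse /proc/net/dev into {iface: (rx_bytes, rx_packets, tx_bytes, tx_packets)}.
    Layout: 8 receive fields then 8 transmit fields; bytes and packets lead each group."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        iface, rest = line.split(":", 1)
        cols = rest.split()
        if len(cols) < 16:
            continue
        stats[iface.strip()] = (int(cols[0]), int(cols[1]), int(cols[8]), int(cols[9]))
    return stats


def percentile(values, q):
    """Nearest-rank percentile (q in 0..100) over a sorted copy of values."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q / 100 * len(ordered)))
    return ordered[rank - 1]


class Detector:
    def __init__(self, iface="eth0", manual_threshold=None):
        self.iface = iface
        self.manual_threshold = manual_threshold   # per-node override (FAQ)
        self.prev = None                           # last (rx_bytes, rx_packets) seen
        self.baseline = deque(maxlen=WINDOW_SECONDS)
        self.incident_id = None

    def threshold(self):
        """Manual override wins; otherwise 3x p99 of the rolling baseline."""
        if self.manual_threshold is not None:
            return self.manual_threshold
        if len(self.baseline) < WARMUP_SAMPLES:
            return None
        return MULTIPLIER * percentile(self.baseline, 99)

    def sample(self, proc_net_dev_text):
        """One tick: None on the first read (no delta yet), else the per-second verdict."""
        rx_bytes, rx_pkts, _, _ = parse_proc_net_dev(proc_net_dev_text)[self.iface]
        if self.prev is None:
            self.prev = (rx_bytes, rx_pkts)
            return None
        pps = rx_pkts - self.prev[1]
        bps = (rx_bytes - self.prev[0]) * 8
        self.prev = (rx_bytes, rx_pkts)
        thr = self.threshold()
        crossed = thr is not None and pps > thr
        if crossed:
            if self.incident_id is None:
                self.incident_id = uuid.uuid4().hex[:8]   # incident opens on first crossing
        else:
            self.baseline.append(pps)   # assumption: attack seconds do not feed the baseline
        return {"pps": pps, "bps": bps, "threshold": thr, "crossed": crossed,
                "incident": self.incident_id}


def render_proc_net_dev(rx_bytes, rx_packets, iface="eth0"):
    """Constructed /proc/net/dev snapshot, used only to drive the demo offline."""
    return (
        "Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    "
        "packets errs drop fifo colls carrier compressed\n"
        "    lo:  100000    1000    0    0    0     0          0         0   100000"
        "    1000    0    0    0     0       0          0\n"
        f"  {iface}: {rx_bytes} {rx_packets} 0 0 0 0 0 0 50000 400 0 0 0 0 0 0\n"
    )


def simulate():
    """60 s of constructed normal traffic (1,200-1,560 pps with two 4,100 pps bursts),
    then an 8,409 pps second and a 47,821 pps second, as in the log above."""
    det = Detector()
    rx_bytes, rx_pkts = 10_000_000, 50_000
    seconds = [(4100 if i % 30 == 29 else 1200 + (i % 7) * 60, 5_250_000) for i in range(60)]
    seconds += [(8409, 36_250_000), (47821, 212_500_000)]
    results = []
    for pkts, nbytes in seconds:
        rx_pkts += pkts
        rx_bytes += nbytes
        verdict = det.sample(render_proc_net_dev(rx_bytes, rx_pkts))
        if verdict is not None:
            results.append(verdict)
    return results


if __name__ == "__main__":
    for v in simulate()[-3:]:
        print(v)
```

In the constructed run the 8,409 pps second stays below the 12,300 pps threshold (3x the 4,100 pps burst that the baseline has already absorbed), and the 47,821 pps second crosses and opens the incident; a real agent would read /proc/net/dev itself each second instead of calling render_proc_net_dev.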
| Property | Detail |
| --- | --- |
| Sampling source | Kernel-level stats (/proc/net/dev, /proc/net/snmp) |
| Sampling interval | 1 second |
| Metrics collected | Packets, bandwidth, TCP/UDP/ICMP |
| Connection count | System tools (SYN flood detection) |
| Offline resilience | 2,000-event retry queue |
| Detection latency | < 1 second end-to-end |
09:44:16 PPS=1,204 BPS=42Mbps NORMAL
09:44:17 PPS=1,198 BPS=41Mbps NORMAL
09:44:18 PPS=8,409 BPS=290Mbps ELEVATED
09:44:19 PPS=47,821 BPS=1.7Gbps ⚠ THRESHOLD CROSSED
→ Threshold: 12,306 PPS (3× p99)
→ Incident opened · UUID: a3f7c2b1
→ PCAP started · ring buffer flushed
→ Classification · UDP Flood · 94%
→ Alerts fired · Discord · Slack · PD
Total elapsed: 0.71s
Detection Timeline
What happens in that first second
T+0.00s: Kernel stat read
FTAgent reads kernel-level network stats. Zero overhead on your application. The difference in bytes since the last sample is calculated instantly.
T+0.01s: Threshold comparison
Current traffic is compared against the dynamic baseline threshold (3x your 99th percentile). If exceeded, detection fires immediately, with no averaging and no dampening delay.
T+0.05s: Attack classification
Protocol breakdown (TCP/UDP/ICMP ratio), source IP analysis, and threat pattern matching run simultaneously. Attack family and confidence score produced.
T+0.06s: PCAP capture starts
The 500-packet pre-attack ring buffer is flushed to disk as the opening section of the incident PCAP. Live capture continues for up to 10,000 additional packets.
T+0.1-0.7s: Alerts fire
All configured channels (Discord, Slack, PagerDuty, email, SMS, webhook) receive the alert. Rich embeds include attack type, peak PPS, peak BPS, and a link to the incident.
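The classification and capture steps of the timeline (T+0.05s and T+0.06s), as an added Python example that is not Flowtriq's code: it parses two constructed /proc/net/snmp snapshots one second apart, names the dominant protocol's flood family with that protocol's share as the confidence score, and keeps a 500-packet pre-attack ring buffer that is flushed to the front of the incident capture, which then stops after 10,000 additional packets. The snapshot contents and trimmed field list, the syn_recv argument (the page only says connection count comes from system tools) and the SYN_RECV_FLOOD cut-off are assumptions of the example.

```python
"""Added example (not Flowtriq code): attack classification from the /proc/net/snmp
protocol mix, plus the pre-attack ring buffer and capped live capture."""
from collections import deque

# Constructed snapshots one second apart. The real /proc/net/snmp has more fields and
# also Ip:/IpExt: lines; the parser reads any header/value line pair, so trimming is safe.
SNMP_T0 = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 1200 3400 85 500000 480000
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 200000 15 0 190000
Icmp: InMsgs InErrors OutMsgs
Icmp: 1000 0 1000
"""
# One second later during a UDP flood (NoPorts climbs: datagrams hitting closed ports).
SNMP_T1_UDP = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 1210 3420 86 502500 482000
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 244000 43000 0 190200
Icmp: InMsgs InErrors OutMsgs
Icmp: 1300 0 1050
"""
# One second later during a SYN flood (PassiveOpens climbs together with InSegs).
SNMP_T1_SYN = """\
Tcp: ActiveOpens PassiveOpens CurrEstab InSegs OutSegs
Tcp: 1210 48000 90 545000 485000
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 201000 16 0 190900
Icmp: InMsgs InErrors OutMsgs
Icmp: 1050 0 1020
"""
SYN_RECV_FLOOD = 1000  # assumption: half-open connections per second that marks a SYN flood


def parse_proc_net_snmp(text):
    """/proc/net/snmp is pairs of lines: 'Proto: name name ...' then 'Proto: val val ...'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        _, nums = values.split(":", 1)
        counters[proto] = dict(zip(names.split(), (int(n) for n in nums.split())))
    return counters


def classify(before, after, syn_recv=0):
    """Family from the inbound per-second protocol mix; confidence is the dominant share.
    syn_recv is the half-open connection count the agent gets from system tools (assumed)."""
    tcp = after["Tcp"]["InSegs"] - before["Tcp"]["InSegs"]
    udp = after["Udp"]["InDatagrams"] - before["Udp"]["InDatagrams"]
    icmp = after["Icmp"]["InMsgs"] - before["Icmp"]["InMsgs"]
    total = tcp + udp + icmp
    if total <= 0:
        return None
    shares = {"TCP": tcp / total, "UDP": udp / total, "ICMP": icmp / total}
    proto, share = max(shares.items(), key=lambda kv: kv[1])
    if proto == "TCP":
        family = "SYN Flood" if syn_recv >= SYN_RECV_FLOOD else "TCP Flood"
    else:
        family = f"{proto} Flood"
    return {"family": family, "confidence": round(share * 100), "shares": shares}


class IncidentCapture:
    """500-packet pre-attack ring buffer; on incident open it is flushed to the front of
    the capture and live capture continues for up to 10,000 more packets (page sizes)."""

    def __init__(self, ring_size=500, live_limit=10_000):
        self.ring = deque(maxlen=ring_size)
        self.extra_limit = live_limit
        self.limit = 0
        self.capture = None   # None until an incident opens

    def push(self, pkt):
        if self.capture is None:
            self.ring.append(pkt)          # oldest packet is silently evicted
        elif len(self.capture) < self.limit:
            self.capture.append(pkt)

    def open_incident(self):
        """Flush the ring (here into a list standing in for the PCAP file) and cap live capture."""
        self.capture = list(self.ring)
        self.limit = len(self.capture) + self.extra_limit
        self.ring.clear()
        return len(self.capture)

    def packets(self):
        return list(self.capture or [])


def demo():
    t0 = parse_proc_net_snmp(SNMP_T0)
    udp = classify(t0, parse_proc_net_snmp(SNMP_T1_UDP))
    syn = classify(t0, parse_proc_net_snmp(SNMP_T1_SYN), syn_recv=4800)
    cap = IncidentCapture()
    for i in range(700):          # 700 pre-attack packets arrive; only the last 500 survive
        cap.push(("pre", i))
    flushed = cap.open_incident()
    for i in range(12_000):       # live capture stops after 10,000 additional packets
        cap.push(("live", i))
    return udp, syn, flushed, len(cap.packets())


if __name__ == "__main__":
    print(demo())
```

The confidence value is simply the dominant protocol's share of inbound packets in that second, so a mixed flood reports lower confidence; source-IP analysis and pattern matching, which the page lists alongside the protocol ratio, are not modelled here.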
Why It Matters
60 seconds is too late
Traditional monitoring (60s polling)
- First poll fires 0–60s after attack begins
- Alert reaches on-call 1–3 minutes in
- Users are already complaining
- Attack peak may be over before you know
- No pre-attack PCAP evidence
Flowtriq (1s polling)
- Detection within 1 second of threshold crossing
- Alert fires before most users notice
- PCAP evidence starts from pre-attack traffic
- Attack family classified at same time as alert
- 2,000-event queue survives temporary outages
FAQ
Common questions about detection
Does 1-second sampling add overhead to my server?
No. Reading kernel-level network stats is a lightweight operation. The data is already computed by the operating system. There is no additional packet inspection, no kernel module, and no firewall rule. CPU overhead is typically under 0.1% on any modern server.
What if my server is offline when an attack is detected?
The FTAgent maintains a 2,000-event retry queue on disk. Events that can't be delivered are retried with exponential backoff. Once connectivity is restored, all queued events are delivered in order so your incident timeline is complete.
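The retry queue described in this answer, as an added Python example that is not FTAgent code: a bounded, in-order queue with exponential backoff, driven by an injected sender and clock so it runs offline. The backoff schedule (1 s, doubling, capped at 60 s), the drop-oldest policy when the 2,000-event queue is full, and the in-memory stand-in for the on-disk queue file are assumptions of the example.

```python
"""Added example (not FTAgent code): bounded, in-order event retry with exponential backoff."""
import json
from collections import deque

QUEUE_CAPACITY = 2000                # 2,000-event queue (page)
BASE_DELAY, MAX_DELAY = 1.0, 60.0    # assumption: backoff starts at 1 s, doubles, caps at 60 s


class RetryQueue:
    def __init__(self, send, now, capacity=QUEUE_CAPACITY):
        self.send = send          # callable(payload) -> bool, True when the cloud accepted it
        self.now = now            # callable() -> seconds, injected so the demo can fake time
        self.queue = deque(maxlen=capacity)   # assumption: oldest event dropped when full
        self.failures = 0
        self.next_attempt = 0.0
        self.delivered = []

    def enqueue(self, event):
        # Serialised as it would be in the on-disk queue file (a deque stands in here).
        self.queue.append(json.dumps(event))

    def flush(self):
        """Deliver queued events oldest-first; on the first failure, back off and stop.
        Returns the number delivered on this call."""
        if self.now() < self.next_attempt:
            return 0
        sent = 0
        while self.queue:
            if not self.send(self.queue[0]):
                self.failures += 1
                delay = min(MAX_DELAY, BASE_DELAY * 2 ** (self.failures - 1))
                self.next_attempt = self.now() + delay
                return sent
            self.delivered.append(json.loads(self.queue.popleft()))
            sent += 1
        self.failures = 0
        return sent


def demo():
    """Constructed outage: one event per second for 2,500 s with the link down, then the
    link returns. Returns (send attempts overall, delivered on recovery, first seq delivered,
    last seq delivered, order preserved)."""
    clock = {"t": 0.0}
    link = {"up": False}
    attempts = []

    def send(payload):
        attempts.append(clock["t"])
        return link["up"]

    q = RetryQueue(send, lambda: clock["t"])
    for sec in range(2500):
        clock["t"] = float(sec)
        q.enqueue({"seq": sec, "type": "threshold_crossed"})
        q.flush()
    link["up"] = True
    clock["t"] = 2600.0
    delivered = q.flush()
    seqs = [e["seq"] for e in q.delivered]
    return len(attempts), delivered, seqs[0], seqs[-1], seqs == sorted(seqs)


if __name__ == "__main__":
    print(demo())
```

During the 2,500 s outage the backoff limits the agent to 47 send attempts (1, 2, 4, 8, 16, 32 s, then every 60 s), and on recovery the 2,000 most recent events are delivered in order; the 500 oldest were evicted by the capacity limit, which is the trade-off a bounded queue makes during a long outage.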
Can I adjust the detection threshold manually?
Yes. The automatic threshold is 3x your 99th percentile of the rolling 5-minute baseline, but you can override it per-node via the Console or API. Manual thresholds take precedence and are respected until you clear them.
Does Flowtriq support IPv6 traffic?
Yes. The kernel stats report aggregate bytes and packets across all IP versions. The FTAgent measures total interface traffic, which inherently covers both IPv4 and IPv6. Protocol-level detection distinguishes TCP, UDP, and ICMP across both address families.