Use Case
DDoS Detection Directly on Your Routers
Your router is the first device that sees attack traffic. By the time packets reach your servers, the damage is already done. Flowtriq runs directly on Linux-based routers — VyOS, MikroTik (CHR), OpenWrt, and any Linux routing platform — giving you 1-second DDoS detection at the exact point where traffic enters your network.
The Problem
Server-side detection is already too late
Most DDoS detection tools run on the target server. By the time they see the flood, attack traffic has already traversed your uplinks, saturated your switch ports, and is consuming bandwidth that your legitimate traffic needs. The detection fires, but the damage is done.
Enterprise network monitoring platforms like NetFlow collectors poll traffic samples every 30-60 seconds. That is 30-60 seconds of undetected flooding that can bring down an entire subnet. They also require expensive hardware probes, flow exporters, and dedicated collectors that small and mid-size operators cannot justify.
Your router already sees every packet entering and leaving your network. It is the ideal vantage point for detection. The problem is that traditional routers have no built-in DDoS detection, and bolting on external monitoring adds latency, cost, and complexity.
Attacker → Transit → Router → Switch → Server
↑ detected here
T+0.0s Attack starts
T+0.0s Uplinks saturated
T+0.0s Collateral damage begins
T+45s NetFlow collector polls
T+60s Alert threshold crossed
T+90s NOC begins investigation
60 seconds blind. Damage already done.
How Flowtriq Helps
Detect at the first hop, before packets go deeper
The FTAgent installs on any Linux-based router and reads kernel-level network counters from /proc/net/dev every single second. It sees the same traffic your router forwards, but now it is actively watching for anomalies. When packets-per-second or bandwidth crosses a dynamic threshold, the agent opens an incident, classifies the attack type, and fires alerts — all within the same second.
Because the agent runs on the router itself, detection happens at the earliest possible point in your network. Attack traffic is identified before it reaches your servers, switches, or application infrastructure. This gives you the maximum possible reaction time to apply mitigation upstream.
Combined with Flowtriq's auto-mitigation features, the router can apply iptables or nftables rules to drop attack traffic at the kernel level, trigger BGP FlowSpec rules to filter traffic at your transit provider, or activate upstream scrubbing — all automatically, all within seconds.
Attacker → Transit → Router + FTAgent
↑ detected & dropped here
T+0.0s Attack starts on eth0
T+0.8s FTAgent detects threshold breach
T+0.9s Incident opened · UDP Flood · 94%
T+1.0s nftables drop rule applied on router
T+1.1s BGP FlowSpec pushed to transit
T+1.2s Alerts → Slack · PagerDuty
Servers never saw the attack.
Zero collateral damage.
Key Features
Purpose-built for router deployments
Per-interface monitoring
The FTAgent monitors individual network interfaces on your router. Track WAN uplinks, customer-facing ports, peering links, and transit connections independently. Each interface gets its own baseline and threshold, so a busy peering link does not mask an attack on a smaller customer port.
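The counter-delta approach described under "How Flowtriq Helps" and the per-interface baselines described here, as an added example that is not Flowtriq's code: it parses /proc/net/dev snapshots taken one second apart, computes packets-per-second per interface, and raises a breach when the rate exceeds a dynamic threshold. The EWMA baseline, the multiplier k, the floor and the constructed snapshots are assumptions for illustration, not the FTAgent's actual algorithm or values.

```python
# Added example (not Flowtriq's code): per-interface pps from /proc/net/dev deltas, EWMA baseline.
def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets)}; the first two lines are headers."""
    out = {}
    for line in text.splitlines()[2:]:
        if ":" in line:
            iface, rest = line.split(":", 1)
            f = rest.split()
            out[iface.strip()] = (int(f[0]), int(f[1]))
    return out

class Baseline:
    """EWMA of pps; breach when the 1 s rate exceeds max(floor, k * baseline)."""
    def __init__(self, alpha=0.2, k=5.0, floor_pps=50_000):
        self.alpha, self.k, self.floor, self.avg = alpha, k, floor_pps, None
    def update(self, pps):
        if self.avg is None:              # first sample seeds the baseline
            self.avg = pps
            return False
        breached = pps > max(self.floor, self.k * self.avg)
        if not breached:                  # attack traffic must not inflate the baseline
            self.avg = self.alpha * pps + (1 - self.alpha) * self.avg
        return breached

def detect(snapshots, ifaces, interval=1.0):
    """snapshots: /proc/net/dev texts `interval` s apart; returns [(t, iface, pps)]."""
    baselines = {i: Baseline() for i in ifaces}
    prev, incidents = parse_proc_net_dev(snapshots[0]), []
    for t, snap in enumerate(snapshots[1:], start=1):
        cur = parse_proc_net_dev(snap)
        for i in ifaces:
            pps = (cur[i][1] - prev[i][1]) / interval
            if baselines[i].update(pps):
                incidents.append((t, i, pps))
        prev = cur
    return incidents

# Constructed snapshots in the /proc/net/dev layout: two header lines, one row per interface.
HEADER = "Inter-|   Receive   |  Transmit\n face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed\n"
def fake_snapshot(pkts_by_iface):
    rows = [f"{i:>6}: {p * 500} {p} 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n" for i, p in pkts_by_iface.items()]
    return HEADER + "".join(rows)
def build_samples():
    """eth0 idles near 10k pps and is flooded at 800k pps from t=11; eth1 stays flat."""
    eth0, eth1, samples = 0, 0, []
    for t in range(15):
        eth0 += 800_000 if t >= 11 else 10_000 + (t % 3) * 500
        eth1 += 20_000
        samples.append(fake_snapshot({"eth0": eth0, "eth1": eth1}))
    return samples
```

Running `detect(build_samples(), ("eth0", "eth1"))` flags eth0 from t=11 onward while the steady eth1 link never trips, which is the per-interface isolation the feature describes.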
Minimal resource footprint
The agent uses less than 0.1% CPU and under 30MB of memory. It reads counters from /proc/net/dev, a zero-cost kernel interface that requires no packet copying or deep inspection. Your router's forwarding performance is completely unaffected.
BGP FlowSpec & RTBH integration
When an attack is detected on the router, Flowtriq can automatically push BGP FlowSpec rules to your transit providers, filtering attack traffic before it even reaches your network edge. For volumetric floods exceeding your port capacity, RTBH blackholing drops traffic at the upstream router.
Kernel-level firewall rules
Apply iptables or nftables rules directly on the router to drop attack traffic at the kernel level. Rules are applied in dedicated chains that never conflict with your existing routing rules. Auto-withdraw removes them when the attack ends, so legitimate traffic is never blocked.
PCAP capture at the edge
Capture packets on the router before they are forwarded deeper into your network. The pre-attack ring buffer catches the first packets of the flood, giving you forensic evidence of the exact moment traffic patterns changed. Share PCAPs with upstream providers for abuse reports.
Multi-router, single dashboard
Monitor all your routers from one workspace. Whether you have 2 border routers or 50 PoP routers across multiple datacenters, every node reports to the same Flowtriq dashboard. Filter by location, interface, or attack type to get the view your NOC needs.
Compatibility
Runs on any Linux-based router
The FTAgent requires only a Linux kernel (3.10+) and Python 3.6+. If your router runs Linux under the hood, the agent can run on it. This covers the vast majority of software routers, virtual routers, and routing appliances used by small to mid-size operators.
For hardware routers that do not run Linux natively (Cisco IOS, Juniper Junos), you can deploy the FTAgent on a lightweight Linux VM or container that mirrors traffic from the router via port mirroring (SPAN) or NetFlow/sFlow export. The agent analyzes the mirrored traffic with the same 1-second granularity.
The agent installs with a single pip install command and runs as a systemd service. No kernel modules, no recompilation, no custom packages. It works alongside your existing routing daemon (BIRD, FRRouting, Quagga) without any conflicts.
• VyOS 1.3+ (Equuleus, Sagitta)
• MikroTik CHR (Cloud Hosted Router)
• OpenWrt 21.02+ (x86, ARM)
• pfSense / OPNsense (FreeBSD via Linux compat)
• Ubuntu / Debian / Rocky as router
Routing Daemons (coexists with)
• BIRD 2.x
• FRRouting (FRR) 7.x+
• Quagga
• GoBGP
Deployment Methods
• Direct install (pip + systemd)
• Docker container
• LXC on router host
• SPAN/mirror receiver VM
By the Numbers
Router-level detection changes everything
Before & After
Router-level vs. server-level detection
Detection on Servers Only
- Attack saturates uplinks before detection fires
- Collateral damage to all devices behind the router
- NetFlow/sFlow polled every 30-60 seconds
- No visibility into traffic that never reaches the server
- Mitigation rules applied too deep in the path
- Upstream providers notified manually, minutes later
Detection on the Router with Flowtriq
- Attack detected at the first hop in under 1 second
- Firewall rules drop traffic before it reaches servers
- Every packet counted every second, not sampled
- Full visibility into all ingress and egress traffic
- BGP FlowSpec pushes filters to transit automatically
- PCAP captured at the edge for upstream abuse reports
Getting Started
Deploy on your router in 5 minutes
The FTAgent installs the same way on a router as on any Linux server. If you can SSH in and run pip, you are ready.
Create a workspace and add a node
Sign up at flowtriq.com and create a node entry for your router. Name it by function or location (e.g., "border-01-ams" or "core-router-nyc") so your team can identify it at a glance in the dashboard.
Install the FTAgent on the router
SSH into your router and install the agent with pip. The agent auto-detects available network interfaces and starts monitoring immediately. On VyOS, use the built-in Python environment. On OpenWrt, install python3-pip from opkg first.
Select the interfaces to monitor
During setup, choose which interfaces to watch. Monitor your WAN uplinks for inbound floods, your customer-facing interfaces for per-tenant visibility, and your peering links for cross-connect anomalies. Each interface gets independent baselines.
Configure alerts and auto-mitigation
Connect your Slack, Discord, or PagerDuty channels. Enable auto-mitigation rules to apply nftables drops on the router and push BGP FlowSpec to your transit providers. Set escalation policies for different severity levels.
Baselines calibrate automatically
Within 5 minutes, the agent learns your router's normal traffic patterns and sets dynamic thresholds per interface. No manual tuning required. You can always override thresholds for interfaces with known traffic spikes (e.g., backup windows or game launches).
FAQ
Common questions about router deployments
Will it slow down my router's forwarding?
No. The FTAgent reads counters from /proc/net/dev, which is a read-only kernel interface that does not touch the forwarding path. It does not copy packets, does not use packet capture, and does not inject anything into the dataplane. Your router's forwarding performance is completely unaffected.
Does it work on MikroTik RouterOS?
Not on RouterOS directly, as RouterOS does not expose a standard Linux userspace. However, MikroTik's Cloud Hosted Router (CHR) runs on Linux-based hypervisors and supports the FTAgent. You can also deploy the agent on a lightweight Linux VM that receives mirrored traffic from your MikroTik device.
Can I run it alongside BIRD or FRRouting?
Yes. The FTAgent operates entirely independently of your routing daemon. It does not modify routing tables, BGP sessions, or OSPF adjacencies. For BGP FlowSpec mitigation, the agent communicates with your transit provider's API or ExaBGP sidecar, not with your production BGP daemon.
What about hardware routers like Cisco or Juniper?
The agent cannot install natively on IOS-XE, IOS-XR, or Junos. For these platforms, deploy the agent on a Linux VM or server that receives mirrored traffic via SPAN, ERSPAN, or NetFlow/sFlow export. You get the same 1-second detection granularity from the mirrored data.
Should I run it on the router and the servers?
Yes, for defense in depth. The router agent gives you first-hop detection and network-wide visibility. Server agents give you per-application granularity and host-level mitigation. Both report to the same dashboard, giving your NOC a complete picture from edge to endpoint.