jacob_masse 3 days ago [-]
On March 27, Lorikeet Security was running a live cybersecurity training event with 240 participants. Mid-session, they took a multi-vector DDoS attack. NTP amplification at 39 Gbps across 2,140 reflectors hit simultaneously with a spoofed SYN flood at 890K SYN/s from 18,400 source IPs. Peak traffic was 48.3 Gbps and 1.1M packets per second.
I'm Jacob. I built Flowtriq, a real-time DDoS detection and auto-mitigation platform. We just published our first case study and I wanted to share what happened.
Flowtriq detected both vectors as a single correlated incident in 0.9 seconds. On-node mitigation rules fired automatically. BGP FlowSpec drop rules were pushed to the upstream transit provider. The full mitigation stack was active in under 11 seconds.
The attack ran for 38 minutes. Not one of the 240 participants disconnected. Their CEO said the Flowtriq alert hit Slack before he had even registered anything was wrong on the dashboard. After the incident, Lorikeet standardized Flowtriq across all of their event infrastructure as a required pre-flight component.
The linked case study has the full technical breakdown including PCAP analysis, reflector distribution, FlowSpec rule details, and the complete timeline.
Some background on why I built this: I discovered CVE-2024-45163 last year, a remote unauthenticated DoS in the Mirai botnet's C2 server (CVSS 9.1). That research gave me a deep look at how DDoS attacks work at the packet level and made it clear that most detection tooling is still relying on sampled NetFlow. Polled, aggregated, delayed. By the time your NOC gets an alert, the link is already saturated.
How Flowtriq works:
- Lightweight Python agent (ftagent) installs on each server, reads packets directly from the NIC
- Per-second detection with full packet inspection, no sampling
- Classifies 8 attack types (SYN flood, UDP flood, DNS amp, HTTP flood, ICMP, memcached, multi-vector) with confidence scoring
- Auto-mitigation chain: iptables/nftables, BGP FlowSpec, RTBH, cloud scrubbing (Cloudflare, OVH, Path.net)
- PCAP capture with pre-attack traffic for forensic analysis
- Alerts to Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks
$9.99/node/month. 7-day free trial, no credit card.
pip install ftagent
sudo ftagent --setup
This is my second time building in this space. I previously built an anti-DDoS platform (AttackEngine) that was acquired within a year. Flowtriq is the version I always wanted to build.
Happy to answer anything about the architecture, the Lorikeet incident, or the Mirai CVE research.
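A stripped-down sketch of what per-second full-inspection detection and cross-vector correlation look like for the two vectors in this incident (spoofed SYN flood plus NTP amplification). This is an added example, not Flowtriq's code; the thresholds, packet records and field names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float     # capture timestamp in seconds
    src: str      # source IP (spoofed in a SYN flood, a reflector for NTP amp)
    proto: str    # "tcp" or "udp"
    sport: int    # source port; NTP replies arrive from udp/123
    flags: str    # TCP flags, "S" = SYN only
    length: int   # bytes on the wire

# Constructed per-second thresholds; a real deployment baselines these per host.
SYN_PPS = 1000          # SYN/s above which we flag a SYN flood
NTP_REFLECTORS = 50     # distinct udp/123 sources per second before we flag amplification
NTP_MIN_LEN = 400       # a normal NTP reply is ~90 bytes; amplified replies are far larger

def classify_second(pkts):
    """Inspect every packet of one second (no sampling); return {vector: confidence}."""
    syns, syn_srcs, ntp_srcs = 0, set(), set()
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            syns += 1
            syn_srcs.add(p.src)
        elif p.proto == "udp" and p.sport == 123 and p.length >= NTP_MIN_LEN:
            ntp_srcs.add(p.src)
    vectors = {}
    if syns >= SYN_PPS:
        # Spoofed floods show roughly one source per SYN; real clients retry from few IPs.
        vectors["syn_flood"] = round(len(syn_srcs) / syns, 2)
    if len(ntp_srcs) >= NTP_REFLECTORS:
        vectors["ntp_amplification"] = round(min(1.0, len(ntp_srcs) / (2 * NTP_REFLECTORS)), 2)
    return vectors

def correlate(pkts):
    """Bucket packets by second and merge vectors seen in the same window into one incident."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p.ts)].append(p)
    incident = {"start": None, "vectors": {}}
    for sec in sorted(buckets):
        for name, conf in classify_second(buckets[sec]).items():
            incident["start"] = sec if incident["start"] is None else incident["start"]
            incident["vectors"][name] = max(conf, incident["vectors"].get(name, 0.0))
    if incident["start"] is None:
        return None  # nothing crossed a threshold in any second
    incident["type"] = "multi_vector" if len(incident["vectors"]) > 1 else next(iter(incident["vectors"]))
    return incident

# Constructed traffic: second 9 is a handful of normal SYNs from three clients;
# second 10 carries 1200 SYNs from 1200 spoofed sources and 80 oversized NTP replies.
BENIGN = [Pkt(9.0 + i / 10, f"198.51.100.{i % 3}", "tcp", 50000 + i, "S", 60) for i in range(9)]
SAMPLE = [Pkt(10.0 + i / 1300, f"10.{i >> 8}.{i & 255}.1", "tcp", 40000 + i % 1000, "S", 60) for i in range(1200)]
SAMPLE += [Pkt(10.0 + i / 100, f"192.0.2.{i}", "udp", 123, "", 468) for i in range(80)]
```

`correlate(BENIGN + SAMPLE)` reports one incident starting at second 10, typed `multi_vector`, with both vectors and their confidences; the benign second alone produces no incident.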
KomoD 2 days ago [-]
Is that really supposed to impress? Honestly, 48 Gbps isn't much when it comes to DDoS attacks, especially for an alleged amplification attack.
jacob_masse 19 hours ago [-]
More so about the tech behind it, time to detect, time to mitigate, and the approach that Flowtriq takes to profile attacks that other players in the market do not.
KomoD 10 hours ago [-]
It was mentioned in the title; that's the only reason I brought it up.
> More so about the tech behind it, time to detect, time to mitigate
Well, it wasn't exactly a sophisticated attack, I would be very disappointed if it took any longer for any provider to detect tbh.
anakaine 2 days ago [-]
I found the write-up informative. The volume doesn't need to be overly "impressive" to appreciate the speed at which it was squashed, and the method by which it was squashed.
The piece is obviously a tech bit aimed at giving Flowtriq some props for marketing, but given that it was reasonably technical I still found it to be a good read as to how these things can work.
jacob_masse 19 hours ago [-]
Thank you!
faangguyindia 17 hours ago [-]
Why would I use it over Cloudflare?
jacob_masse 2 hours ago [-]
Fair question. Cloudflare is great if you're protecting web apps behind a reverse proxy. Flowtriq solves a different problem.
If you're running bare metal, hosting infrastructure, or game servers, you can't just point DNS at Cloudflare and call it a day. Your traffic isn't HTTP. You need something that sits on your network, watches raw traffic, and reacts in real time with BGP FlowSpec, RTBH, or cloud scrubbing. Even in this case study, our customer would have been fully exposed with Cloudflare as the attack was across L3/L4 vectors. That's not HTTP traffic you can stick behind Cloudflare's reverse proxy.
Flowtriq runs directly on your servers, detects attacks in under a second, and automatically deploys mitigation at the network level. Full PCAP evidence, instant alerts on Slack/Discord/PagerDuty.
TLDR: Cloudflare is a CDN that proxies your HTTP traffic. Flowtriq is a lightweight agent that lives on your infrastructure, does deep packet inspection on live traffic, classifies attack vectors, and runs automated mitigation runbooks with full analysis and alerting (among many other things). Different tools for different problems.