2 comments

  • jacob_masse 10 hours ago
    On March 27, Lorikeet Security was running a live cybersecurity training event with 240 participants. Mid-session, they took a multi-vector DDoS attack. NTP amplification at 39 Gbps across 2,140 reflectors hit simultaneously with a spoofed SYN flood at 890K SYN/s from 18,400 source IPs. Peak traffic was 48.3 Gbps and 1.1M packets per second.

    I'm Jacob. I built Flowtriq, a real-time DDoS detection and auto-mitigation platform. We just published our first case study and I wanted to share what happened.

    Flowtriq detected both vectors as a single correlated incident in 0.9 seconds. On-node mitigation rules fired automatically. BGP FlowSpec drop rules were pushed to the upstream transit provider. The full mitigation stack was active in under 11 seconds.

    The attack ran for 38 minutes. Not one of the 240 participants disconnected. Their CEO said the Flowtriq alert hit Slack before he had even registered anything was wrong on the dashboard. After the incident, Lorikeet standardized Flowtriq across all of their event infrastructure as a required pre-flight component.

    The linked case study has the full technical breakdown including PCAP analysis, reflector distribution, FlowSpec rule details, and the complete timeline.

    Some background on why I built this: I discovered CVE-2024-45163 last year, a remote unauthenticated DoS in the Mirai botnet's C2 server (CVSS 9.1). That research gave me a deep look at how DDoS attacks work at the packet level and made it clear that most detection tooling is still relying on sampled NetFlow. Polled, aggregated, delayed. By the time your NOC gets an alert, the link is already saturated.

    How Flowtriq works:

    - Lightweight Python agent (ftagent) installs on each server, reads packets directly from the NIC
    - Per-second detection with full packet inspection, no sampling
    - Classifies 8 attack types (SYN flood, UDP flood, DNS amp, HTTP flood, ICMP, memcached, multi-vector) with confidence scoring
    - Auto-mitigation chain: iptables/nftables, BGP FlowSpec, RTBH, cloud scrubbing (Cloudflare, OVH, Path.net)
    - PCAP capture with pre-attack traffic for forensic analysis
    - Alerts to Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks

    $9.99/node/month. 7-day free trial, no credit card.

        pip install ftagent
        sudo ftagent --setup
    
    This is my second time building in this space. I previously built an anti-DDoS platform (AttackEngine) that was acquired within a year. Flowtriq is the version I always wanted to build.

    Happy to answer anything about the architecture, the Lorikeet incident, or the Mirai CVE research.
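    The post describes per-second, unsampled detection that correlates a SYN flood and an NTP amplification wave into one incident and then fires on-node rules. Below is an added, self-contained sketch of that pipeline (example code, not Flowtriq's or any project's own): it buckets packet records by second, scores each vector with a simple confidence curve, merges overlapping findings into a single multi-vector incident, and maps each vector to an nftables rule. The thresholds, the confidence curve, the `inet filter` / `input` table and chain names, and the traffic sample are all assumptions constructed for the example.

```python
"""Per-second, unsampled detection of a SYN flood and NTP amplification arriving
together, correlated into one incident. Constructed example; thresholds and the
nftables table/chain names are assumptions, not Flowtriq's values."""
from collections import defaultdict
from dataclasses import dataclass

SYN_PPS_THRESHOLD = 1000       # SYN-only packets per second (assumed)
SYN_MIN_SOURCES = 200          # distinct sources per second; spoofed floods spread widely (assumed)
NTP_BPS_THRESHOLD = 1_000_000  # bytes per second sourced from UDP/123 (assumed)
NTP_MIN_REFLECTORS = 50        # distinct reflector addresses per second (assumed)


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    length: int
    flags: str = ""  # TCP flag letters: "S" = SYN only, "PA" = PSH+ACK


def bucket_by_second(packets):
    """Group packets into one-second buckets keyed by integer second."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts)].append(p)
    return buckets


def _confidence(observed, threshold):
    """0.5 at the threshold, rising linearly to 1.0 at three times it (assumed curve)."""
    return min(1.0, 0.5 + 0.25 * (observed / threshold - 1))


def classify_second(pkts):
    """Return [(vector, confidence)] for one second of traffic; empty when nothing trips."""
    findings = []
    syn = [p for p in pkts if p.proto == "tcp" and p.flags == "S"]
    if len(syn) >= SYN_PPS_THRESHOLD and len({p.src for p in syn}) >= SYN_MIN_SOURCES:
        findings.append(("syn_flood", _confidence(len(syn), SYN_PPS_THRESHOLD)))
    ntp = [p for p in pkts if p.proto == "udp" and p.sport == 123]
    ntp_bytes = sum(p.length for p in ntp)
    if ntp_bytes >= NTP_BPS_THRESHOLD and len({p.src for p in ntp}) >= NTP_MIN_REFLECTORS:
        findings.append(("ntp_amplification", _confidence(ntp_bytes, NTP_BPS_THRESHOLD)))
    return findings


def detect(packets, gap=2):
    """Classify every second and merge overlapping findings into incidents.
    A quiet stretch longer than `gap` seconds closes the open incident."""
    buckets = bucket_by_second(packets)
    incidents, current = [], None
    for sec in sorted(buckets):
        findings = classify_second(buckets[sec])
        if not findings:
            if current and sec - current["end"] > gap:
                incidents.append(current)
                current = None
            continue
        if current is None:
            current = {"start": sec, "end": sec, "vectors": {}}
        current["end"] = sec
        for vector, conf in findings:  # keep the strongest confidence seen per vector
            current["vectors"][vector] = max(conf, current["vectors"].get(vector, 0.0))
    if current:
        incidents.append(current)
    for inc in incidents:
        inc["kind"] = "multi-vector" if len(inc["vectors"]) > 1 else next(iter(inc["vectors"]))
    return incidents


def mitigation_rules(incident):
    """On-node nftables rules per detected vector (assumed table 'inet filter', chain 'input')."""
    templates = {
        "syn_flood": "nft add rule inet filter input tcp flags & (syn|ack) == syn "
                     "limit rate over 1000/second counter drop",
        "ntp_amplification": "nft add rule inet filter input udp sport 123 counter drop",
    }
    return [templates[v] for v in sorted(incident["vectors"])]


def constructed_capture():
    """Constructed traffic: 2 s of ordinary load, then 3 s of spoofed SYN flood plus
    amplified NTP replies from 100 reflectors landing in the same seconds."""
    pkts = []
    for sec in range(5):
        for i in range(300):  # background: established-flow data packets
            pkts.append(Packet(sec + i / 300, f"10.1.{i % 20}.{i % 250}", "tcp", 40000 + i, 443, 1200, "PA"))
        if sec >= 2:
            for i in range(1500):  # 1500 SYN/s, every source address distinct
                pkts.append(Packet(sec + i / 1500, f"198.18.{i // 256}.{i % 256}", "tcp", 1024 + i, 443, 60, "S"))
            for r in range(100):  # 100 reflectors, 30 x 440-byte replies each = 1.32 MB/s
                for k in range(30):
                    pkts.append(Packet(sec + k / 30, f"203.0.113.{r}", "udp", 123, 5000 + r, 440))
    return pkts


if __name__ == "__main__":
    for inc in detect(constructed_capture()):
        print(inc["kind"], f"t={inc['start']}..{inc['end']}s", inc["vectors"])
        for rule in mitigation_rules(inc):
            print("  ", rule)
```

    Two design points worth noting when adapting this: the SYN rule keys on distinct source count as well as rate, because a spoofed flood spreads across far more addresses per second than a busy legitimate service sees; and the NTP rule drops everything sourced from UDP/123, which also discards legitimate NTP replies, so a rate limit rather than a flat drop is the gentler first step on a host that runs its own time sync.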

  • Remi_Etien 3 hours ago
    [dead]