Flowtriq DDoS Detection Agent — real-time L3/L4/L7 traffic monitoring, incident detection, PCAP capture, and auto-mitigation
Project description
ftagent
Flowtriq DDoS Detection Agent Real-time traffic monitoring, attack detection, PCAP capture, and auto-mitigation for Linux servers.
A valid Flowtriq account and API key are required. Start a free 7-day trial at flowtriq.com.
Requirements
- Linux (Ubuntu 20.04+, Debian 11+, CentOS 8+, or equivalent)
- Python 3.8+
- Root / sudo (required for raw packet capture)
- A Flowtriq account — sign up free
Install
pip (recommended)
pip install ftagent[full]
The [full] extra installs all dependencies including scapy for packet capture and psutil for system metrics.
From source
git clone https://github.com/flowtriq/ftagent.git
cd ftagent
pip install -e .[full]
Quick start
The fastest way to get running is the built-in setup wizard and service installer. No manual config editing needed.
1. Get your API key
Log in to your Flowtriq dashboard → Nodes → Add Node → copy the API key and Node UUID shown.
2. Run the setup wizard
sudo ftagent --setup
This creates /etc/ftagent/config.json with your API key, Node UUID, and sane defaults. It will prompt you for each value.
3. Install as a service
sudo ftagent --install-service
sudo systemctl enable --now ftagent
That's it. The agent will register your node, establish a baseline, and begin monitoring. Your node will appear in the Flowtriq dashboard within 30 seconds.
Manual config (alternative)
If you prefer to create the config manually:
sudo mkdir -p /etc/ftagent
sudo cp packaging/config.example.json /etc/ftagent/config.json
sudo nano /etc/ftagent/config.json
Set api_key and node_uuid to the values from your Flowtriq dashboard.
Verify connectivity
sudo ftagent --test
This sends a test heartbeat to confirm the agent can reach the Flowtriq API.
Check service status
sudo systemctl status ftagent
sudo journalctl -u ftagent -f
Configuration reference
Config file: /etc/ftagent/config.json
| Key | Default | Description |
|---|---|---|
api_key |
— | Required. Your Flowtriq node API key |
node_uuid |
— | Required. Node UUID from your Flowtriq dashboard → Nodes |
api_base |
https://flowtriq.com/api/v1 |
API endpoint |
interface |
"auto" |
Network interface to monitor (eth0, ens3, etc.) or "auto" |
pcap_enabled |
true |
Enable PCAP capture during incidents |
pcap_dir |
/var/lib/ftagent/pcaps |
Directory for PCAP files |
pcap_max_packets |
10000 |
Max packets per PCAP file |
pcap_max_seconds |
60 |
Max seconds per PCAP file |
pcap_retention_days |
7 |
Delete PCAPs older than N days |
log_file |
/var/log/ftagent.log |
Log file path |
log_level |
"INFO" |
Log level: DEBUG, INFO, WARNING, ERROR |
dynamic_threshold |
true |
Auto-adjust detection threshold from traffic baseline |
baseline_window_minutes |
60 |
Rolling window for baseline calculation |
threshold_multiplier |
3.0 |
Alert when PPS exceeds baseline × multiplier |
heartbeat_interval |
30 |
Seconds between heartbeat pings |
metrics_interval |
10 |
Seconds between metrics reports |
CLI flags
sudo ftagent [options]
--setup Interactive setup wizard (creates config)
--install-service Install systemd service unit
--config PATH Config file path (default: /etc/ftagent/config.json)
--test Test API connectivity and exit
--version Show version
How it works
- Baseline: The agent collects traffic metrics and establishes a normal PPS/BPS range for the node.
- L3/L4 Detection: Each metrics window is compared against the baseline. If PPS exceeds
baseline x multiplier, an incident is opened. - L7 Detection: When enabled, the agent tails your web server access log (nginx, Apache, Caddy, LiteSpeed, HAProxy) and detects HTTP floods via request rate spikes, IP concentration, endpoint targeting, and error rate analysis.
- Classification: Attack traffic is classified by protocol distribution, TCP flags, port patterns, packet size, and IP entropy.
- PCAP: A packet capture starts immediately when an incident opens, giving you forensic data for analysis.
- Reporting: The incident is reported to Flowtriq which dispatches alerts to your configured channels (Discord, Slack, Teams, PagerDuty, etc.).
- Mitigation: If you have mitigation rules configured, the agent executes approved firewall commands (iptables, Cloudflare WAF, etc.) immediately.
- Resolution: When traffic returns to baseline, the incident is closed, undo commands run, and the PCAP is uploaded.
Docs
Full documentation: flowtriq.com/docs
Support
- Docs: flowtriq.com/docs
- Issues: github.com/flowtriq/ftagent/issues
- Email: hello@flowtriq.com
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ftagent-1.8.2.tar.gz.
File metadata
- Download URL: ftagent-1.8.2.tar.gz
- Upload date:
- Size: 48.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8c71c0ae1d98a5dc6c7d2cd4f061c4171faaced4a50bd1f22df6a1fb8256f104
|
|
| MD5 |
2ad587a6582e4b384cc3ec125411045c
|
|
| BLAKE2b-256 |
c1f1c728178698a8654af573f14fba6a856e89a4bfe25c767ddce9fb6b8772cb
|
File details
Details for the file ftagent-1.8.2-py3-none-any.whl.
File metadata
- Download URL: ftagent-1.8.2-py3-none-any.whl
- Upload date:
- Size: 46.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
467cc8ba328164f53e6c1ce4156a54744b573336f2d203f31fb204d6eb342828
|
|
| MD5 |
2db6f7d81c1a0e69bbba0391dce2a6e7
|
|
| BLAKE2b-256 |
1a5b9c020fc243a0a1f4683dab9fe7c5a74a74ca6c23f017765b369cc2b7a1a0
|
