The Static Threshold Trap
The simplest approach to DDoS detection is to set a fixed packets-per-second (PPS) threshold. If inbound PPS exceeds 100,000, fire an alert. It is easy to implement, easy to understand, and almost guaranteed to produce either false positives or false negatives depending on what number you pick.
The fundamental problem is that "normal" traffic is not a constant. A game server running a popular title might idle at 5,000 PPS during off-hours and spike to 80,000 PPS when a patch drops and every player reconnects simultaneously. An e-commerce site sees 3x traffic on Black Friday. A media company's CDN origin spikes when a story goes viral. Set your threshold too low and you get paged for every legitimate traffic event. Set it too high and real attacks slide under the radar.
Most teams respond to this problem by setting the threshold high enough to avoid false positives, which means they only detect the largest attacks. A 2x traffic anomaly that would have been an early warning of a slowly ramping attack goes unnoticed because the threshold is set at 5x.
The Math Behind Dynamic Baselines
Flowtriq replaces static thresholds with dynamic baselines built on a sliding window and a 99th-percentile (p99) calculation. The idea is conceptually simple: instead of comparing current traffic to a fixed number, compare it to what traffic looked like recently.
The agent maintains a rolling window of the last 300 PPS samples (one sample per second, covering approximately 5 minutes of traffic). Every 10 ticks (~10 seconds), it recalculates the 99th-percentile value from that window. The detection threshold is then set at a configurable multiplier of the p99 (default 3x).
threshold = p99(last 300 samples) * multiplier
Why p99 instead of a simple average? A mean over the window is dragged down by quiet periods and pulled around by outliers, so a threshold derived from it describes an artificially smoothed midpoint rather than real peaks. The p99 captures the upper boundary of normal traffic, which means the threshold reflects what your actual peak traffic looks like, and legitimate spikes that stay within the range of recent peaks do not trigger it. Keep in mind what the number is, though: the p99 of a 300-sample window is the third- or fourth-highest sample (which one depends on the percentile method), so a few seconds of elevated traffic are enough to lift the baseline for the next five minutes.
- Window size (300 samples): Covers ~5 minutes of traffic history. Long enough to smooth out momentary spikes, short enough to adapt when traffic patterns genuinely change.
- Recalculation interval (every 10 ticks): Balances responsiveness with computational efficiency. The baseline updates roughly every 10 seconds.
- Default multiplier (3x): An anomaly fires when current PPS exceeds 3x the p99 value. Configurable per node to match your environment.
Because the window continuously slides forward, the baseline naturally adapts to gradual legitimate traffic increases. A slow ramp-up shifts the p99 upward over time and avoids triggering alerts. A sudden attack, however, will immediately exceed the threshold because the p99 still reflects the pre-attack traffic pattern. The same property cuts both ways: an attacker who ramps in steps that each stay under the multiplier is absorbed into the baseline exactly like a legitimate ramp, and once attack-rate samples are in the window the p99, and with it the threshold, climbs to the attack level within one or two recalculation intervals. A detector built this way therefore needs to latch the alert state and stop learning from samples it has already flagged, and it is worth keeping an absolute ceiling (such as the line-rate threshold used during bootstrap) in force permanently rather than only at startup.
Convergence Time: 5 Minutes to Useful
One concern with baseline systems is the cold-start problem: what happens when you first deploy the agent and there is no historical data? Flowtriq addresses this with a bootstrap phase. During the first 5 minutes after agent startup, the system collects samples to fill the 300-sample sliding window. During this phase, detection falls back to a conservative static threshold (based on the interface line rate) to provide coverage while the window populates.
After 5 minutes, the window is fully populated and the p99 baseline reflects the node's actual traffic pattern. The agent reports its baseline convergence status in the dashboard so you can see exactly when detection transitions from bootstrap mode to full dynamic baseline detection.
In practice, we find that 5 minutes of baseline learning is sufficient to avoid false positives during normal traffic patterns, and the agent begins providing useful anomaly detection almost immediately after deployment. Note that the window never holds more than the last 5 minutes, so the baseline is a picture of current traffic rather than a model of daily cycles; it follows traffic as it changes instead of remembering yesterday's peak.
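To make the window, the recalculation cadence and the bootstrap fallback concrete, here is an added Python model of the scheme described in this section and the previous one. It is example code written for this article, not Flowtriq's agent: the half-line-rate bootstrap threshold, the `freeze_while_alerting` switch and the traffic trace are assumptions made for illustration. The trace shows a legitimate ramp being absorbed and a flood being caught, and then shows what happens to the raw alert condition when flood samples are allowed into the window.

```python
from collections import deque

WINDOW = 300        # one sample per second, ~5 minutes (value from the article)
RECALC_EVERY = 10   # ticks between p99 recalculations (value from the article)
DEFAULT_MULT = 3.0  # default multiplier (value from the article)


def p99(samples):
    """Nearest-rank 99th percentile, in integer arithmetic to avoid float rounding.
    For 300 samples this is the 297th-smallest value: only three samples sit above it."""
    ordered = sorted(samples)
    rank = (99 * len(ordered) + 99) // 100      # ceil(0.99 * n)
    return ordered[rank - 1]


class DynamicBaseline:
    """Sliding-window p99 baseline with a static bootstrap fallback.

    `freeze_while_alerting` is not something the article describes; it is added
    here to show why a detector must stop learning from samples it has flagged."""

    def __init__(self, line_rate_pps, multiplier=DEFAULT_MULT, window=WINDOW,
                 recalc_every=RECALC_EVERY, bootstrap_fraction=0.5,
                 freeze_while_alerting=False):
        self.samples = deque(maxlen=window)
        self.multiplier = multiplier
        self.recalc_every = recalc_every
        self.freeze_while_alerting = freeze_while_alerting
        self.ticks = 0
        self.baseline = None          # p99 of the window; None until converged
        # ASSUMPTION: the article only says the bootstrap threshold is "conservative"
        # and "based on the interface line rate"; half the line rate is a stand-in.
        self.static_threshold = bootstrap_fraction * line_rate_pps

    @property
    def converged(self):
        return len(self.samples) == self.samples.maxlen

    def threshold(self):
        if self.baseline is None:
            return self.static_threshold
        return self.baseline * self.multiplier

    def observe(self, pps):
        """Feed one per-second PPS sample; return (alert, threshold_used)."""
        thr = self.threshold()        # judged against the pre-sample baseline
        alert = pps > thr
        if alert and self.freeze_while_alerting:
            return alert, thr         # do not let attack traffic train the window
        self.samples.append(pps)
        self.ticks += 1
        if self.converged and self.ticks % self.recalc_every == 0:
            self.baseline = p99(self.samples)
        return alert, thr


def simulate(trace, line_rate_pps=1_000_000, multiplier=DEFAULT_MULT,
             freeze_while_alerting=False):
    """Return the 1-based ticks on which `trace` (per-second PPS samples) alerted."""
    det = DynamicBaseline(line_rate_pps, multiplier,
                          freeze_while_alerting=freeze_while_alerting)
    return [t for t, pps in enumerate(trace, start=1) if det.observe(pps)[0]]


def demo_trace():
    """Constructed sample input, not real traffic: 10 min of jittery idle around
    5,000 PPS, a 3 min legitimate ramp to 10,000, 5 min at the new level, then
    30 s of a sudden 60,000 PPS flood."""
    idle = [5000 + (i * 37) % 400 for i in range(600)]
    ramp = [5000 + (5000 * i) // 180 for i in range(180)]
    plateau = [10000 + (i * 53) % 300 for i in range(300)]
    flood = [60000] * 30
    return idle + ramp + plateau + flood


if __name__ == "__main__":
    trace = demo_trace()
    print("no freeze :", simulate(trace))                              # ticks 1081..1090
    print("freeze    :", simulate(trace, freeze_while_alerting=True))  # ticks 1081..1110
```

Run as a script, the first call alerts on ticks 1081 to 1090 and then goes quiet: ten seconds of 60,000 PPS samples are enough to make the p99 of the window 60,000 and the threshold 180,000, so the flood becomes "normal" after one recalculation. With `freeze_while_alerting=True` the window stops learning from flagged samples and all thirty flood seconds alert. Whether a given agent freezes or latches in this way is a deployment question worth confirming before relying on alert duration.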
Handling Scheduled Traffic Events
Dynamic baselines solve the general case, but some traffic events are both large and predictable. Game patch days, marketing campaigns, and product launches can produce traffic patterns that exceed even generous dynamic thresholds. Flowtriq provides two mechanisms for these situations:
- Maintenance windows: You can schedule windows during which alerting is suppressed. The baselines continue to learn during this period, so they adapt to the new traffic level. Once the window closes, the baselines have already incorporated the higher traffic, reducing the chance of false alerts. The reverse transition is worth remembering: when the event ends and traffic falls back, the p99 stays at the event level for up to five minutes, so detection is briefly less sensitive until those samples leave the window.
- Sensitivity profiles: Each node can be assigned a sensitivity profile that adjusts the multiplier. A game server with known spiky traffic might use a 5x multiplier instead of the default 3x, while a database server with very predictable traffic might use 2x for earlier detection.
What We Track Beyond PPS
PPS is the most commonly cited metric for DDoS detection, but it tells an incomplete story. Flowtriq computes dynamic baselines for multiple metrics simultaneously:
- Packets per second (PPS): The classic volumetric indicator. Useful for detecting packet floods like SYN floods, UDP floods, and ICMP floods.
- Bytes per second (BPS): Critical for detecting amplification attacks where packet counts may not be extreme, but bandwidth consumption is. A memcached amplification attack sending 1400-byte packets might show moderate PPS but astronomical BPS.
- New connections per second: Derived from the rate of inbound TCP SYN packets (SYN set, ACK clear, so SYN/ACK replies are not counted). A SYN flood targeting connection tables will spike this metric even if overall PPS looks normal.
- Protocol ratio: The TCP/UDP/ICMP distribution. A shift from the normal ratio often signals attack traffic that a single-metric detector would miss.
Each metric has its own independent dynamic baseline. An alert fires when any single metric triggers, and the alert includes which metrics deviated and by how much. This gives you immediate context about the type of attack without requiring manual traffic analysis.
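As an added illustration (example code written for this article, not Flowtriq's) of running several independent baselines at once, the Python below turns constructed per-packet records into the four metrics listed above, baselines each one with a nearest-rank p99 over 60 seconds of constructed normal traffic, and reports which metrics crossed the multiplier and by how much. The packet mix, sizes and rates are invented for the example; protocol ratio is modelled as each protocol's share of packets in the second, and new connections as SYN-flagged packets.

```python
from collections import Counter

MULTIPLIER = 3.0  # default multiplier from the article


# Constructed packet records, not captured traffic: (second, proto, length_bytes, is_syn).
# The mix is a TCP-heavy host with ~1,000 packets/s; all numbers are illustrative.
def normal_second(s):
    tcp = 880 + (s * 7) % 41
    syn = 15 + (s * 3) % 11
    udp = 70 + (s * 5) % 21
    icmp = 20
    pkts = [(s, "tcp", 60, True)] * syn
    pkts += [(s, "tcp", 600, False)] * (tcp - syn)
    pkts += [(s, "udp", 300, False)] * udp
    pkts += [(s, "icmp", 64, False)] * icmp
    return pkts


def syn_flood_second(s, rate=1500):
    """Normal traffic plus a SYN flood of small packets: PPS stays under 3x."""
    return normal_second(s) + [(s, "tcp", 60, True)] * rate


def udp_amp_second(s, rate=1500):
    """Normal traffic plus near-MTU UDP amplification responses."""
    return normal_second(s) + [(s, "udp", 1400, False)] * rate


def per_second_metrics(packets):
    """Collapse one second of packet records into the metrics the article lists."""
    n = len(packets)
    protos = Counter(p[1] for p in packets)
    m = {
        "pps": n,
        "bps": sum(p[2] for p in packets) * 8,
        "new_conn_per_s": sum(1 for p in packets if p[3]),
    }
    for proto in ("tcp", "udp", "icmp"):
        m[f"share_{proto}"] = protos[proto] / n if n else 0.0
    return m


def p99(values):
    """Nearest-rank 99th percentile (integer rank arithmetic)."""
    ordered = sorted(values)
    return ordered[(99 * len(ordered) + 99) // 100 - 1]


def evaluate(history, current, multiplier=MULTIPLIER):
    """history: per-second metric dicts for the baseline period; current: the second
    under test. Returns every metric above multiplier * p99, largest deviation first,
    so the alert carries which metrics moved and by how much."""
    deviations = []
    for name, value in current.items():
        thr = p99([h[name] for h in history]) * multiplier
        if thr > 0 and value > thr:
            deviations.append({"metric": name, "value": value,
                               "threshold": thr, "ratio": value / thr})
    return sorted(deviations, key=lambda d: d["ratio"], reverse=True)


def fired_metrics(history, current):
    return [d["metric"] for d in evaluate(history, current)]


if __name__ == "__main__":
    history = [per_second_metrics(normal_second(s)) for s in range(60)]
    for label, pkts in (("normal", normal_second(60)),
                        ("syn flood", syn_flood_second(60)),
                        ("udp amplification", udp_amp_second(60))):
        devs = evaluate(history, per_second_metrics(pkts))
        print(f"{label:18s}", [(d["metric"], round(d["ratio"], 1)) for d in devs])
```

In the SYN flood second the packet rate is about 2.5x the baseline, so a PPS-only detector at 3x stays silent, while new connections per second comes in at tens of times its threshold. In the amplification second PPS is again under 3x but bytes per second and the UDP share both cross, which is the shape the alert context should surface to the responder.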
Practical result: Teams using Flowtriq's dynamic baselines report an average 94% reduction in false-positive alerts compared to their previous static-threshold systems, while catching attacks 40% smaller on average.
Dynamic baselines are available on all Flowtriq plans, starting at $9.99 per node per month. The sensitivity profiles and custom multipliers are configurable through the dashboard or the API. Start your free trial to see how baselines adapt to your specific traffic patterns.