Why ISPs Need Flow-Based Detection
ISPs cannot install agents on customer equipment. The traffic crosses your network through routers you control, heading to servers you do not. The only way to see all of it is through flow telemetry: NetFlow, sFlow, or IPFIX exported from your core and edge routers.
Flow-based detection samples traffic at the router level and exports metadata (source/destination IP, ports, protocol, byte/packet counts, timestamps) to a collector. Flowtriq ingests these flows, builds baselines per-prefix, and detects anomalies that indicate DDoS attacks targeting your customers.
Setting Up Flow Export
NetFlow v9 on Cisco IOS
ip flow-export version 9
ip flow-export destination 10.0.0.50 2055
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
sFlow on Juniper
set protocols sflow collector 10.0.0.50 udp-port 6343
set protocols sflow interfaces ge-0/0/0
set protocols sflow sample-rate ingress 1024
set protocols sflow source-ip 10.0.0.1
IPFIX on MikroTik
/ip traffic-flow set enabled=yes interfaces=ether1
/ip traffic-flow target add dst-address=10.0.0.50 port=4739 version=10
Point all flow exports to your Flowtriq flow source. In the Flowtriq dashboard, go to Settings > Flow Sources and add your router IPs. Flows start appearing within seconds.
What Gets Detected
Flow-based detection at the ISP level catches attacks that per-server agents cannot see:
- Transit link saturation: Attacks that fill your upstream links before reaching any customer server
- Carpet bombing: Distributed attacks across entire customer subnets where no single IP gets enough traffic to trigger per-host detection
- Reflection attacks in transit: Amplification traffic crossing your network destined for customers who do not run agents
- Multi-target campaigns: Attackers shifting between multiple customer IPs in sequence
Flowtriq builds per-prefix baselines from the flow data. When traffic to customer prefix 203.0.113.0/24 normally averages 500 Mbps and suddenly spikes to 5 Gbps, the deviation triggers detection regardless of how the traffic is distributed across IPs within that prefix.
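The per-prefix check described above, as an added example that is not Flowtriq's own code: sampled flow records are summed per customer prefix, scaled back up by the exporter's sampling rate, and compared against a configured baseline. The prefix, baseline, 1:1024 sample rate and flow records are all constructed; the attack set spreads 5 Gbps evenly across every host in the /24 so that no single IP looks busy.

```python
# Added example (not Flowtriq code); prefix, baseline, rate and flows are constructed.
import ipaddress
from collections import defaultdict

PREFIX_BASELINE_BPS = {ipaddress.ip_network("203.0.113.0/24"): 500e6}
SAMPLE_RATE = 1024      # exporter samples 1 packet in 1024
WINDOW_SECONDS = 60     # seconds covered by one batch of flow records
SPIKE_FACTOR = 5.0      # alert when the scaled rate exceeds 5x baseline

def _flows(bytes_per_host):
    """Constructed records: one sampled flow to every host in the /24."""
    return [{"dst": f"203.0.113.{h}", "bytes": bytes_per_host}
            for h in range(1, 255)]

NORMAL_FLOWS = _flows(10_000)    # ~347 Mbps after scaling
ATTACK_FLOWS = _flows(150_000)   # ~5.2 Gbps spread evenly (carpet bombing)

def _scale(sampled_bytes):
    """Sampled bytes -> estimated bits/s: undo sampling, bytes->bits, per second."""
    return sampled_bytes * SAMPLE_RATE * 8 / WINDOW_SECONDS

def _prefix_for(dst):
    addr = ipaddress.ip_address(dst)
    return next((n for n in PREFIX_BASELINE_BPS if addr in n), None)

def prefix_rates_bps(flows):
    """Estimated bits/s per customer prefix over the window."""
    totals = defaultdict(int)
    for f in flows:
        net = _prefix_for(f["dst"])
        if net is not None:
            totals[net] += f["bytes"]
    return {net: _scale(b) for net, b in totals.items()}

def max_host_mbps(flows):
    """Busiest single destination IP in Mbps: the number a per-host check sees."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return max(_scale(b) for b in totals.values()) / 1e6

def detect(flows):
    """(prefix, observed Mbps, baseline Mbps) for each prefix above threshold."""
    alerts = []
    for net, bps in prefix_rates_bps(flows).items():
        baseline = PREFIX_BASELINE_BPS[net]
        if bps > baseline * SPIKE_FACTOR:
            alerts.append((str(net), round(bps / 1e6), round(baseline / 1e6)))
    return alerts
```

With the attack set, `detect` reports the /24 at roughly 5.2 Gbps against a 500 Mbps baseline while `max_host_mbps` shows the busiest single IP at about 20 Mbps, which is the carpet-bombing gap per-host detection misses.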
Automated BGP Mitigation
When Flowtriq detects an attack targeting a customer prefix, it can automatically:
- Push BGP FlowSpec rules to your edge routers to drop attack traffic matching specific criteria (protocol, source port, packet size)
- Announce RTBH routes for the target IP to your upstreams, dropping all traffic to that IP at the upstream edge
- Divert to scrubbing via BGP announcement to a cloud scrubbing provider (Cloudflare Magic Transit, etc.)
The mitigation type is configurable per-customer prefix. High-value customers get FlowSpec (surgical filtering). Lower-tier customers get RTBH if FlowSpec is not available on your upstream sessions.
Per-Subscriber Visibility
Map customer prefixes to customer names in the Flowtriq dashboard. When an attack targets 203.0.113.50, the incident shows "Attack on CustomerCo Web Server" instead of just an IP address. This makes incident communication faster and more accurate.
For ISPs offering DDoS protection as a service, set up per-customer workspaces. Each customer sees only their own prefixes, their own incidents, and their own traffic data. You maintain fleet-wide visibility across all customers.
FAQ
What sampling rate should I use?
For DDoS detection, 1:1000 to 1:4096 sampling is sufficient. Denser sampling (a lower ratio such as 1:100) gives more granular data but increases collector load. The NetFlow blind spots article covers sampling trade-offs in detail.
Can I combine flow-based and agent-based detection?
Yes, and this is the recommended approach. Flow data from routers provides network-wide visibility. ftagent on customer servers (where installed) provides per-second kernel-level detection. Flowtriq correlates both data sources.
How many flows per second can Flowtriq handle?
Flowtriq flow sources handle millions of flows per second. For ISPs with high-volume NetFlow export, multiple flow sources can be configured for load distribution.
Deploy ISP-scale DDoS detection. Point your router flow exports at Flowtriq and have network-wide visibility in minutes. Start your free 14-day trial.