
The support interaction timeline of a real DDoS incident

To understand why ticket caps matter, consider what actually happens during a multi-vector DDoS attack against a hosting provider. This is a composite scenario based on common incident patterns.

  • T+0:00 - Attack begins: Detection fires. Automated mitigation engages. The NOC sees the alert and confirms it is a real attack, not a traffic spike from a legitimate event.
  • T+0:05 - Support interaction #1: The attack is multi-vector: UDP amplification plus a SYN flood. The automated FlowSpec rules caught the UDP component but the SYN flood is getting through. The NOC opens a support ticket to ask about threshold tuning for the SYN component.
  • T+0:25 - Support interaction #2: The vendor suggests adjusting the SYN threshold. The NOC applies it and the SYN flood is mitigated, but now a legitimate customer's traffic is being caught by the new rule. A second support interaction is needed to review the false positive.
  • T+1:30 - Support interaction #3: The attack shifts vectors. The attacker rotates to DNS amplification. New rules are needed. The NOC contacts support again.
  • T+3:00 - Attack ends: The incident is resolved. The NOC needs help reviewing what happened, tuning thresholds to prevent false positives going forward, and generating documentation for the customer's SLA credit request.
  • T+3:30 - Support interaction #4: Post-incident review and threshold adjustment to prevent repeat false positives.

That is four support interactions from a single incident. On a plan with 1 to 3 tickets per month, this single event exhausts or exceeds the monthly allocation. And the month is not over.

The vendors that cap support and why

Support ticket caps are not unique to one vendor. They appear across the DDoS detection market in different forms:

  • FastNetMon Advanced includes 1 ticket per month on their $115/month plan, 2 on their $220/month plan, and 3 on their $350/month plan, according to their published pricing. Additional tickets require a custom sales quote.
  • Andrisoft Wanguard includes Standard Support with no published ticket cap, but does not publish response time SLAs for standard or priority tiers. Their Enterprise Support tier (with a guaranteed sub-one-hour response) is a separate paid add-on at undisclosed pricing.

These are reasonable business decisions. Support is expensive. Engineers who can troubleshoot BGP FlowSpec rules and packet-level DDoS analysis are not cheap to employ. Capping tickets or tiering support is how vendors manage that cost.

The problem is that DDoS incidents do not respect the cap. Attacks are unpredictable, they generate multiple support needs per event, and they concentrate in bursts rather than spreading evenly across the month.

What "unlimited support" should actually mean

When evaluating vendors that advertise unlimited support, verify what that means in practice. The term is only useful if it includes:

  1. No monthly ticket cap. You can open as many support interactions as you need without overage charges or waiting for the next billing cycle.
  2. Published response time commitments. Unlimited tickets with no response time guarantee is just an unlimited queue. Look for specific SLAs.
  3. Incident support, not just configuration support. Some vendors treat active-attack support as a separate (paid) tier from general support. Ask explicitly.
  4. Multi-channel access. Email-only support with a "best effort" SLA is not useful during a 3 AM incident. Look for real-time channels your NOC already uses.
  5. No per-user gating. If only the account owner can open tickets but your NOC has 5 people, that is a bottleneck during an incident.

The math: capped support vs. attack frequency

NETSCOUT's threat intelligence data shows that 70% of DDoS attacks last fewer than 15 minutes. But attack frequency varies dramatically by industry:

  • Hosting providers and ISPs often see 5 to 20+ attack events per month across their customer base
  • Gaming infrastructure can see daily attacks, especially around competitive events and new releases
  • Financial services see fewer but more sophisticated attacks that generate more support interactions per event
  • E-commerce sees seasonal spikes that correlate with sales events and competitor activity

Even if 80% of attacks are handled fully by automation, the remaining 20% generate support interactions. For a hosting provider seeing 15 attacks per month, that is 3 events requiring human support. On a plan with 1 to 3 tickets, you are already at the limit without a single proactive configuration question.
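The same arithmetic as a probability, in an added example that is not part of the original post: it goes beyond the 15 x 20% = 3 average and computes how likely a month is to exceed a 1, 2 or 3 ticket cap. It assumes each attack independently needs human support with the page's 20% probability, and it takes the 4 interactions per event from the timeline above; the function names are illustrative.

```python
from math import comb


def p_more_than(n_attacks: int, p_escalate: float, events: int) -> float:
    """P(X > events) where X ~ Binomial(n_attacks, p_escalate)."""
    within = sum(
        comb(n_attacks, k) * p_escalate**k * (1 - p_escalate) ** (n_attacks - k)
        for k in range(events + 1)
    )
    return 1.0 - within


def p_cap_exceeded(n_attacks: int, p_escalate: float,
                   tickets_per_event: int, cap: int) -> float:
    """Probability that the month's tickets exceed the plan's cap."""
    # Tickets = tickets_per_event * X, so the cap pays for this many whole events.
    covered_events = cap // tickets_per_event
    return p_more_than(n_attacks, p_escalate, covered_events)


def expected_tickets(n_attacks: int, p_escalate: float,
                     tickets_per_event: int) -> float:
    """Average tickets per month under the same assumptions."""
    return n_attacks * p_escalate * tickets_per_event


if __name__ == "__main__":
    ATTACKS, ESCALATION_RATE = 15, 0.20  # figures from the paragraph above
    # 1 ticket per event is the paragraph's implicit best case;
    # 4 per event is the composite timeline's count.
    for per_event in (1, 4):
        avg = expected_tickets(ATTACKS, ESCALATION_RATE, per_event)
        print(f"{per_event} ticket(s) per escalated event, average {avg:.0f}/month")
        for cap in (1, 2, 3):
            p = p_cap_exceeded(ATTACKS, ESCALATION_RATE, per_event, cap)
            print(f"  cap {cap}: exceeded in {p:.0%} of months")
```

Attacks that arrive in bursts, as described earlier, break the independence assumption, so treat these figures as a planning estimate rather than a forecast.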

The hidden cost of self-reliance

When support is capped, operators naturally conserve tickets. They try to solve problems themselves. They spend hours reading documentation instead of asking a question that support could answer in minutes. They make configuration changes they are not sure about because opening a ticket feels like a limited resource.

This behavior is rational given the constraint, but it has real costs:

  • Longer incident resolution. Troubleshooting alone takes longer than troubleshooting with the vendor who built the software.
  • Suboptimal configuration. Operators who avoid support tend to leave default thresholds in place rather than risk a ticket on tuning. Defaults are rarely optimal for any specific network.
  • Accumulated technical debt. Small configuration issues that would take 5 minutes with support turn into workarounds that persist for months.
  • Higher churn. Operators who feel unsupported look for alternatives, which is more expensive for the vendor than the support they saved.

Every Flowtriq plan includes unlimited support

No ticket caps. No paid support tiers. No per-user restrictions. Detection, mitigation, dashboard, PCAP forensics, and support from the people who built it. $9.99/node/month.


What to negotiate before signing

If you are evaluating a vendor with capped or tiered support, negotiate these terms before you sign:

  • Incident exemption clause. Ask if support tickets opened during an active attack count against your monthly cap. Some vendors will agree to exempt incident-related tickets.
  • Rollover. Ask if unused tickets roll over to the next month. Most vendors do not offer this, but it is worth asking.
  • Overage pricing in writing. If additional tickets are available "by custom quote," get the price in the contract, not on a phone call during an emergency.
  • Escalation path. Know who you reach at each tier and what the escalation path looks like if your primary support contact cannot resolve the issue.

Frequently asked questions

Why does DDoS protection need unlimited support?
DDoS attacks generate unpredictable support needs. A single multi-vector attack can require threshold tuning, FlowSpec rule validation, false positive review, and post-incident analysis. Vendors that cap support at 1-3 tickets per month force customers to choose between using tickets for routine operations and saving them for emergencies.

How many support interactions does a typical DDoS incident generate?
A single DDoS incident can generate 2-5 support interactions: initial alert validation, mitigation tuning, false positive review during the attack, post-attack threshold adjustment, and incident documentation review. Complex multi-vector attacks that shift vectors mid-incident may require more.

Do any DDoS vendors limit support tickets per month?
Yes. FastNetMon Advanced includes 1 ticket per month on their 10 Gbps plan ($115/month), 2 on their 40 Gbps plan ($220/month), and 3 on their 100 Gbps plan ($350/month). Andrisoft Wanguard includes free Standard Support but charges extra for Priority and Enterprise tiers with guaranteed response times. These are publicly documented on each vendor's website.

What should I look for in DDoS vendor support?
Look for: no ticket caps, published response time SLAs on every plan (not just enterprise), support availability through channels your NOC uses, incident-specific support that is not billed separately, and no per-user gating on who can open tickets.

Is unlimited support just a marketing term?
It can be. Verify that "unlimited" means no monthly ticket cap, includes a published response time SLA, covers incident support (not just configuration), and allows any team member to open tickets. If "unlimited" comes with a 72-hour response time and email-only access, it is unlimited in name only.

The bottom line

DDoS protection is one of the few security products where you predictably need vendor support during the exact moment when things are going wrong. A cap of 1 to 3 tickets per month is a constraint designed for a product that generates predictable, low-frequency support needs. DDoS detection does not fit that pattern.

If your vendor caps support, you are making a bet that your attacks will be simple enough for automation to handle and infrequent enough that you will never exceed your allocation. For some networks, that bet pays off. For hosting providers, ISPs, gaming infrastructure, and anyone in a frequently targeted industry, it is a bet against the odds.