pfSense CE + Plus | NetFlow v5 / v9 | 5 min setup

DDoS Detection for pfSense

Turn your pfSense firewall into a DDoS detection sensor. Export NetFlow to Flowtriq's agent for real-time attack classification, automated mitigation, and instant alerts across all your notification channels.

How It Works

pfSense (firewall + softflowd) → NetFlow export (UDP v5/v9 flows) → ftagent (Linux host, any server) → Flowtriq Dashboard (detection + alerts + mitigation)

Setup

Three steps to DDoS protection

1. Install ftagent

Install ftagent on any Linux server on your network. A VM, container, or bare-metal box all work. One command to install:

curl -sL https://get.flowtriq.com | sudo bash

2. Configure pfSense

Install the softflowd package via System > Package Manager. Then configure it under Services > softflowd: set the target to your ftagent host IP and port.

3. See attacks in your dashboard

Within minutes, traffic data appears in Flowtriq. Baselines build automatically. Attacks are detected, classified, and trigger your configured alert channels and mitigation policies.
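What softflowd exports in step 2 is flow metadata only: addresses, ports, protocol, TCP flags, and packet and byte counts. The following Python script is an added example, not Flowtriq's code or part of ftagent; it decodes a NetFlow v5 datagram and totals packets per destination and protocol, which is the kind of volume view a collector can build from these records. It handles v5 only (v9 is template-based), and the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: record count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return flows

def packets_per_target(flows):
    """Sum packets per (destination IP, IP protocol) across the decoded flows."""
    totals = Counter()
    for flow in flows:
        totals[(flow["dst"], flow["proto"])] += flow["packets"]
    return totals

def build_sample():
    """Constructed datagram (documentation addresses), not captured traffic."""
    def rec(src, dst, pkts, octets, sport, dport, flags, proto):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           1, 2, pkts, octets, 0, 1000, sport, dport,
                           0, flags, proto, 0, 0, 0, 0, 0, 0)
    records = [
        rec("198.51.100.7", "192.0.2.10", 9000, 360000, 40000, 443, 0x02, 6),
        rec("198.51.100.8", "192.0.2.10", 7000, 280000, 40001, 443, 0x02, 6),
        rec("203.0.113.5", "192.0.2.10", 50, 6000, 53, 33000, 0x00, 17),
    ]
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)

if __name__ == "__main__":
    for key, pkts in packets_per_target(parse_v5(build_sample())).most_common():
        print(key, pkts)
```

Each record carries counters and header fields but no payload bytes, which is why the NetFlow path cannot provide PCAP evidence or per-packet payload inspection.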


Capabilities

What you get with this integration

Real-Time Attack Detection

Flowtriq analyzes NetFlow data from your pfSense to detect volumetric DDoS attacks in real time. Dynamic baselines learn your normal traffic patterns and alert on anomalies.

Attack Classification

Every detected attack is classified into one of 7+ families: SYN floods, UDP amplification, DNS reflection, NTP monlist, ICMP floods, GRE floods, and fragmentation attacks. Each classification includes protocol-level confidence scores.

Automated Mitigation

Configure 4-level auto-escalation: start with local firewall rules, escalate to BGP FlowSpec, then RTBH blackholes, then cloud scrubbing. All triggered automatically based on attack severity.

Multi-Channel Alerting

Get notified instantly via Discord, Slack, PagerDuty, OpsGenie, email, SMS, or webhooks. Alert messages include attack type, target IP, traffic volume, and recommended actions.

Incident History

Every attack is logged with full timeline, traffic charts, and classification details. Review past incidents, compare attack patterns, and track trends over time.

Traffic Analytics

Visualize your traffic patterns with per-protocol breakdown, top talkers, bandwidth utilization, and PPS charts. All built from the NetFlow data your pfSense is already exporting.

Expectations

NetFlow integration vs direct agent install

The pfSense integration gives you full DDoS detection with some tradeoffs compared to installing ftagent directly on a server.

What you get

  • Real-time volumetric DDoS detection
  • Full attack classification (7+ families)
  • Automated mitigation via BGP FlowSpec, RTBH, and cloud scrubbing
  • Multi-channel alerting (Discord, Slack, PagerDuty, and more)
  • Traffic analytics and incident history
  • Network-wide visibility from your gateway

What you trade off

  • No PCAP packet captures for forensic analysis
  • 15-60 seconds additional detection latency
  • No per-packet payload inspection
  • No on-host firewall rule deployment on pfSense itself

For sub-second detection and PCAP evidence, install ftagent directly on your critical servers in addition to the pfSense integration.

Protect your pfSense network today

Real-time DDoS detection and automated mitigation starting at $9.99/node/month. Free 14-day trial with no credit card required.

Built by the team behind CVE-2024-45163 | Trusted by ISPs and hosting providers worldwide

FAQ

Frequently Asked Questions

Can I install Flowtriq directly on pfSense?

No. pfSense runs on FreeBSD, and Flowtriq's agent (ftagent) requires Linux. Install ftagent on any Linux machine on your network and point pfSense's NetFlow export to it. A small VM, container, or dedicated box all work.

What attacks can Flowtriq detect via NetFlow from pfSense?

Flowtriq detects all volumetric DDoS attack families via NetFlow: SYN floods, UDP amplification (DNS, NTP, memcached, CLDAP), ICMP floods, GRE floods, fragmentation attacks, and more. Attack classification uses flow metadata including protocol, ports, packet sizes, and traffic volume.

Does pfSense Plus support this integration?

Yes. Both pfSense Community Edition and pfSense Plus support the softflowd package. The setup process is identical for both. Flowtriq works with pfSense 2.7 and all current pfSense Plus releases.

What is the added latency for detection?

NetFlow export from pfSense adds 15 to 60 seconds of detection latency compared to direct packet capture. For volumetric DDoS attacks, which typically last minutes to hours, this is fast enough to trigger automated mitigation. Softflowd's export interval can be tuned to reduce latency at the cost of higher CPU usage.

Do I need a separate server for ftagent?

ftagent is lightweight and can run on a VM, container, or any existing Linux server on your network. It needs minimal resources: 1 CPU core, 512 MB RAM, and network reachability from your pfSense box. Many users run it on an existing monitoring server or a small VPS.

Can Flowtriq push firewall rules back to pfSense?

Not directly. Flowtriq's automated mitigation deploys iptables/nftables rules on the ftagent host, BGP FlowSpec or RTBH via your BGP speaker, or cloud scrubbing via API. For pfSense-level blocking, you can use Flowtriq's webhook alerts to trigger pfSense API calls via a custom script.