Global Flood Thresholds
Per-IP PPS/BPS limits; fires a DDoS alert when exceeded.
An alert fires when a single remote IP sends more than these rates within one second. PPS = packets/sec, BPS = bytes/sec.
PPS Threshold
BPS Threshold
Local Prefixes
Per-Prefix Thresholds (blank = use global threshold)
Columns: Prefix, PPS Threshold, BPS Threshold, Effective
EWMA Per-IP Spike Detection
Fires when a single IP's rate spikes above its personal baseline.
Each IP builds an exponentially weighted moving average of its own traffic. When the current rate is Z standard deviations above that average, an anomaly is raised. Absolute minimums prevent alerts on trivially low-volume traffic spikes.
Z-Score Trigger (σ): raise to reduce false positives (recommended ≥ 5). Default: 6.0
Min PPS Floor (pps): skip the EWMA spike check if per-IP PPS is below this. Default: 5 000
Min BPS Floor (MB/s): skip the EWMA spike check if per-IP throughput is below this value in MB/s (megabytes/sec). Default: 50 MB/s ≈ 400 Mbps
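An added example (not the tool's own code) of the per-IP EWMA check described above, in Go, using the page's defaults. The smoothing factor alpha, the warm-up sample count and the 1 pps σ floor are assumptions that are not on the page.

```go
package main

import "math"

// Defaults from the dashboard; alpha, warmupSamples and minStd are assumptions.
const (
	alpha         = 0.1    // EWMA smoothing factor (assumed)
	warmupSamples = 10     // seconds of history before an IP may alert (assumed)
	minStd        = 1.0    // σ floor in pps so a flat baseline still gives a finite z (assumed)
	zScoreThr     = 6.0    // Z-Score Trigger σ
	minPPSFloor   = 5000.0 // Min PPS Floor (pps)
	minBPSFloor   = 50e6   // Min BPS Floor: 50 MB/s expressed in bytes/sec
)

// baseline is one IP's exponentially weighted mean and variance of its PPS.
type baseline struct {
	mean, variance float64
	samples        int
}

// SpikeDetector keeps a personal baseline per remote IP.
type SpikeDetector struct{ ips map[string]*baseline }

func NewSpikeDetector() *SpikeDetector { return &SpikeDetector{ips: map[string]*baseline{}} }

// Observe feeds one second of traffic for ip and returns whether a spike
// anomaly fires and the z-score evaluated. The absolute floors and the
// warm-up are checked before the z-score so low-volume spikes never alert.
func (d *SpikeDetector) Observe(ip string, pps, bps float64) (bool, float64) {
	b, ok := d.ips[ip]
	if !ok {
		b = &baseline{mean: pps} // seed the mean with the first observation
		d.ips[ip] = b
	}
	std := math.Max(math.Sqrt(b.variance), minStd)
	z := (pps - b.mean) / std
	if b.samples >= warmupSamples && pps >= minPPSFloor && bps >= minBPSFloor && z > zScoreThr {
		return true, z // design choice: an anomalous second is not folded into the baseline
	}
	// Fold this second into the EWMA mean and variance (pre-update deviation).
	diff := pps - b.mean
	b.mean += alpha * diff
	b.variance = (1 - alpha) * (b.variance + alpha*diff*diff)
	b.samples++
	return false, z
}
```

Keeping alerted seconds out of the baseline stops a sustained flood from becoming the IP's new normal; the trade-off is one alert per second for as long as the flood lasts.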
Global Burst / BPS Spike Detection
Fires on sudden global traffic surges.
Compares the current-second inbound PPS/BPS against a rolling 5-second average and against the previous second. Both checks need absolute minimums to avoid noise during quiet-to-busy transitions.
PPS Ratio Trigger (×avg): current PPS vs the 5 s rolling average. Default: 8×
PPS Spike Trigger (×prev): current PPS vs the previous second. Default: 5×
PPS Floor (pps): minimum PPS before evaluating bursts. Default: 50 000
BPS Spike Floor (MB/s): minimum throughput in MB/s for the single-second BPS spike check. Default: 500 MB/s ≈ 4 Gbps
BPS Burst Floor (GB/s): minimum throughput in GB/s for the rolling-average BPS burst check. Default: 1 GB/s ≈ 8 Gbps
Scan Detection
Fan-out (host scan) and port scan per external IP.
Fan-out scan: one external IP reaching N unique local hosts per second. Port scan: one external IP hitting N unique TCP service ports per second (ephemeral ports excluded). Raise the thresholds if CDN/monitoring probes trigger false positives.
Fan-Out Threshold (unique dst IPs/s): alert when one src IP hits more than N unique local IPs/s. Default: 150
Fan-Out Min PPS/IP (pps per dst IP): skip fan-out if the average PPS per dst IP is below this (filters CDN 1-packet probes). Default: 3
Port Scan Threshold (unique ports/s): alert when one src IP probes more than N unique service ports/s via TCP. Default: 100
Entropy Analysis
Shannon entropy collapse on the global dst port / dst IP distribution.
When almost all inbound traffic converges on one port or one local IP, the Shannon entropy H (bits) drops sharply below its rolling baseline. An alert triggers when Z < EntropyZThr and H < MaxH. Requires EntropyMinSamples baseline windows before alerting (cold-start guard). Only service ports < 32768 trigger port entropy alerts.
Port Entropy Max H (bits): H below this means almost all traffic is on a few ports. Default: 3.0 (≤ 8 dominant ports)
IP Entropy Max H (bits): H below this means more than 50% of traffic goes to one local IP. Default: 1.0 bit
Z-Score Threshold (σ below baseline): negative; entropy must fall this many σ below the baseline. Default: -3.0
Min Inbound PPS (pps): skip entropy analysis when global inbound PPS is below this. Default: 5 000
Min Baseline Samples: warm-up windows before alerting (1 sample ≈ 1 s). Default: 30
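An added example (not the tool's own code) of the port entropy check described in this section, in Go, with the page's defaults: Shannon H over one second's dst-port histogram with ephemeral ports excluded, a Welford running baseline, the cold-start guard and the Min Inbound PPS floor. The 0.05-bit σ floor is an assumption not on the page.

```go
package main

import "math"

// Defaults from the dashboard; minStdBits is an assumption, not a page setting.
const (
	portEntropyMaxH   = 3.0   // Port Entropy Max H (bits)
	entropyZThr       = -3.0  // Z-Score Threshold (σ below baseline, negative)
	entropyMinPPS     = 5000  // Min Inbound PPS
	entropyMinSamples = 30    // Min Baseline Samples (1 sample ≈ 1 s window)
	servicePortLimit  = 32768 // only dst ports below this feed port entropy
	minStdBits        = 0.05  // σ floor so a perfectly flat baseline gives a finite z
)
// ShannonBits returns H (bits) of a per-second dst-port packet histogram, ignoring ephemeral ports (>= servicePortLimit).
func ShannonBits(hist map[uint16]int) float64 {
	total := 0
	for port, n := range hist {
		if port < servicePortLimit {
			total += n
		}
	}
	h := 0.0
	for port, n := range hist {
		if port < servicePortLimit && n > 0 {
			p := float64(n) / float64(total)
			h -= p * math.Log2(p)
		}
	}
	return h
}
// EntropyDetector keeps a rolling baseline of H (Welford running mean/variance).
type EntropyDetector struct{ n int; mean, m2 float64 }
// Window evaluates one 1-second histogram and returns (alert, H, z). No alert
// can fire until entropyMinSamples baseline windows exist (cold-start guard).
func (e *EntropyDetector) Window(hist map[uint16]int, inboundPPS int) (bool, float64, float64) {
	h, z := ShannonBits(hist), 0.0
	if e.n >= entropyMinSamples {
		std := math.Max(math.Sqrt(e.m2/float64(e.n)), minStdBits)
		z = (h - e.mean) / std
		if inboundPPS >= entropyMinPPS && z < entropyZThr && h < portEntropyMaxH {
			return true, h, z // design choice: a collapsed window is not folded into the baseline
		}
	}
	e.n++ // Welford update of the baseline (also runs during cold start)
	delta := h - e.mean
	e.mean += delta / float64(e.n)
	e.m2 += delta * (h - e.mean)
	return false, h, z
}
```

The same structure serves the IP-entropy check by keying the histogram on local dst IP and comparing against IP Entropy Max H instead.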
Botnet / Coordinated Onset Detection
Synchronized new-source-IP burst signal.
Fires when N or more brand-new source IPs appear within a single 1-second window AND global inbound PPS exceeds the floor. The Max PPS/src guard is critical: real botnets send very few packets per bot (1–20 pps each), while legitimate CDN clients send much more. Set Max PPS/src low to catch bots without alarming on CDN bursts.
New Src IP Threshold (IPs/s): minimum new source IPs appearing in 1 s to trigger. Default: 500
Min Global PPS (pps): minimum global inbound PPS alongside the onset. Default: 100 000
Max PPS per New Src (pps/src): skip if the average PPS per new source exceeds this (CDN clients send >100 pps each). Default: 20
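An added example (not the tool's own code) of the onset check above in Go, using the page's defaults. How long a source stays "known" before it counts as new again (knownSrcTTL) is an assumption not on the page; the source addresses are constructed from the 198.18.0.0/15 benchmark range.

```go
package main

import "fmt"

// Defaults from the dashboard; knownSrcTTL is an assumption, not a page setting.
const (
	newSrcThreshold = 500    // New Src IP Threshold (IPs/s)
	onsetMinPPS     = 100000 // Min Global PPS
	maxPPSPerNewSrc = 20.0   // Max PPS per New Src (pps/src)
	knownSrcTTL     = 3600   // seconds before a quiet source counts as new again (assumed)
)

// OnsetDetector remembers when each source IP was last seen.
type OnsetDetector struct{ lastSeen map[string]int64 }

func NewOnsetDetector() *OnsetDetector { return &OnsetDetector{lastSeen: map[string]int64{}} }

// Window evaluates one 1-second window. srcPkts maps every source IP seen
// this second to its packet count; globalPPS is total inbound packets.
// Returns (alert, brand-new source count, average pps per new source).
func (o *OnsetDetector) Window(now int64, srcPkts map[string]int, globalPPS int) (bool, int, float64) {
	newCount, newPkts := 0, 0
	for ip, n := range srcPkts {
		if last, seen := o.lastSeen[ip]; !seen || now-last > knownSrcTTL {
			newCount++
			newPkts += n
		}
		o.lastSeen[ip] = now
	}
	if newCount == 0 {
		return false, 0, 0
	}
	avg := float64(newPkts) / float64(newCount)
	// The Max PPS/src guard: bots send 1–20 pps each, CDN clients >100 pps each.
	alert := newCount >= newSrcThreshold && globalPPS >= onsetMinPPS && avg <= maxPPSPerNewSrc
	return alert, newCount, avg
}

// SyntheticSources builds a constructed window of n sources in 198.18.0.0/15
// (benchmark range) each sending pps packets.
func SyntheticSources(n, pps int) map[string]int {
	m := make(map[string]int, n)
	for i := 0; i < n; i++ {
		m[fmt.Sprintf("198.18.%d.%d", i/256, i%256)] = pps
	}
	return m
}
```

In a long-running collector the lastSeen map needs periodic eviction of entries older than knownSrcTTL, otherwise a spoofed-source flood grows it without bound.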
Local Network Prefixes
CIDRs owned by your network. Traffic to these prefixes is classified as inbound; traffic from these prefixes is classified as outbound. Changes apply immediately without restart.
Capacity Reference
1 Gbps: 10,000 buf · 4 workers
10 Gbps: 50,000 buf · 8 workers
40 Gbps: 200,000 buf · 16 workers
100 Gbps: 500,000 buf · 32 workers
Collector (UDP)
Raw UDP packet channel and parse worker count. The flow channel is automatically sized to buffer_size × 10 (flow chan = buffer × 10). Workers are the goroutines parsing UDP packets.
Processor (Flow pipeline)
Parallel goroutines that enrich flows (GeoIP) and run anomaly detection. Each worker maintains its own ClickHouse batch.
⚠ These settings require a container restart to take effect. Go channel sizes cannot be changed at runtime. Changes are saved to config.yaml immediately.
Incident Control
Correlation engine: cases grouped by victim /24 subnet, scored by severity and confidence; auto-refresh every 5 s.
Active Cases: currently tracked
Escalated: high severity
Avg Composite Score: across active cases
Peak Inbound
Attack Cases
Columns: ID, State, Type, Victim Subnet, Vectors, Peak PPS, Peak BPS, Events, Sources, Duration, Score, Actions
Mitigation Hub (BGP STUB)
BGP RTBH / FlowSpec actions (Phase 7): auto-mitigate when composite score ≥ 80; manual trigger available.
Active Mitigations: currently applied
RTBH Rules: blackhole routes
FlowSpec Rules: filter rules
Total Audit Events: logged actions
Manual Mitigation
Apply RTBH or FlowSpec to any prefix.