
flowwler

A DDoS detection and mitigation daemon that ingests NetFlow v5/v9/IPFIX and sFlow v5 traffic data, detects attacks via configurable threshold escalation, and triggers BGP mitigations via an embedded GoBGP BGP server - no external daemon required.

flowwler is not a traffic analytics or network insight tool. It does not provide traffic visualisation, capacity planning, or historical flow analysis. For those use cases, run a dedicated tool such as Akvorado alongside flowwler - both consume the same NetFlow/sFlow data and are designed to complement each other.

Features

  • Dual-protocol ingestion - NetFlow v5/v9/IPFIX and sFlow v5 on independent UDP sockets
  • Sliding-window rate aggregation - configurable window depth with sampling rate scaling; duration-based normalization is intentionally omitted (routers reset byte/packet counters at each active-timeout export)
  • Asymmetric smoothing - fast attack detection (α=0.9) with stable withdrawal to avoid oscillation (α=0.2)
  • Per-group, per-victim escalation - Idle → Active → HoldDown → Idle state machine with configurable hold times and escalate-after timers; levels with no mitigation block fire notifications only (alert-only mode)
  • Three mitigation types - BGP host blackhole (/32 for IPv4, /128 for IPv6), subnet blackhole (auto-derives the covering /24 or /48), FlowSpec discard/rate-limit with dynamic top-N source rule refresh
  • Subnet auto-discovery - per-group prefix population from IRR (AS-SET expansion via WHOIS) and NetBox IPAM; background refresh every 12 hours
  • Per-group BGP route attributes - set ASN (AS-PATH prepend), NO_EXPORT, and NO_ADVERTISE per group for downstream customer mitigations
  • Router discard detection - flows with no output interface are counted separately and expose mitigation effectiveness metrics
  • Notifications - webhook, Telegram, PagerDuty, Pushover, Alertmanager, MS Teams, Slack, and Jira; fired on every escalation state change with per-target health tracking
  • Hot-reload - SIGHUP re-parses config, reconciles BGP peers live, and immediately withdraws all active mitigations for removed groups; restart required only for local_asn/router_id changes
  • Prometheus metrics - per-router, per-group (inbound + outbound), per-victim gauges and counters
  • Persistent attack history - SQLite-backed storage of all attack sessions and state-transition events; queryable via REST API; configurable retention (default 90 days). Attacks (detection events) and mitigations (BGP actions) are distinct: an attack is always recorded; a mitigation is only triggered when the escalation level has a mitigation: block. Every mitigation links back to its attack via attack_id.
  • REST API - inspect and filter escalation state, router liveness, group subnets, prefix sources, notification target health, and active config; attack history; manually trigger/withdraw mitigations; API-triggered reload
  • Dual-stack - all listeners default to [::]

How it works

flowwler listens for NetFlow and sFlow datagrams, aggregates traffic per destination IP using a sliding window with asymmetric smoothing, and runs a per-victim state machine that escalates through configured levels when thresholds are exceeded. When a level triggers, it announces a BGP route - blackhole, subnet-blackhole, or FlowSpec - to the connected customer router via the embedded GoBGP server. No external BGP daemon or database required.

See How it works for a full description of the pipeline, escalation mechanics, FlowSpec source selection, router discard detection, and design rationale.
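The escalation mechanics described above, as an added illustration that is not flowwler's own code: an asymmetric exponential moving average (0.9 on a rising sample, 0.2 on a falling one) feeding a per-victim Idle → Active → HoldDown → Idle state machine with a hold time, an escalate-after dwell timer, and an alert-only first level. The type and field names (Smoother, Victim, Level, ThresholdPPS, HoldTime, EscalateAfter), the use of packets per second as the metric, the two-level configuration and the per-second sample series are all assumptions constructed for the example; the daemon's real config keys and internals are on the How it works page.

```go
package main

import (
	"fmt"
	"time"
)

// Smoother is an asymmetric EMA: a rising sample is weighted AlphaUp (0.9) so an
// attack registers within a window or two, a falling one AlphaDown (0.2) so a
// short lull does not flap the mitigation. Value starts at 0 for an unseen victim.
type Smoother struct{ AlphaUp, AlphaDown, Value float64 }

func (s *Smoother) Update(sample float64) float64 {
	a := s.AlphaDown
	if sample > s.Value {
		a = s.AlphaUp
	}
	s.Value = a*sample + (1-a)*s.Value
	return s.Value
}

type State string

const Idle, Active, HoldDown State = "Idle", "Active", "HoldDown"

// Level is one escalation step; an empty Mitigation means alert-only (notify, no route).
type Level struct{ ThresholdPPS float64; Mitigation string }

// Victim is the per-destination state machine; field names are assumptions.
type Victim struct {
	IP            string
	Levels        []Level
	HoldTime      time.Duration // dwell in HoldDown before the route is withdrawn
	EscalateAfter time.Duration // minimum dwell at a level before the next may fire
	State         State
	Level         int
	enteredLevel, holdUntil time.Time
}

// Step feeds one smoothed rate in and returns the event a notifier or mitigator would act on.
func (v *Victim) Step(now time.Time, pps float64) string {
	switch v.State {
	case Idle:
		if pps >= v.Levels[0].ThresholdPPS {
			v.State, v.Level, v.enteredLevel = Active, 0, now
			return v.event(now, "escalate")
		}
	case Active:
		if pps < v.Levels[v.Level].ThresholdPPS {
			v.State, v.holdUntil = HoldDown, now.Add(v.HoldTime)
			return v.event(now, "holddown")
		}
		if n := v.Level + 1; n < len(v.Levels) && pps >= v.Levels[n].ThresholdPPS &&
			now.Sub(v.enteredLevel) >= v.EscalateAfter {
			v.Level, v.enteredLevel = n, now
			return v.event(now, "escalate")
		}
	case HoldDown:
		if pps >= v.Levels[v.Level].ThresholdPPS {
			v.State = Active // traffic came back: keep the route, no re-announce
			return v.event(now, "resume")
		}
		if !now.Before(v.holdUntil) {
			v.State = Idle // hold expired: withdraw the route
			return v.event(now, "withdraw")
		}
	}
	return ""
}

func (v *Victim) event(now time.Time, kind string) string {
	mit := "alert-only"
	if m := v.Levels[v.Level].Mitigation; m != "" {
		mit = m
	}
	return fmt.Sprintf("t=%ds %s %s level=%d state=%s mitigation=%s", now.Unix(), v.IP, kind, v.Level, v.State, mit)
}

// SampleWindows is a constructed per-second raw pps series toward one victim:
// a burst, a one-second lull, a short second burst, then silence.
var SampleWindows = []float64{1000, 300000, 300000, 300000, 1000, 1000, 300000, 1000, 1000, 1000, 1000, 1000}

// Simulate runs the samples through the smoother and the state machine (192.0.2.10 is a TEST-NET-1 address).
func Simulate(samples []float64) []string {
	sm := &Smoother{AlphaUp: 0.9, AlphaDown: 0.2}
	v := &Victim{IP: "192.0.2.10", State: Idle, Levels: []Level{{50_000, ""}, {200_000, "blackhole"}},
		HoldTime: 3 * time.Second, EscalateAfter: 2 * time.Second}
	var events []string
	now := time.Unix(0, 0)
	for _, s := range samples {
		now = now.Add(time.Second)
		if e := v.Step(now, sm.Update(s)); e != "" {
			events = append(events, e)
		}
	}
	return events
}

func main() { for _, e := range Simulate(SampleWindows) { fmt.Println(e) } }
```

Run it with go run and read the timeline: level 0 fires at t=2s as a notification only, level 1 waits for the two-second escalate-after dwell before announcing the blackhole at t=4s, the one-second lull at t=5s is absorbed by the slow-decay side of the smoother, and the real drop at t=6s moves the victim to HoldDown rather than withdrawing; when traffic returns at t=7s the route is simply kept, so the router sees one announce and one withdraw instead of a flapping pair.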

Requirements

  • A NetFlow v5/v9/IPFIX or sFlow v5 exporter (router, switch, or softflowd)
  • A customer/edge router that will accept blackhole and FlowSpec routes from flowwler, discard the traffic locally, and optionally propagate mitigation routes to upstream providers - GoBGP is embedded; no separate gobgpd process needed