flowwler

flowwler is a DDoS detection and mitigation daemon developed by level66.network. It ingests NetFlow v5/v9/IPFIX and sFlow v5 traffic data, detects attacks via configurable threshold escalation, and triggers BGP-based mitigations via an embedded BGP server — no external daemon required.

flowwler is not a traffic analytics or network insight tool. It does not provide traffic visualisation, capacity planning, or historical flow analysis. For those use cases, a dedicated tool such as Akvorado can run alongside flowwler — both consume the same NetFlow/sFlow data and are designed to complement each other.

For full documentation, visit flowwler.net.

Features

  • Dual-protocol ingestion — NetFlow v5/v9/IPFIX and sFlow v5 on independent UDP sockets
  • Three mitigation types — BGP blackhole (/32 or /128), subnet blackhole (auto-derives /24 or /48), FlowSpec discard/rate-limit with dynamic top-N source rule refresh
  • Multi-level escalation — Idle → Active → HoldDown → Idle state machine per victim IP, with configurable hold times and per-level timers; levels without a mitigation block fire notifications only
  • Asymmetric smoothing — fast attack detection with stable withdrawal to avoid oscillation
  • Subnet auto-discovery — prefix population from IRR (AS-SET expansion via WHOIS) and NetBox IPAM, refreshed every 12 hours
  • Notifications — webhook, Telegram, PagerDuty, Pushover, Alertmanager, MS Teams, Slack, Jira, and Zammad; fired on every escalation state change
  • REST API — inspect state, router liveness, group subnets, attack history; manually trigger/withdraw mitigations
  • Prometheus metrics — per-router, per-group, and per-victim gauges and counters
  • Persistent attack history — SQLite-backed storage of all attack sessions, queryable via REST API
  • Web UI and TUI client — browser-based interface and terminal client included
  • Hot-reload — SIGHUP reloads config and reconciles BGP peers without restart
  • Dual-stack — full IPv4 and IPv6 support, including IPv6 FlowSpec

How It Works

flowwler listens for NetFlow and sFlow datagrams, aggregates traffic per destination IP using a sliding window, and runs a per-victim state machine that escalates through configured levels when thresholds are exceeded. When a level triggers, it announces a BGP route — blackhole, subnet-blackhole, or FlowSpec — to the connected router via the embedded GoBGP server.
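The per-victim cycle described above (Idle → Active → HoldDown → Idle, with asymmetric smoothing) can be sketched as follows. This is an added example, not flowwler's own code. It assumes a single level, an exponential moving average with separate rise and fall weights as the smoothing method, a mitigation that stays announced during HoldDown, and illustrative values for the threshold, weights and hold time.

```go
package main

import "fmt"

type State int // printed as 0=Idle, 1=Active, 2=HoldDown
const (
	Idle State = iota
	Active
	HoldDown
)

// Illustrative single-level parameters (assumptions, not flowwler defaults).
const (
	threshold = 100000.0 // packets per second
	alphaUp   = 0.9      // weight of a rising sample: fast detection
	alphaDown = 0.2      // weight of a falling sample: slow, stable withdrawal
	holdTicks = 3        // ticks spent in HoldDown before returning to Idle
)

type Victim struct { // state kept per destination IP
	State     State
	Smoothed  float64 // smoothed packets per second
	HoldUntil int     // tick at which HoldDown expires
}

// Update feeds one rate sample for the given tick and returns the new state.
func (v *Victim) Update(pps float64, tick int) State {
	a := alphaDown
	if pps > v.Smoothed {
		a = alphaUp
	}
	v.Smoothed += a * (pps - v.Smoothed)
	switch over := v.Smoothed >= threshold; {
	case v.State != Active && over:
		v.State = Active // announce the mitigation, or keep it after a relapse
	case v.State == Active && !over:
		v.State, v.HoldUntil = HoldDown, tick+holdTicks // mitigation stays up
	case v.State == HoldDown && tick >= v.HoldUntil:
		v.State = Idle // withdraw the mitigation
	}
	return v.State
}

func main() {
	// Constructed samples, one per tick: burst, one-tick dip, burst, then quiet.
	v := &Victim{}
	for tick, pps := range []float64{1e3, 2e5, 2e5, 1e3, 2e5, 1e3, 1e3, 1e3, 1e3, 1e3, 1e3, 1e3} {
		fmt.Println(tick, pps, v.Update(pps, tick))
	}
}
```

With these samples the one-tick dip at tick 3 does not leave Active, because the smoothed rate falls slowly; the route is only withdrawn once the rate has stayed low through the hold time.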

Supported Platforms

Flow export and BGP peering configurations are available for:

  • Juniper JunOS
  • Cisco IOS-XR
  • Arista EOS
  • MikroTik RouterOS

Licensing & Demo

flowwler is available under a commercial perpetual license. A time-limited demo binary is available on request — fully functional, delivered as a .deb package.

Contact us to request a demo or discuss licensing: info@level66.network · +49 6132 7358820