惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Schneier on Security
Schneier on Security
T
Tor Project blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
Security Latest
Security Latest
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Webroot Blog
Webroot Blog
Project Zero
Project Zero
Google Online Security Blog
Google Online Security Blog
The Last Watchdog
The Last Watchdog
Spread Privacy
Spread Privacy
Hacker News: Ask HN
Hacker News: Ask HN
PCI Perspectives
PCI Perspectives
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
W
WeLiveSecurity
Attack and Defense Labs
Attack and Defense Labs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
N
News | PayPal Newsroom
Help Net Security
Help Net Security
The Hacker News
The Hacker News
H
Heimdal Security Blog
O
OpenAI News
S
Security @ Cisco Blogs
N
News and Events Feed by Topic
Cyberwarzone
Cyberwarzone
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 叶小钗
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
I
Intezer
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Security Affairs
P
Proofpoint News Feed
S
Secure Thoughts
腾讯CDC
Google DeepMind News
Google DeepMind News
量子位
罗磊的独立博客

Hacker News: Show HN

PurrrrrFocus: Pomodoro Timer App - App Store Workflow Engine — Multi-Step Orchestration for Bun RapidPhoto: Pro Photo Editor App - App Store GitHub - DheerG/swarms: Achieve extraordinary results with claude code across a variety of tasks SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads Show HN: VCoding – A 5 MB native Windows IDE with no dynamic dependencies Show HN: LLMs don't hallucinate because they're bad at math, it's the format GitHub - Agent-FM/agentfm-core: AgentFM is a peer-to-peer network that turns everyday computers into a decentralized AI supercomputer. AgentFM lets you run massive AI workloads directly across a global mesh of idle CPUs and GPUs. Show HN: Tracking Top US Science Olympiad Alumni over Last 25 Years GitHub - Potarix/agent-hub: One place to talk to all your agents Show HN: Runtime security for AI agents(injection,tool abuse, data exfiltration) GitHub - dubeyKartikay/lazyspotify: Terminal Spotify client for macOS and Linux GitHub - the-banana-tool/king-louie: Easy to use GUI Personal AI Assistant. Win/Linux/Mac. Show HN I made my vacation rental bookable by AI agents–no Airbnb, 0% commission GitHub - basteez/jsf-autoreload: maven plugin to enable hot reload on jsf projects uvm32/hosts/host-gdbstub at main · ringtailsoftware/uvm32 GitHub - labsai/EDDI: Config-driven engine that turns JSON into production-grade AI agents. Multi-agent orchestration, 12+ LLM providers, MCP/A2A protocols, RAG, persistent memory, and enterprise compliance (EU AI Act, GDPR, HIPAA). Built on Quarkus. GitHub - glitchnsec/fortyone-oss: AI Executive Assistant Platform Quickstart | Alien GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. GitHub - ocrbase-hq/ocrbase: 📄 PDF/IMG ->.MD/JSON Document OCR API for PaddleOCR and GLMOCR. Self-hostable. GitHub - impactjo/home-memory: MCP server that lets your AI assistant remember everything about your home. GitHub - Sets88/dbcls: DbCls is a powerful terminal database client that supports various databases GitHub - neptun2000/heor-agent-mcp GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh RollQuation: Math Puzzles - Apps on Google Play GitHub - dropbox/witchcraft Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw LinkedIn™ 职位抓取工具 - Chrome 应用商店 GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens. HN Vibes — Week 15, Apr 7–13 2026 GitHub - chojs23/ec: Easy terminal-native 3-way git mergetool vim-like workflow GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - JakOb-dotcom/cloud-sandbox-security-analysis: Technical analysis and Proof of Concept (PoC) regarding environment variable exfiltration in containerized cloud sandboxes via side-channel data leaks. Springboards - Flint Alpha Show HN: A simpler coding agent harness GitHub - audiodude/sudomake-friends GitHub - 256thFission/mini-mythos: OSS clone of Anthropic’s Mythos harness to locate C/C++ memory vulnerabilities Show HN: OpenParallax: OS-level privilege separation for AI agent execution Hacker News Sorted - Chrome 应用商店 Show HN: How to Install Docker on Ubuntu 24.04 LTS: Complete 2026 Guide GitHub - himanshudongre/smriti GitHub - sverrirsig/claude-control: macOS desktop dashboard for monitoring and managing multiple Claude Code sessions GitHub - ory/dockertest: Write better integration tests! Dockertest helps you boot up ephermal docker images for your Go tests with minimal work. Chiral - Chrome 应用商店 Show HN: Two Claudes collaborating through shared memory on a $100 mini-PC GitHub - pmichaillat/latex-cv: Minimalist LaTeX template for academic CVs GitHub - oguzbilgic/posse: A web UI for Anthropic Managed Agents. GitHub - sshiraz/depsly: Dependency risk analysis tool for npm packages ABI Add safari/agent-harness — Safari browser automation via safari-mcp by achiya-automation · Pull Request #212 · HKUDS/CLI-Anything GitHub - Halfblood-Prince/trustcheck: Verify PyPI package attestations and improve Python supply-chain security GitHub - oguzbilgic/kern-ai: Agents that do the work and show it. GitHub - bruits/satteri: High-performance Markdown and MDX processing for the JavaScript ecosystem GitHub - tylergibbs1/feedstock: High-performance web crawler and scraper for TypeScript, powered by Bun and Playwright GitHub - Grimm67123/grimmbot: The self-improving sandboxed and open-source AI agent. With persistent memory and scheduling. GitHub - whitevanillaskies/whitebloom: Local whiteboard that blooms. GitHub - hwdsl2/docker-whisper: Docker image for a self-hosted Whisper speech-to-text server with speaker diarization and OpenAI-compatible transcription and translation APIs. Powered by faster-whisper. Supports all Whisper models, NVIDIA GPU (CUDA) acceleration, JSON/SRT/VTT output, SSE streaming, offline mode, and multi-arch (amd64, arm64). GitHub - yisding/reviewwiggum GitHub - MarwanAlsoltany/serrors: Structured errors for Go: sentinel hierarchies, typed data, custom formatting, and slog integration. GitHub - soatok/age-php GitHub - Luthiraa/markitme GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits GitHub - tombedor/excalicharts GitHub - wh1le/excalidraw-edit: Open and edit .excalidraw files from the terminal. Offline, auto-saves to disk. MalExt Sentry - Malicious Extension Scanner - Chrome 应用商店 GitHub - syi0808/asciianimesvg: Generate animated ASCII art SVGs from text. CLI, Rust library, WASM, and web editor. GitHub - zaina-ml/ml_forge: A visual-based graph node editor for training computer vision models. GitHub - anakin87/llm-rl-environments-lil-course: 🌱 A little course on Reinforcement Learning Environments for evaluating and training Language Models GitHub - takaakit/superpowers-uml: Superpowers-UML modifies Superpowers to ensure a software development workflow in which AI agents design through UML modeling. AdriByte Studio - Sviluppo Web e Soluzioni Digitali GitHub - chouligi/angel-copilot: Your personalized Angel Investment Advisor Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 GitHub - agenteractai/lodmem: Level Of Detail Context Management for Agents GitHub - ostefani/subnetlens: A fast, concurrent network scanner with a TUI and plain-text CLI, built in Go. It discovers live hosts on your network, scans their open ports, resolves hostnames, and fingerprints operating systems—delivered. Cyber Pulse: Agentic Intel - Apps on Google Play Whisper API: Self-Hostable Speech to Text Transcription The Agent-Web Protocol Stack: A Research Thesis GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Show HN: Provepy – A Python decorator that proves your code using Lean and LLMs Show HN: Pardonned.com – A searchable database of US Pardons GitHub - patrickdappollonio/dux: Dux is a terminal UI that lets you run multiple AI coding agents side by side, each in its own git worktree, with full companion terminals, macros, commit generation, and a command palette that knows more tricks than you do. kMC Crystal Simulator Show HN: HyperFlow – A self-improving agent framework built on LangGraph GitHub - stef41/vibescore: 🎵 Grade your vibe-coded project. One command, instant letter grade across security, quality, dependencies, and testing. GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. imgur.com GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. GitHub - nowork-studio/toprank: Open-source Claude Code skills for SEO, SEM, Google Ads GitHub - tacomanator/sash: Lightweight macOS menu bar app for reliably cycling through windows of the current application. Appents | Social Media Management for Product-First Teams GitHub - pnhoang/youtube-spam-blocker: Automatically detects and hides spam messages in YouTube Live chat. Set rate limits, keyword filters, and block repeat offenders. GitHub - decisionnode/DecisionNode: CLI + Local MCP - A shared structured memory store across Claude Code, Cursor, Windsurf, Antigravity, and every MCP client. Semantically queryable. GitHub - AvaCodeSolutions/django-email-learning: An open source Django app for creating email-based learning platforms with IMAP integration and React frontend components. The $100K Gap in Kubernetes Security Tooling Function Calling Harness: From 6.75% to 100%
How Lorikeet Security Stopped a Live DDoS Attack Mid-Training, Without Dropping a Single Student
jacob_masse · 2026-04-26 · via Hacker News: Show HN

Home/ Blog/ Lorikeet Security Case Study

Customer Case Study

Case Study Apr 23, 2026 8 min read

A multi-vector DDoS attack hit Lorikeet Security's live cybersecurity training event 45 minutes in. Flowtriq detected it in 0.9 seconds, activated BGP FlowSpec and cloud scrubbing upstream simultaneously, and kept all 240 attendees connected for the remaining two hours.

Back to Blog

Lorikeet Security

Lorikeet Security

lorikeetsecurity.com

Orlando, FL 3 Flowtriq nodes 15,000+ trained 50+ events

Penetration testing, red team operations, and live hands-on cyber training events for enterprise security teams, government contractors, and university programs

0.9s

Time to detection

11s

Detection to full upstream mitigation

0

Student disconnections

48 Gbps

Peak attack volume

Flowtriq incident dashboard showing the Lorikeet Security multi-vector DDoS attack — Critical, Resolved, 48.3 Gbps peak, 1.1M PPS, 38m 3s duration

Flowtriq incident #158 — Critical / Resolved · 48.3 Gbps peak · 1.1M PPS · 20,540 source IPs · 94% AI confidence · Node: Lorikeet Security

About Lorikeet Security

Lorikeet Security is a cybersecurity firm based in Orlando, Florida specializing in penetration testing, red team operations, compliance consulting, and live cyber training events. Founded by Ryan Wilke in 2021, the company has grown from a single CTF training platform (originally launched as Parrot CTFs) into a full-spectrum offensive security and training operation, with 50+ events hosted and over 15,000 participants trained to date.

Lorikeet Security training events deliver live CTF competitions and hands-on labs across web exploitation, reverse engineering, cryptography, active directory, and forensics. Events range from 200-person corporate workshops to 1,000-person conference competitions, each running against dedicated isolated infrastructure with per-team VPN access and no shared resources. With a 99.9% uptime record across 50+ events, infrastructure reliability is a core part of Lorikeet's offering, and something their clients explicitly rely on.

The Challenge

Lorikeet's training event infrastructure runs on a cluster of dedicated bare-metal servers handling three distinct workloads: the challenge platform (scenarios, labs, scoring engine), a CTF server running intentionally vulnerable environments for participants, and a media relay node for the instructor's live session. During an event, all three nodes are under simultaneous load from participants' VPN connections; there is no graceful degradation. If any node saturates, the session stops.

Prior to deploying Flowtriq, Lorikeet had no automated DDoS detection in place. When connectivity degraded during an event, the response was entirely manual: identify the issue, determine the right rule, coordinate with the upstream provider. By the time that cycle completed, the damage was already done.

"We'd had events where connectivity would get weird and we'd spend ten minutes just figuring out if it was our stack or the network. With two hundred-plus people connected and a training schedule running, that ten minutes is real damage. You can't get that time back once a session goes sideways."

Ryan Wilke, CEO & Founder, Lorikeet Security

How the alternatives compare

Capability FastNetMon CE [1] Wanguard Arbor / NETSCOUT Flowtriq
Detection granularity Flow-based, threshold (30–60s) [1] Flow-based (30–60s) Flow-based (30s+) Per-second (<1s)
BGP FlowSpec Advanced only — not in CE [1] Add-on module Yes (enterprise tier) Included, all plans
Cloud scrubbing integration No [1] Manual config Vendor-specific Built-in, one-click
Auto upstream mitigation BGP blackhole (RTBH) via ExaBGP [1] Partial Yes Yes, or one-click
Multi-vector co-detection No [1] Sequential Yes Yes, single cycle
Upstream coordination Blackhole only — no scrubbing automation [1] Partial automation Often manual Fully automated
Time to deploy Hours–days (dedicated server + flow infra required) [2] Days (on-prem appliance) Days–weeks ~2 min/node

Publicly announced events are a known DDoS targeting surface.

Lorikeet's training events are listed on a public schedule with exact dates, times, and registration pages. That is all an attacker needs to time a volumetric hit for maximum impact: peak participant load, mid-session, when any outage has the most visible and irreversible cost. Live events, public product launches, conference streams, and scheduled maintenance windows all share this pattern. The attack window is predictable, and the cost of downtime is highest precisely when the event is running. Any operator hosting publicly announced events on dedicated infrastructure should treat the public schedule itself as part of the threat model.

Flowtriq was deployed across all three Lorikeet nodes in approximately 10 minutes during a pre-event infrastructure check the week before March 27. The ftagent installed on each node, spent roughly five minutes learning each node's baseline traffic profile, and had both the BGP FlowSpec adapter and cloud scrubbing integrations confirmed active before the event went live.

The Event: March 27, 2026

The event in question was a March 27, 2026 public live cybersecurity training event, a full-day hands-on session running from 09:00–17:00 EST with approximately 240 registered participants. The curriculum covered active network threat identification, live packet analysis, and escalating incident response scenarios, all running against Lorikeet's dedicated infrastructure. By 09:45, all three nodes were under typical event load: steady streams from participants' VPN connections, scoring engine calls, and the instructor livestream.

At 09:52:14, the attack began.

What Happened: Minute by Minute

!

T+0s / 09:52:14

Flowtriq detects anomaly

The ftagent on the training platform node detects a sharp PPS deviation: inbound packets jump from a 14,200 PPS baseline to 312,000 PPS in a single measurement window. Simultaneously, the CTF server node registers an inbound SYN rate spike. Both anomalies are flagged within the same 0.9-second detection cycle.

S

T+3s / 09:52:17

Slack alert fires

Flowtriq pushes an incident alert to Lorikeet's #infra-alerts Slack channel. The notification includes attack classification (multi-vector: NTP amplification + SYN flood), both affected nodes, current PPS readings, source IP count, and a direct link to the live incident view in the Flowtriq dashboard. The on-call engineer sees the alert on their second monitor, already open during the event.

M

T+8s / 09:52:22

Auto-mitigation fires on-node

Flowtriq's auto-mitigation rules (pre-configured by Lorikeet to drop traffic matching the NTP amplification signature: source port 123, packet size >400 bytes, high volume, and SYN flood pattern) are pushed to iptables on both nodes. Inbound packet processing load drops immediately. The attack traffic is still arriving at the network interface but is dropped at the kernel level before reaching application processes.

T+11s / 09:52:25

BGP FlowSpec + cloud scrubbing activated

Lorikeet's on-call engineer activates upstream mitigation with one click. Flowtriq simultaneously pushes a BGP FlowSpec rule (match source-port 123, action discard) to their upstream transit provider's edge routers and activates a cloud scrubbing integration, routing volumetric traffic through an additional upstream scrubbing layer. The unified approach handles attack traffic at two distinct upstream points before it reaches Lorikeet's network. Bandwidth consumption on their uplink drops from 48 Gbps back to baseline within seconds.

T+19s / 09:52:33

Second FlowSpec rule for SYN component

The SYN flood component of the attack, sourced from a separate botnet subnet, continues briefly after the NTP amplification is scrubbed upstream. A second FlowSpec rule targeting the SYN flood's dominant source prefix is pushed. Within 4 seconds, the SYN rate on the CTF server drops from 890,000 SYN/s to under 200 SYN/s, within normal range for event traffic.

T+38min / 10:30:09

Attack subsides, FlowSpec rules withdrawn

After 38 minutes of sustained attack traffic against the upstream null-route, the botnet abandons the campaign. The FlowSpec rules are withdrawn via Flowtriq. All three nodes return to clean baseline traffic. The PCAP capture taken during the incident (automatically triggered by Flowtriq at detection) is available for download in the dashboard. The training session has been running continuously throughout.

Flowtriq attack timeline showing detection at 13:52:14, peak traffic at 1.1M PPS / 48.3 Gbps, and resolution at 14:30:17

Flowtriq attack timeline and details panel · Detection 13:52:14 → peak 1.1M PPS / 48.3 Gbps → resolved 14:30:17 UTC · IP spoofing and botnet both confirmed

From the perspective of the 240 participants in the event, nothing happened. No latency spike was visible in the training platform. The instructor's stream did not buffer. The CTF scoring engine did not hiccup. The only indication that anything had occurred was the Slack alert thread, which the infrastructure engineer had been monitoring silently in the background.

Attack Technical Breakdown

The post-incident PCAP analysis confirmed a coordinated multi-vector attack with two distinct components, likely launched from separate hired botnet infrastructure.

Vector 1: NTP Amplification

ProtocolUDP / NTP

Source port123

Avg packet size468 bytes

Peak inbound39 Gbps

Peak PPS1.06M PPS

Unique source IPs2,140

Top source countriesCN, US, KR, RU, BR

Vector 2: SYN Flood

ProtocolTCP SYN

Target port443, 8443

Avg packet size60 bytes

Peak inbound9 Gbps

Peak SYN/s890K SYN/s

Unique source IPs18,400

Spoofing detectedYes

Flowtriq forensic analysis panel: source IP entropy 0.87, avg packet length 392 bytes, packet length distribution and TTL distribution charts

Forensic analysis · Source IP entropy 0.87 · Avg packet size 392 bytes · Packet length distribution: 60B (SYN), 468B (NTP) · 4 unique TTLs confirming multi-origin reflector pool

Flowtriq IOC matches: NTP_MON_GETLIST 92%, NTP Monlist Request 93%, TCP SYN-only Flood 86%, AS4134 62%, AS4837 58%

5 IOC pattern matches · NTP monlist abuse (abuse.ch, 93%) · SYN-only flood (86%) · China Telecom and CNCGROUP flagged as DDoS-source ASNs

Why multi-vector attacks are harder to stop without tooling: The NTP amplification and SYN flood components required two distinct mitigation responses: a source-port-based FlowSpec rule for the amplification traffic and a source-prefix rule for the spoofed SYN traffic. Without per-second classification identifying both vectors simultaneously, a manual response would likely have addressed one while the other continued to saturate the uplink.

Why the Attack Did Not Take Down the Event

There are three reasons the infrastructure stayed up, and they are worth separating clearly.

Speed of detection. The 0.9-second detection window means Flowtriq identified the attack before it reached peak volume. NTP amplification attacks typically ramp to maximum throughput over 5–15 seconds as reflected packets begin returning from the amplifiers. Catching the attack in the ramp phase, before the uplink saturated, gave the mitigation rules time to take effect before bandwidth was exhausted.

On-node mitigation as a first line. The automatic iptables rules pushed by Flowtriq at T+8s protected application processes even before the upstream BGP rules were in place. The nodes continued accepting legitimate traffic from participants' VPN addresses (those IPs were not in the attack source ranges and passed through cleanly) while all other inbound traffic matching the attack signature was dropped at the kernel level.

Unified upstream mitigation, not just BGP. On-node iptables rules protect the server's CPU and application layer, but they do not recover saturated uplink bandwidth; traffic still has to traverse the ISP's network before being dropped. Flowtriq moved the drop point upstream in two ways simultaneously: BGP FlowSpec rules pushed to the transit provider's edge, and a cloud scrubbing integration routing traffic through an additional upstream layer. The combination meant attack traffic was being discarded at multiple points before it could reach Lorikeet's uplink at all.

Industry context: why manual response is not fast enough

Security operations research puts manual DDoS response workflows at a minimum of 15–30 minutes under best-case conditions: alert triage, vector classification, strategy selection, and upstream provider coordination. NETSCOUT's 2024 Threat Intelligence Report found that 70% of DDoS attacks last fewer than 15 minutes. This creates a structural gap: most attacks resolve on their own or cause their maximum damage before a manual response process can push an upstream rule. Flowtriq completed the same detection-to-upstream cycle in 11 seconds.

Where the attack traffic was stopped

Attacker / botnet infrastructure NTP amplification via 2,140 open reflectors + spoofed SYN flood from 18,400 source IPs, totalling 48 Gbps combined

48 Gbps attack

↓  attack traffic routed upstream first

Cloud scrubbing layer Flowtriq activates cloud scrubbing integration — volumetric traffic filtered before reaching the transit provider

scrubbed

↓  residual traffic continues

Transit provider edge: BGP FlowSpec FlowSpec rules pushed to ISP routers drop matching attack traffic before it reaches Lorikeet's uplink

FlowSpec active

↓  residual traffic continues to node

Lorikeet nodes: on-node iptables Auto-fired kernel-level rules drop any residual attack packets before reaching application processes

clean traffic only

"We had 240 people in a live cybersecurity event and took close to 50 gigabits of attack traffic mid-session. The Flowtriq alert landed in our Slack before I'd even registered anything was wrong on the dashboard. By the time I pulled up the incident view, the on-node rules had already fired, BGP FlowSpec was pushed to our upstream, and cloud scrubbing was routing traffic through an additional layer. Full mitigation stack active in under 15 seconds from detection. Not one participant noticed anything happened."

RW

Ryan Wilke

CEO & Founder, Lorikeet Security

Outcomes

240 / 240

Participants stayed connected throughout the full event

11 seconds

From first packet detected to upstream BGP FlowSpec rule active

Zero downtime

All three nodes remained fully operational throughout the 38-minute attack

Full PCAP

Automated capture available for post-incident forensics and upstream ISP coordination

2 vectors neutralised

NTP amplification and SYN flood handled with independent targeted rules

Uplink recovered

48 Gbps scrubbed upstream; bandwidth never exhausted at Lorikeet's edge

Business impact: Lorikeet's contract for the March 27 event with [enterprise client, name redacted per NDA] carried a formal uptime SLA for the contracted training window, with breach provisions triggered by any outage exceeding 15 consecutive minutes and a mandatory reschedule obligation at Lorikeet's cost. A manual response to a 48 Gbps multi-vector attack would typically require 30 to 60 minutes under best-case conditions. The automated mitigation cycle completed in under 20 seconds. No SLA clause was triggered. No reschedule was required.

What Lorikeet Does Now

Following the March 27 event, Lorikeet Security standardised Flowtriq across all event infrastructure as a required component of pre-flight. Every session now includes a dedicated infrastructure check: FlowSpec adapter connected, cloud scrubbing integrations verified, alert channels confirmed and routed to whoever is on duty that day. Flowtriq runs year-round on all three nodes. Since March, it has automatically blocked two additional lower-volume probes against the CTF server without any manual intervention required.

"Every event now runs a Flowtriq pre-flight before we let participants in. FlowSpec connected, cloud scrubbing verified, alerts confirmed. It's become as standard as checking that the VPNs are up. Since March we've had two more automated blocks on the CTF server. I didn't even know about them until I checked the incident log."

Ryan Wilke, CEO & Founder, Lorikeet Security

Flowtriq Features Used

  • Per-second anomaly detection: ftagent on each node, monitoring PPS/BPS deviations against dynamic baselines
  • Multi-vector co-detection: both attack vectors flagged in a single incident within the same detection cycle
  • Slack alerting: real-time incident notification with classification, affected nodes, and live dashboard link
  • Auto-mitigation rules: pre-configured iptables rules pushed automatically on matching attack signatures
  • BGP FlowSpec adapter: upstream rules pushed to transit provider edge routers via Flowtriq's one-click interface
  • Cloud scrubbing integration: cloud-layer scrubbing activated alongside BGP FlowSpec for a unified upstream mitigation approach
  • PCAP capture: automatic packet capture triggered at incident detection, stored for forensics and download
  • Live incident view: real-time traffic graphs, source IP map, and mitigation controls in the dashboard

Flowtriq attack correlation panel showing multi-vector attack stats across the platform: 38 min avg duration, 20,540 avg source IPs, botnet and IP spoofing in 100% of similar attacks

Attack correlation across the Flowtriq platform · Multi-vector attacks: 38 min avg duration · Botnet detected in 100% · IP spoofing in 100%

Protect your next live event, or any infrastructure that can't afford downtime

Flowtriq takes under two minutes to deploy. Per-second detection, automatic mitigation, BGP FlowSpec upstream rules, and instant alerts. Starting at $9.99/node/month.

Start Free Trial →

No credit card required  ·  7-day free trial

Back to Blog

Related Articles