Network Security

Real-Time DDoS Detection with Streaming SQL

Analyze network flow and request rate streams from Kafka continuously using SQL. RisingWave identifies volumetric floods, amplification attacks, and application-layer DDoS patterns within milliseconds, enabling mitigation before traffic overwhelms your infrastructure.

  • Real-Time Attack Detection: flow and request streams are evaluated continuously as each record arrives in Kafka, adding no analytics delay beyond the flow export interval of your network devices.
  • SQL Detection Rules: express volumetric thresholds, protocol anomalies, and traffic distribution rules as SQL window aggregations over network flow streams.
  • Multi-Vector Attack Coverage: detect volumetric floods, amplification attacks, TCP state exhaustion, and application-layer HTTP floods in a single SQL pipeline.
  • Automated Mitigation Triggers: feed detection signals to WAF, anycast network, and firewall platforms via the PostgreSQL interface to trigger automated traffic scrubbing.

Why Streaming Detection

Why does DDoS detection require streaming traffic analysis?

Polling-based traffic analysis checks traffic volume every 30 or 60 seconds. A volumetric DDoS attack can saturate a network link in under 10 seconds. Streaming traffic analysis evaluates attack pattern rules against every network flow event as it arrives, detecting the onset of an attack within milliseconds and triggering mitigation before traffic overwhelms the targeted infrastructure.

Factor               Polling / NetFlow                 RisingWave
Detection Latency    30 to 60 seconds (polling)        Milliseconds (streaming)
Mitigation Window    Attack in progress for minutes    Mitigation triggered at onset
Attack Coverage      Volumetric threshold only         Multi-vector pattern detection
Infrastructure       NetFlow collector + SNMP polls    Kafka + SQL streaming
  • Detect volumetric flood onset within milliseconds rather than at the next polling interval
  • Trigger mitigation at attack onset before traffic saturates the network link or application tier
  • Detect multi-vector attacks that combine volumetric, protocol, and application-layer techniques in a single SQL rule
  • Correlate attack traffic patterns across multiple ingestion points to distinguish coordinated DDoS from legitimate traffic spikes

Attack Patterns

What DDoS attack patterns does streaming SQL detect?

DDoS attacks range from simple volumetric floods to sophisticated multi-vector campaigns that combine network and application-layer techniques. SQL window aggregations over network flow and request streams can detect each pattern type within milliseconds because they evaluate traffic state continuously rather than on a polling schedule.

Volumetric Flood Detection

Detect UDP floods, ICMP floods, and TCP SYN floods by aggregating packet and byte rates per destination IP using SQL COUNT and SUM window aggregations over NetFlow or sFlow streams, triggering when rates exceed configurable thresholds in rolling 5-second windows

Amplification Attack Detection

Identify DNS, NTP, and SSDP amplification attacks by correlating outbound query volumes from your resolvers with inbound amplified response traffic in network flow streams, flagging when the response-to-query amplification ratio exceeds expected bounds

TCP State Exhaustion Detection

Detect SYN flood and TCP connection exhaustion attacks by tracking the ratio of SYN packets to established connections per destination in real time, identifying when the incomplete connection rate exceeds the threshold that indicates a state table exhaustion attack

Application-Layer HTTP Flood Detection

Identify HTTP flood attacks and slow-rate application-layer DDoS by aggregating request rates per source IP, user agent, and endpoint from web access log streams, correlating high request volume with low payload diversity to distinguish floods from legitimate traffic spikes
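The HTTP flood rule above, written out as RisingWave SQL. This is an added example, not code from the RisingWave site or its documentation; the Kafka topic and broker address, the JSON field names (modelled on a typical nginx JSON access log), the hypothetical view names and the numeric thresholds are all assumptions. It profiles every client over 10-second windows that slide every 2 seconds and flags clients whose request volume is high while path and user-agent diversity are low; a second rule catches the distributed case, where many clients with almost identical user agents hammer one endpoint.

```sql
-- Assumed Kafka topic carrying one JSON access-log record per request
CREATE SOURCE access_logs (
  ts          TIMESTAMPTZ,
  client_ip   VARCHAR,
  user_agent  VARCHAR,
  method      VARCHAR,
  path        VARCHAR,
  status      INT,
  body_bytes  BIGINT,
  WATERMARK FOR ts AS ts - INTERVAL '5 SECOND'   -- tolerate 5 s of out-of-order delivery
) WITH (
  connector = 'kafka',
  topic = 'web-access-logs',                    -- assumed topic name
  properties.bootstrap.server = 'kafka:9092',   -- assumed broker address
  scan.startup.mode = 'latest'
) FORMAT PLAIN ENCODE JSON;

-- Per-client request profile over 10-second windows sliding every 2 seconds
CREATE MATERIALIZED VIEW client_profile_10s AS
SELECT
  client_ip, window_start, window_end,
  COUNT(*)                   AS requests,
  COUNT(DISTINCT path)       AS distinct_paths,
  COUNT(DISTINCT user_agent) AS distinct_agents,
  SUM(CASE WHEN status >= 400 THEN 1 ELSE 0 END) AS error_responses
FROM HOP(access_logs, ts, INTERVAL '2 SECOND', INTERVAL '10 SECOND')
GROUP BY client_ip, window_start, window_end;

-- Per-endpoint profile over the same windows, for floods spread across many sources
CREATE MATERIALIZED VIEW endpoint_profile_10s AS
SELECT
  path, window_start, window_end,
  COUNT(*)                   AS requests,
  COUNT(DISTINCT client_ip)  AS distinct_clients,
  COUNT(DISTINCT user_agent) AS distinct_agents
FROM HOP(access_logs, ts, INTERVAL '2 SECOND', INTERVAL '10 SECOND')
GROUP BY path, window_start, window_end;

-- Detection view: high volume combined with low diversity is the flood signature.
-- Thresholds are placeholders; derive them from your own traffic baseline.
CREATE MATERIALIZED VIEW http_flood_alerts AS
SELECT 'single_source_flood' AS pattern,
       client_ip             AS subject,
       window_start, window_end, requests,
       distinct_paths        AS diversity
FROM client_profile_10s
WHERE requests >= 500 AND distinct_paths <= 3
UNION ALL
SELECT 'distributed_endpoint_flood' AS pattern,
       path                         AS subject,
       window_start, window_end, requests,
       distinct_agents              AS diversity
FROM endpoint_profile_10s
WHERE requests >= 5000 AND distinct_clients >= 200 AND distinct_agents <= 2;

-- What a mitigation controller would poll over the PostgreSQL interface (psql, port 4566)
SELECT pattern, subject, requests, diversity
FROM http_flood_alerts
WHERE window_end > NOW() - INTERVAL '30 SECOND';
```

Diversity rather than raw count is what separates a flood from a legitimate spike: a product launch sends real browsers through many paths with many user agents, whereas a flood tool repeats a handful of requests. The example covers the high-rate case; for slow-rate attacks the useful signal is held-open connections per source, which comes from a connection-level stream rather than from completed requests.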

How It Works

How does RisingWave analyze traffic streams for DDoS detection?

RisingWave ingests network flow records and access log events from Kafka and evaluates DDoS detection rules as continuously updated SQL materialized views. Traffic aggregation state, per-source and per-destination rates, and protocol distribution metrics update incrementally with each arriving flow record. When aggregated metrics exceed attack thresholds, the detection view surfaces the attack attributes for automated mitigation triggers.

  • Create Kafka sources in RisingWave for NetFlow or sFlow records, DNS query logs, and web access logs using SQL CREATE SOURCE statements
  • Define traffic baseline materialized views that compute normal traffic rates per destination, protocol, and source IP range over rolling time windows
  • Write DDoS detection rules as SQL expressions comparing current traffic window aggregations against baseline views, flagging when deviation ratios exceed attack thresholds
  • Join detection signals with IP reputation tables and asset criticality data via stream-table joins to prioritize mitigation actions by target sensitivity
  • Feed detection output to WAF, anycast scrubbing, or firewall APIs via the PostgreSQL interface to trigger automated traffic diversion before the attack peak
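The five steps above carried through end to end in RisingWave SQL, also covering the volumetric flood and TCP state exhaustion patterns from the Attack Patterns section. This is an added example and not RisingWave's own code; the flow field names (in particular the single-letter tcp_flags encoding), the Kafka topic and broker, the hypothetical view and table names, the sample asset_criticality rows and every threshold are assumptions to be adapted to your exporter and traffic profile. The SYN check uses the SYN to SYN/ACK ratio as a proxy for SYN to established connections, since flow records do not carry connection state.

```sql
-- Step 1: Kafka source for NetFlow/sFlow records exported as JSON (field names assumed)
CREATE SOURCE flow_records (
  ts        TIMESTAMPTZ,
  src_ip    VARCHAR,
  dst_ip    VARCHAR,
  protocol  VARCHAR,   -- 'TCP', 'UDP', 'ICMP'
  tcp_flags VARCHAR,   -- assumed encoding: 'S' = SYN only, 'SA' = SYN+ACK, 'A' = ACK
  packets   BIGINT,
  bytes     BIGINT,
  WATERMARK FOR ts AS ts - INTERVAL '5 SECOND'
) WITH (
  connector = 'kafka',
  topic = 'netflow',                            -- assumed topic name
  properties.bootstrap.server = 'kafka:9092',   -- assumed broker address
  scan.startup.mode = 'latest'
) FORMAT PLAIN ENCODE JSON;

-- Reference table for the stream-table join in step 4; the rows are constructed samples
CREATE TABLE asset_criticality (ip VARCHAR PRIMARY KEY, criticality VARCHAR);
INSERT INTO asset_criticality VALUES ('203.0.113.10', 'high'), ('203.0.113.20', 'low');

-- Step 2a: current traffic per destination in 5-second tumbling windows
CREATE MATERIALIZED VIEW dst_rate_5s AS
SELECT
  dst_ip,
  window_start AS bucket_start,
  window_end   AS bucket_end,
  SUM(packets)           AS pkts,
  SUM(bytes)             AS bytes,
  COUNT(DISTINCT src_ip) AS distinct_sources,
  SUM(CASE WHEN protocol = 'TCP' AND tcp_flags = 'S'  THEN packets ELSE 0 END) AS syn_pkts,
  SUM(CASE WHEN protocol = 'TCP' AND tcp_flags = 'SA' THEN packets ELSE 0 END) AS synack_pkts
FROM TUMBLE(flow_records, ts, INTERVAL '5 SECOND')
GROUP BY dst_ip, window_start, window_end;

-- Step 2b: baseline = average 5-second bucket per destination over a trailing hour,
-- recomputed every 5 minutes (a hopping window over the bucketed view)
CREATE MATERIALIZED VIEW dst_baseline_1h AS
SELECT
  dst_ip,
  window_end AS baseline_end,
  AVG(pkts)  AS avg_pkts,
  AVG(bytes) AS avg_bytes
FROM HOP(dst_rate_5s, bucket_end, INTERVAL '5 MINUTE', INTERVAL '1 HOUR')
GROUP BY dst_ip, window_start, window_end;

-- Steps 3 and 4: compare each live bucket with the most recent completed baseline for the
-- same destination (the baseline hour ends before the bucket starts, so the bucket under
-- test never feeds its own baseline) and attach asset criticality. The 10x deviation,
-- the 100000-packet absolute floor and the 5:1 SYN ratio are placeholder thresholds.
CREATE MATERIALIZED VIEW volumetric_alerts AS
SELECT
  r.dst_ip, r.bucket_start, r.bucket_end,
  r.pkts, r.bytes, r.distinct_sources,
  r.pkts / GREATEST(COALESCE(b.avg_pkts, 0), 1)       AS deviation_ratio,
  r.syn_pkts / GREATEST(r.synack_pkts, 1)             AS syn_ratio,
  COALESCE(a.criticality, 'unknown')                  AS criticality,
  CASE WHEN r.syn_pkts > 5 * GREATEST(r.synack_pkts, 1)
       THEN 'syn_flood' ELSE 'volumetric' END         AS pattern
FROM dst_rate_5s r
LEFT JOIN dst_baseline_1h b
  ON b.dst_ip = r.dst_ip
 AND b.baseline_end <= r.bucket_start
 AND b.baseline_end >  r.bucket_start - INTERVAL '5 MINUTE'
LEFT JOIN asset_criticality a ON a.ip = r.dst_ip
WHERE (b.avg_pkts IS NOT NULL AND r.pkts > 10 * b.avg_pkts)
   OR r.pkts > 100000          -- absolute floor for destinations with no trailing-hour history
   OR r.syn_pkts > 5 * GREATEST(r.synack_pkts, 1);

-- Step 5: the query a mitigation controller polls over the PostgreSQL interface (psql, port 4566),
-- ordered so that high-criticality targets are scrubbed first
SELECT dst_ip, pattern, deviation_ratio, syn_ratio, criticality
FROM volumetric_alerts
WHERE bucket_end > NOW() - INTERVAL '15 SECOND'
ORDER BY criticality, deviation_ratio DESC;
```

Two points to check before relying on the baseline rule. The left join is deliberate: a newly provisioned destination has no trailing-hour history, so without the absolute floor it would never alert. And the baseline is taken from all traffic in the preceding hour, attack windows included, so an attack that runs longer than an hour gradually raises the baseline it is measured against; a longer baseline window, or one that excludes buckets already flagged, limits that drift.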

Frequently Asked Questions

  • How do I detect a DDoS attack in real time using streaming network data?
  • How does streaming DDoS detection compare to traditional NetFlow analysis?
  • Can I distinguish DDoS traffic from legitimate traffic spikes?
  • How do I integrate DDoS detection signals with automated mitigation?

Detect DDoS attacks in milliseconds, trigger mitigation at onset

Analyze network flow streams in SQL and surface volumetric floods, amplification attacks, and HTTP floods before traffic overwhelms your infrastructure.
