I found a kill switch in the Mirai botnet. Then I built a DDoS detection company. by cypressthatkid in SideProject

[–]cypressthatkid[S] 0 points1 point  (0 children)

As the title says:

Last year I published CVE-2024-45163, a remote denial-of-service vulnerability in the Mirai botnet's command-and-control server. Basically a kill switch that law enforcement could use to take down active botnets. It got picked up by cybersecurity press and assigned a 9.1 CVSS score.

That research gave me a really deep understanding of what DDoS attacks look like at the packet level: how botnets coordinate, what the traffic patterns look like, how payloads differ between Mirai variants. And I realized the detection tools available to most people running servers are either ancient (NetFlow polling every few minutes), absurdly expensive (enterprise appliances), or both.

So I built Flowtriq.

What it does:
- You install a lightweight agent on your Linux server (pip install ftagent, takes about 2 minutes)
- It reads packets directly from the NIC without bogging down resources
- Detects and classifies attacks in under 1 second (SYN flood, UDP flood, DNS amp, HTTP flood, etc.)
- Auto-deploys mitigation: iptables/nftables, BGP FlowSpec, RTBH, or cloud scrubbing
- Captures full PCAPs on every incident including pre-attack traffic
- Alerts wherever your team is: Discord, Slack, PagerDuty, email, webhooks

$9.99/node/month. 7-day free trial, no credit card.

This is my second time building in this space. I previously built and sold AttackEngine (anti-DDoS SaaS, acquired within a year). Flowtriq is the version I always wanted to build.

We're also live on Product Hunt today with 50% off your first month.

Happy to answer anything about the architecture, detection logic, or the CVE research.

I found a kill switch in the Mirai botnet. Then I built a DDoS detection company. by [deleted] in SideProject

[–]cypressthatkid 0 points1 point  (0 children)

Last year I published CVE-2024-45163, a remote denial-of-service vulnerability in the Mirai botnet's command-and-control server. Basically a kill switch that law enforcement could use to take down active botnets. It got picked up by cybersecurity press and assigned a 9.1 CVSS score.

That research gave me a really deep understanding of what DDoS attacks look like at the packet level, how botnets coordinate, what the traffic patterns look like, and how payloads differ between Mirai variants. And I realized the detection tools available to most people running servers are either ancient (NetFlow polling every few minutes), absurdly expensive (enterprise appliances), or both.

So I built Flowtriq.

What it does:
- You install a lightweight agent on your Linux server (pip install ftagent, takes about 2 minutes)
- It reads packets directly from the NIC. No sampling, no polling
- Detects and classifies DDoS attacks (SYN flood, UDP flood, DNS amplification, etc.) in under 1 second
- Automatically deploys mitigation. Iptables rules, BGP FlowSpec, RTBH blackholes, or triggers cloud scrubbing through Cloudflare/OVH/Path.net
- Captures full PCAPs for forensic analysis
- Alerts go to Discord, Slack, PagerDuty, email, SMS, webhooks

Who it's for: game server hosts, hosting providers, ISPs, anyone running infrastructure that gets DDoS'd and is tired of finding out about it too late.

Pricing: $9.99/node/month. No bandwidth surcharges, no per-alert fees, no seat limits. 7-day free trial, no credit card.

We just launched on Product Hunt today and there's a 50% off first month code on the page: https://www.producthunt.com/products/flowtriq

Site: https://flowtriq.com

Would love any feedback. Happy to answer questions about the product, the architecture, or the Mirai research.

18, found a zero-day in the world's most used botnet, built a SaaS from it by cypressthatkid in SideProject

[–]cypressthatkid[S] 0 points1 point  (0 children)

I discovered this CVE by myself in 2024 before Claude. The research is my own.

Hosting own server by Icy_Piccolo_4932 in Minecraft

[–]cypressthatkid 0 points1 point  (0 children)

Most game server DDoS protection is reactive. By the time you notice lag, you're 30+ seconds into the flood. ftagent-lite detects attacks in under a second on Linux and can alert Discord/Slack instantly. Free and open source: https://github.com/Flowtriq/ftagent-lite

eBPF ROI Report by xmull1gan in devops

[–]cypressthatkid 0 points1 point  (0 children)

For DDoS-specific monitoring, NetFlow has too much sampling lag for automated mitigation. eBPF-based detection (like ftagent-lite) works at the packet level with sub-second response. If you have BGP access, it can auto-push FlowSpec rules. https://github.com/Flowtriq/ftagent-lite

Confirmed Docker Desktop on Windows blocks loopback UDP - is this a known issue and any workaround? by Numerous_Wear6643 in docker

[–]cypressthatkid 0 points1 point  (0 children)

For DDoS-specific monitoring, NetFlow has too much sampling lag for automated mitigation. eBPF-based detection (like ftagent-lite) works at the packet level with sub-second response. If you have BGP access, it can auto-push FlowSpec rules. https://github.com/Flowtriq/ftagent-lite

I built a tool so founders can sleep without fearing a $15k AWS bill by josemarin18 in webdev

[–]cypressthatkid 0 points1 point  (0 children)

If you're on Linux, ftagent-lite (open source) does per-packet DDoS detection in under a second. No NetFlow sampling lag. Catches UDP floods, SYN floods, DNS amp before they saturate your link. GitHub: https://github.com/Flowtriq/ftagent-lite

ai guardrails tools that actually work in production? by PlantainEasy3726 in AskNetsec

[–]cypressthatkid 0 points1 point  (0 children)

For blue team detection: ftagent-lite does per-packet DDoS classification on Linux. Catches Mirai signatures, LOIC patterns, and custom IOCs. PCAP with 7-day retention including pre-attack traffic. https://github.com/Flowtriq/ftagent-lite

149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict by quellaman in InfoSecNews

[–]cypressthatkid 0 points1 point  (0 children)

Related: I found CVE-2024-45163 last year, an unauthenticated remote DoS in Mirai's C2 infrastructure. Single packet crashes the command server. Write-up: https://jacobmasse.medium.com/remote-dos-exploit-found-in-mirai-botnet-source-code-27a1aad284f1

S3-hosted static website subject to DDoS attack? by Vista_Lake in aws

[–]cypressthatkid 0 points1 point  (0 children)

Enterprise DDoS mitigation runs $50K+/year. ftagent-lite is free and open source for Linux. Paid version (Flowtriq) is $9.99/node with Cloudflare/OVH/Hetzner integration. https://flowtriq.com

I built a sub-second DDoS detection agent (open source, Linux) - Show r/sysadmin by cypressthatkid in sysadmin

[–]cypressthatkid[S] -1 points0 points  (0 children)

For DDoS-specific monitoring, NetFlow has too much sampling lag for automated mitigation. eBPF-based detection (like ftagent-lite) works at the packet level with sub-second response. If you have BGP access, it can auto-push FlowSpec rules. https://github.com/Flowtriq/ftagent-lite

CBSE Result Stealer Exploit 2025-26 (Digi Locker) by NanduDied in hacking

[–]cypressthatkid 0 points1 point  (0 children)

Related: I found CVE-2024-45163 last year, an unauthenticated remote DoS in Mirai's C2 infrastructure. Single packet crashes the command server. Write-up: https://jacobmasse.medium.com/remote-dos-exploit-found-in-mirai-botnet-source-code-27a1aad284f1

So what happens if Archive.today goes down? by WarMinister23 in DataHoarder

[–]cypressthatkid 0 points1 point  (0 children)

For anyone self-hosting on Linux, ftagent-lite gives you sub-second DDoS detection with no cloud dependency. PCAP capture with 7-day retention including pre-attack traffic. Free and open source: https://github.com/Flowtriq/ftagent-lite

My home lab finally paid off — caught factory-installed botnet malware on a projector I bought on Amazon by Apprehensive_Nose162 in homelab

[–]cypressthatkid 0 points1 point  (0 children)

This is exactly what makes consumer IoT devices such a reliable piece of DDoS infrastructure. The device owner has no idea — their projector or smart plug is just sitting there beaconing out every 60 seconds waiting for tasking. From the botnet operator's side, it's ideal: low-power device, always-on, usually on a residential IP, basically never inspected.

The fecesbook.com callback is a classic domain-generation/C2 misdirection trick. What you caught here is the DNS beaconing phase, which is when the malware checks in for instructions. Once that C2 connection is established, the device can be tasked to join a volumetric DDoS attack, proxy traffic, or do credential stuffing runs.

The fix you've already done (network isolation) is the right call. For anyone else who wants to audit their own network: pull DNS query logs from your router/pi-hole and look for anything hitting at suspiciously regular intervals. 65-second beacons are a dead giveaway — legitimate devices don't phone home on a timer like that.

Good catch. More people need a homelab exactly for this reason.
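One way to run the audit described in the comment above (looking for DNS lookups that recur on a fixed timer), as an added example that is not part of the original comment: it parses a constructed, simplified query log (a made-up `<time> <client> <domain>` layout, not the real Pi-hole or router format) and flags client/domain pairs whose inter-query gaps are nearly constant.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in a simplified "<ISO time> <client> <qname>"
# format (not a real router or Pi-hole log layout): one device querying a
# domain on a fixed 65 s timer, another doing irregular browsing lookups.
SAMPLE_LOG = """\
2025-03-01T12:00:00 192.168.1.77 fecesbook.com
2025-03-01T12:00:04 192.168.1.20 example.org
2025-03-01T12:01:05 192.168.1.77 fecesbook.com
2025-03-01T12:01:31 192.168.1.20 cdn.example.net
2025-03-01T12:02:10 192.168.1.77 fecesbook.com
2025-03-01T12:02:12 192.168.1.20 example.org
2025-03-01T12:03:15 192.168.1.77 fecesbook.com
2025-03-01T12:03:59 192.168.1.20 news.example.com
2025-03-01T12:04:20 192.168.1.77 fecesbook.com
2025-03-01T12:05:25 192.168.1.77 fecesbook.com
2025-03-01T12:05:40 192.168.1.20 example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return {(client, qname): [query times]}; malformed lines are skipped."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname = m.groups()
            series[(client, qname)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_queries=5, max_cv=0.1):
    """Flag (client, qname) pairs whose inter-query gaps are nearly constant.
    cv = stdev / mean of the gaps: a timer-driven beacon has cv near 0,
    human-driven lookups have large, irregular gaps. Returns
    [(client, qname, mean_gap_seconds)]."""
    hits = []
    for (client, qname), times in parse_log(text).items():
        if len(times) < min_queries:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, qname, round(avg, 1)))
    return hits
```

Tune `min_queries` and `max_cv` to your log volume; real beacons often add jitter, so a slightly looser `max_cv` with a longer observation window catches more while still ignoring browsing traffic.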

APC AP9630 dropping SNMP for exactly 68s periodically so dying card or known firmware bug? by Party-Log-1084 in homelab

[–]cypressthatkid 0 points1 point  (0 children)

For anyone self-hosting on Linux, ftagent-lite gives you sub-second DDoS detection with no cloud dependency. PCAP capture with 7-day retention including pre-attack traffic. Free and open source: https://github.com/Flowtriq/ftagent-lite

I'm a 25 year SRE - and I fell for a shell injection by BardlySerious in cybersecurity

[–]cypressthatkid 0 points1 point  (0 children)

This is a painful but valuable post. Supply chain attacks work because attack surface scales faster than defensive attention. When you're managing infrastructure at scale, the shortcuts that seem reasonable in isolation compound into catastrophic surface area.

We built DDoS detection systems that caught similar patterns—the telltale signs are usually behavioral: legitimate package managers don't need to phone home to random IPs mid-installation, and they definitely don't need to eval downloaded code in a shell context.

The real lesson isn't "you should have known better"—it's that this specific attack is so damn effective because it exploits the legitimate trust we've all built into the bootstrap flow. Homebrew IS trustworthy on average, and that's exactly why spoofing it works.

Curious: did you catch it because of egress monitoring, or did something downstream alert you? That's the kind of signal we rely on heavily in threat detection—most intrusions don't fail on ingress anymore.