Server Requirements & Specifications
CoreDetection is an AI-powered flow-based DDoS detection appliance. Sizing is driven by flow volume (flows/sec), not line-rate — pick the configuration that matches your network scale and retention requirements.
CoreDetection — Hardware by Throughput Tier
Pick the tier that matches the peak traffic the appliance must observe. Because CoreDetection analyzes flow records (not raw packets), sizing tracks flow volume rather than line-rate — the figures below assume typical flow sampling for each tier.
| Resource | 10 Gbps | 100 Gbps | 400 Gbps | 1 Tbps |
|---|---|---|---|---|
| CPU cores | 4–8 | 16 | 32 | 64+ |
| RAM | 16 GB | 32–64 GB | 128 GB | 256 GB+ |
| Disk (NVMe SSD) | 200 GB | 1 TB | 2–4 TB | 4 TB+ (RAID) |
| NIC (data/ingest) | 10 GbE | 2× 25 GbE | 100 GbE | 2× 100 GbE |
| Flow sampling | 1:1000 | 1:4096 | 1:8192 | 1:16384 |
| Deployment | Single server | Single server | Single server (NVMe RAID) | Dedicated / NUMA-tuned |
Reference Build
The table below is the CoreTech reference hardware profile for a production CoreDetection detection node. Equivalent components from other vendors are acceptable provided they meet the same performance and driver requirements.
| Component | Specification |
|---|---|
| Form factor | 1U rackmount server |
| CPU | 1× AMD EPYC 9124 — 16 cores @ 3.0 GHz |
| RAM | 32 GB (1× 32 GB) or 64 GB (2× 32 GB DDR5-4800 ECC) |
| Storage | BOSS-N1 controller card + 480 GB M.2 NVMe SSD |
| Management NIC | Embedded dual-port 1 GbE (2× RJ45) — out-of-band access |
| Flow ingest NIC | 1× Intel E810-XXV dual-port PCIe — 2× 25 GbE SFP28 |
| Data NIC | 1× NVIDIA ConnectX-6 Dx dual-port PCIe — 2× 100 GbE QSFP56 |
Operating System
- Linux x86-64 with systemd (Ubuntu 22.04/24.04 LTS or Debian 12 recommended).
- Docker Engine 24+ and the Docker Compose plugin (built-in flow pipeline).
- Root / sudo access for installation and service registration.
- Accurate system clock (NTP/chrony) — the license enforces anti-rollback clock checks.
Network & Ports
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 2055 / 4739 / 6343 | UDP | Inbound | Flow ingest (NetFlow / IPFIX / sFlow) from routers |
| 179 | TCP | Out / In | BGP sessions — CoreDetection blackhole & FlowSpec announcements |
| 9009 | TCP | Inbound | CoreDetection REST API (configurable) |
| 443 / 80 | TCP | Outbound | License-package download & container images at install time |
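One way to enforce source restrictions on the inbound ports in the table above, as an added nftables example that is not part of the CoreDetection documentation or installer. The table, chain and set names are hypothetical, every address is a constructed placeholder from the RFC 5737 documentation ranges, and it assumes exporters, BGP peers and API clients are IPv4-only.

```nftables
#!/usr/sbin/nft -f
# Added example, not shipped with CoreDetection. Names are hypothetical and
# all addresses are constructed placeholders; replace them with your own.

table inet coredetection_guard {
    # Routers allowed to export NetFlow / IPFIX / sFlow (assumed addresses).
    set flow_exporters {
        type ipv4_addr
        elements = { 192.0.2.1, 192.0.2.2 }
    }
    # BGP peers that may open a session to the appliance (assumed address).
    set bgp_peers {
        type ipv4_addr
        elements = { 192.0.2.1 }
    }
    # Management hosts or the TLS reverse proxy allowed to reach the REST API.
    set api_clients {
        type ipv4_addr
        elements = { 198.51.100.10 }
    }

    chain guard {
        # Priority -150 runs after conntrack (-200) and before destination
        # NAT (-100), so the original port is matched even if Docker publishes
        # it via DNAT and the packet never traverses the input hook.
        type filter hook prerouting priority -150; policy accept;

        # Loopback and container-bridge traffic is left alone.
        iifname "lo" accept
        iifname "docker0" accept
        iifname "br-*" accept

        # Replies to connections the appliance opened (BGP out, HTTPS out).
        ct state established,related accept

        # Assumption: no IPv6 clients, so the appliance ports are closed on IPv6.
        meta nfproto ipv6 udp dport { 2055, 4739, 6343 } drop
        meta nfproto ipv6 tcp dport { 179, 9009 } drop

        # Inbound ports from the table, restricted by source address.
        ip saddr != @flow_exporters udp dport { 2055, 4739, 6343 } drop
        ip saddr != @bgp_peers tcp dport 179 drop
        ip saddr != @api_clients tcp dport 9009 log prefix "cd-api-deny " drop
    }
}
```

Validate the file with `nft -c -f` before loading it, and keep any existing input-chain policy in place, since this table only narrows who can reach the appliance ports.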
Expose port 9009 only to trusted management hosts. The API uses API-key authentication; for internet exposure place it behind a TLS reverse proxy (nginx/Traefik) and a firewall. See Configuration → Security.
Router Prerequisites
- Ability to export flow telemetry (NetFlow v9 / IPFIX / sFlow) to the CoreDetection server.
- A BGP-capable edge router to receive blackhole/mitigation announcements (optional but required for automatic mitigation).
- A blackhole community / next-hop policy configured on the router (e.g. 65001:666).
What's Included
CoreDetection ships as a complete, self-contained appliance. The installer provisions every module automatically — you do not assemble or install anything by hand:
| Module | Role |
|---|---|
| Flow Collector | Receives and enriches router flow exports (NetFlow / IPFIX / sFlow) |
| Flow Store | High-performance storage of flow records for analysis |
| Ingest Pipeline | Buffers and streams flows into the engine at scale |
| Detection Engine | Attack detection, BGP speaker, and REST API |
| GoBGP | BGP blackhole and FlowSpec route announcements |
Licensing
- CoreDetection requires a valid per-server license issued by CoreTech, bound to the server's unique ID and verified locally (offline). The annual license covers software updates and support.
- See Installation → License Activation for the activation flow.