
The Problem: Manual Escalation Is Too Slow

A typical DDoS attack reaches peak volume within 10 to 30 seconds. Meanwhile, a typical manual escalation process looks like this: monitoring tool fires an alert, an on-call engineer acknowledges it, logs into the dashboard, evaluates the attack, decides on a mitigation strategy, and executes it. Best case, that takes 5 to 15 minutes. For a volumetric attack saturating your uplinks, those minutes mean total service outage for every customer behind that link.

The gap between attack speed and human response speed is the fundamental problem. Attackers know this. Modern botnets are designed to hit hard and fast, overwhelming infrastructure before defenders can react. Some attacks pulse in short bursts - 60 seconds on, 60 seconds off - specifically to frustrate manual triage.

The average time-to-mitigate for manually handled DDoS attacks is 10+ minutes. Flowtriq's auto-escalation reduces that to under 2 seconds for Level 1 and under 10 seconds for Level 4.

What you need is a system that detects, classifies, and mitigates automatically - escalating through increasingly aggressive defenses only when necessary. That is exactly what Flowtriq's 4-level auto-escalation chain does.

The 4-Level Escalation Chain

Flowtriq's auto-escalation is a tiered defense system. Each level is more aggressive than the last, and each is triggered automatically based on attack severity thresholds. The system always starts at Level 1 and escalates only when the current level cannot contain the attack.

Level 1: Local Firewall Rules (iptables/nftables)

The first line of defense. When Flowtriq detects attack traffic, it immediately pushes firewall rules to the affected node. These rules drop malicious packets at the kernel level using iptables or nftables, depending on your system configuration.

  • Response time: Under 2 seconds from detection to rule deployment.
  • Effective against: Single-source floods, protocol-specific attacks (SYN floods, UDP amplification), attacks under your link capacity.
  • Capacity: Handles attacks up to roughly 1-2 Gbps on modern hardware with kernel-level filtering.
  • Impact: Zero when the rule matches only attack traffic: legitimate traffic flows normally. The one caveat is rate-limit rules, which clip everything on the matched port once the limit is exceeded, so their rates need tuning per node.

# Example: auto-generated nftables rules for a SYN flood.
# The table and base chain must exist; create them once if they do not.
nft add table inet filter
nft 'add chain inet filter input { type filter hook input priority 0; policy accept; }'

# Drop bare SYNs (SYN set, ACK clear) to port 80 from the identified sources.
# A plain "tcp flags syn" match would also hit SYN+ACK segments.
nft add rule inet filter input \
  ip saddr { 203.0.113.0/24, 192.0.2.0/24 } \
  tcp dport 80 'tcp flags & (syn|ack) == syn' \
  counter drop

# Rate limiting for UDP amplification: reflected replies arrive with the
# reflector's service port as source. This is a single shared limit, so it
# also clips legitimate DNS/NTP replies above 10k pps; tune the rate per node.
nft add rule inet filter input \
  udp sport { 53, 123, 161, 1900 } \
  limit rate over 10000/second \
  counter drop

Level 1 is fast, surgical, and has no collateral impact as long as its matches are tight. For the majority of small to medium attacks, this is all you need. Flowtriq monitors the attack in real time; if the firewall rules successfully reduce malicious traffic to zero, escalation stops here.

Level 2: BGP FlowSpec

When attack volume exceeds what the local firewall can handle - typically because the traffic is saturating your inbound link before it even reaches your server - Flowtriq escalates to BGP FlowSpec. FlowSpec pushes granular filtering rules directly to your upstream router, dropping attack traffic at the network edge.

  • Response time: Under 5 seconds. Flowtriq pushes FlowSpec rules via BGP session to your edge router.
  • Effective against: Volumetric attacks that exceed host capacity but can be described by specific patterns (source prefix, destination port, protocol, packet length, DSCP).
  • Capacity: Limited by your router's hardware - typically handles tens of Gbps.
  • Impact: Minimal. FlowSpec rules are surgical: they match specific traffic patterns, not entire prefixes.
# Example: FlowSpec rule pushed to edge router
# Drops UDP traffic from 203.0.113.0/24 to 198.51.100.10 port 80
# (illustrative notation; on the wire the router receives it as a
# BGP FlowSpec NLRI, RFC 8955, and renders it in its own config syntax)
flow {
  match destination 198.51.100.10/32;
  match source 203.0.113.0/24;
  match protocol udp;
  match destination-port 80;
  then discard;
}

FlowSpec vs. blackhole: BGP FlowSpec is far more precise than a blackhole. Where a blackhole drops all traffic to an IP, FlowSpec can filter by source, destination, port, protocol, packet size, and more. It is a scalpel where blackholing is a sledgehammer. Two practical conditions apply: your upstream has to accept FlowSpec routes from you at all (many transit providers do not, or only by prior arrangement), and the rule's destination prefix must be one you already originate to that peer, because FlowSpec validation (RFC 8955) rejects rules for prefixes the sender does not announce.

Level 3: RTBH (Remote Triggered Black Hole)

If the attack overwhelms even your router's FlowSpec capacity - or if FlowSpec rules cannot adequately describe the attack traffic - Flowtriq escalates to RTBH. This announces a blackhole route for the targeted prefix to your upstream providers, causing them to drop all traffic destined for that IP at their edge.

  • Response time: Under 8 seconds. Flowtriq announces the /32 blackhole route via BGP with the appropriate provider communities (for example the well-known BLACKHOLE community 65535:666 from RFC 7999, or the provider's own blackhole community).
  • Effective against: Massive volumetric attacks that saturate your upstream links, and attacks from spoofed or randomized sources that FlowSpec patterns cannot isolate.
  • Capacity: Effectively unlimited from your side. Traffic is dropped at the provider edge before it touches your infrastructure.
  • Impact: High for the targeted IP. All traffic to the blackholed IP is dropped, including legitimate users. The rest of your network is fully protected.

RTBH is a sacrifice play: you lose one IP to save the rest of the network. Flowtriq only escalates to Level 3 when the attack is severe enough that losing one IP is better than losing everything.

Level 4: Cloud Scrubbing

The final escalation tier. When an attack is so large that even RTBH is not an acceptable response - because the targeted IP runs a critical service that cannot go offline - Flowtriq activates upstream cloud scrubbing. Traffic is rerouted through a scrubbing provider that absorbs the attack and forwards only clean traffic back to your infrastructure.

  • Response time: Under 10 seconds. Flowtriq triggers the scrubbing activation via API integration with your provider.
  • Effective against: Any volumetric attack, regardless of size. Multi-hundred-Gbps floods that would overwhelm any on-premise solution.
  • Capacity: Depends on the scrubbing provider - typically 1 Tbps+ absorption capacity.
  • Impact: Near-zero. Legitimate traffic is forwarded after scrubbing. Latency increases by 2-10 ms during scrubbing.

Flowtriq integrates with major scrubbing and DDoS protection providers:

  • Cloudflare Magic Transit — global Anycast network, 300+ Tbps capacity
  • OVH VAC — built-in for OVH infrastructure, automatic activation
  • Path.net — BGP-based scrubbing for bare-metal and colocation
  • Voxility — European scrubbing network with peering presence
  • Hetzner DDoS Protection — integrated protection for Hetzner-hosted infrastructure

How Escalation Triggers Work

Each escalation level is triggered by configurable thresholds based on attack severity. Flowtriq evaluates three metrics in real time:

  1. Packets per second (PPS): The raw packet rate of identified attack traffic.
  2. Bits per second (BPS): The bandwidth consumed by attack traffic.
  3. Mitigation effectiveness: Whether the current level is actually reducing attack impact. If Level 1 firewall rules are deployed but inbound bandwidth is still climbing, the current level is not working.

Default escalation thresholds (fully customizable per node):

Level   Trigger Condition
────────────────────────────────────────────────────
L1      Attack detected (any volume)
L2      Attack > 500 Mbps OR L1 ineffective for 10s
L3      Attack > 5 Gbps OR L2 ineffective for 15s
L4      Attack > 20 Gbps OR L3 activated on critical IP

The key insight is the "ineffective" condition. Flowtriq does not just look at absolute thresholds; it evaluates whether the current mitigation level is actually working. If Level 1 firewall rules are in place but traffic is still growing, the system escalates even if the absolute threshold for Level 2 has not been reached. This prevents situations where an attack sits just below a threshold but still causes damage.

How De-Escalation Works

Escalation is only half the equation. Equally important is knowing when to stand down. Flowtriq handles de-escalation automatically using a staged withdrawal process:

  1. Attack subsides: Flowtriq detects that attack traffic has dropped below the current level's activation threshold for a sustained period (default: 5 minutes, configurable).
  2. Step down one level: The system withdraws the highest active mitigation and drops to the level below. For example, if Level 3 (RTBH) and Level 1 (firewall) are both active, it withdraws the RTBH first.
  3. Monitor and hold: After stepping down, Flowtriq monitors for 2 minutes to confirm the attack does not resume. If it does, re-escalation is instant.
  4. Continue stepping down: If traffic remains clean, the system continues de-escalating one level at a time until all mitigation rules are removed.

De-escalation is always slower than escalation by design. Escalation needs to be fast (seconds), but de-escalation should be cautious (minutes). Removing mitigation too early and getting hit again is worse than keeping defenses up a few minutes longer.

For Level 3 (RTBH) specifically, Flowtriq waits a longer default cool-down of 30 minutes before withdrawing the blackhole route. This accounts for the common pattern where attackers pause and resume once they detect the target is reachable again.
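The two sections above describe the escalation and de-escalation rules in prose. As an added example (not Flowtriq's code, and not part of the original post), here is a small Python controller that implements them with the page's default thresholds and cool-downs: one step per sample of (time, attack bandwidth, link utilisation), escalation on the absolute threshold or on the "ineffective for N seconds" rule, the critical-IP skip from Level 2 straight to Level 4, and staged withdrawal with the 30-minute RTBH cool-down. The effectiveness metric (link utilisation still climbing past what it was when the level was deployed), the Sample record and the two constructed timelines are assumptions made for the example.

```python
"""Escalation controller modelled on the 4-level chain described above.

Hypothetical example code for this article, not Flowtriq's implementation.
Thresholds and cool-downs are the page's defaults; the "ineffective" test
(inbound link utilisation still climbing past what it was when the level
was deployed) is an assumption about how that metric could be measured.
"""
from dataclasses import dataclass, field
from typing import Optional

MBPS, GBPS = 1_000_000, 1_000_000_000

# Absolute trigger for each level (bits/s); Level 1 fires on any attack.
ACTIVATION_BPS = {1: 0, 2: 500 * MBPS, 3: 5 * GBPS, 4: 20 * GBPS}
# Seconds a level may stay ineffective before the next one is pulled in.
INEFFECTIVE_SECONDS = {1: 10, 2: 15}
# Quiet time required before the top level is withdrawn; RTBH waits 30 min.
COOLDOWN_SECONDS = {1: 300, 2: 300, 3: 1800, 4: 300}


@dataclass
class Sample:
    t: float           # seconds since first detection (constructed input)
    attack_bps: float  # bandwidth of traffic classified as attack
    link_bps: float    # total inbound utilisation of the node's uplink


@dataclass
class Controller:
    critical: bool = False                             # critical IPs skip RTBH
    active: list = field(default_factory=list)         # ascending active levels
    standdown_bps: dict = field(default_factory=dict)  # level -> threshold used
    link_at_activation: float = 0.0
    ineffective_since: Optional[float] = None
    quiet_since: Optional[float] = None

    def _activate(self, level: int, would: int, s: Sample) -> tuple:
        self.active.append(level)
        # Stand down against the threshold that triggered it, so an L4 deployed
        # in place of L3 is not withdrawn while 8 Gbps is still arriving.
        self.standdown_bps[level] = ACTIVATION_BPS[would]
        self.link_at_activation, self.ineffective_since = s.link_bps, None
        self.quiet_since = None
        return ("activate", level)

    def step(self, s: Sample) -> Optional[tuple]:
        """Evaluate one sample; return ('activate'|'withdraw', level) or None."""
        if not self.active:
            return self._activate(1, 1, s) if s.attack_bps > 0 else None
        top = self.active[-1]
        # Effectiveness: is the link still climbing past the level's baseline?
        if s.link_bps > self.link_at_activation:
            if self.ineffective_since is None:
                self.ineffective_since = s.t
        else:
            self.ineffective_since = None
        # Escalation: absolute threshold OR current level ineffective too long.
        would = top + 1
        if would <= 4:
            target = 4 if (would == 3 and self.critical) else would  # skip RTBH
            over = s.attack_bps > ACTIVATION_BPS[would]
            stuck = (top in INEFFECTIVE_SECONDS
                     and self.ineffective_since is not None
                     and s.t - self.ineffective_since >= INEFFECTIVE_SECONDS[top])
            if over or stuck:
                return self._activate(target, would, s)
        # De-escalation: quiet below the top level's threshold for its cool-down.
        if s.attack_bps <= self.standdown_bps[top]:
            if self.quiet_since is None:
                self.quiet_since = s.t
            elif s.t - self.quiet_since >= COOLDOWN_SECONDS[top]:
                self.active.pop()
                self.quiet_since = s.t  # hold: next level gets its own cool-down
                self.link_at_activation, self.ineffective_since = s.link_bps, None
                return ("withdraw", top)
        else:
            self.quiet_since = None
        return None


def run(ctrl: Controller, samples) -> list:
    """Feed samples in time order; return [(t, action, level), ...]."""
    return [(s.t, *ev) for s in samples if (ev := ctrl.step(s)) is not None]


def multi_vector_on_regular_ip() -> list:
    """Constructed timeline: 400 Mbps SYN flood grows to 10 Gbps, then stops."""
    tl = [(0, 400 * MBPS, 400 * MBPS), (1, 400 * MBPS, 400 * MBPS),
          (2, 2 * GBPS, 2 * GBPS), (3, 2 * GBPS, 2 * GBPS), (4, 10 * GBPS, 10 * GBPS),
          (5, 10 * GBPS, 0), (6, 0, 0), (1805, 0, 0), (1806, 0, 0),
          (2106, 0, 0), (2406, 0, 0)]
    return run(Controller(), [Sample(*x) for x in tl])


def flood_on_critical_ip() -> list:
    """Constructed timeline: 100 Gbps flood on a critical IP; RTBH is skipped."""
    tl = [(0, 100 * GBPS, 10 * GBPS), (1, 100 * GBPS, 10 * GBPS),
          (2, 100 * GBPS, 10 * GBPS), (3, 100 * GBPS, 2 * GBPS)]
    return run(Controller(critical=True), [Sample(*x) for x in tl])
```

Running `multi_vector_on_regular_ip()` yields activations of L1, L2 and L3 at t=0, 2 and 4, then withdrawals at t=1806 (RTBH, 30 minutes after the attack stopped), 2106 and 2406 (5 minutes each). One design point worth noticing: a level pulled in by the ineffectiveness rule while the attack is still below that level's absolute threshold is considered quiet immediately, so it will be timed out after its cool-down and re-deployed if the lower level still cannot cope. A production controller would add hysteresis there rather than flap every few minutes.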

Real-World Scenario Walkthrough

Here is how auto-escalation plays out across three different attack scenarios on a server with a 10 Gbps uplink:

Scenario 1: 500 Mbps UDP Flood

  1. T+0s: Flowtriq detects a UDP amplification flood at 500 Mbps targeting port 443.
  2. T+1.5s: Level 1 activated. nftables rules deployed to drop UDP packets from amplification source ports (53, 123, 161, 1900).
  3. T+3s: Attack traffic drops to near zero at the host. Inbound link utilization returns to normal.
  4. Result: Attack fully mitigated at Level 1 in under 3 seconds. No escalation needed. No service impact.

Scenario 2: 10 Gbps Multi-Vector Attack

  1. T+0s: Flowtriq detects a SYN flood at 400 Mbps targeting port 80 (below the default 500 Mbps Level 2 trigger).
  2. T+1.5s: Level 1 activated. iptables SYN rate limiting rules deployed.
  3. T+8s: Attack escalates to 10 Gbps. Attacker adds UDP and GRE flood vectors. Inbound link is saturated. Level 1 is ineffective because traffic is being dropped upstream by congestion, not by the firewall.
  4. T+12s: Level 2 activated. FlowSpec rules pushed to edge router, filtering by source prefixes, protocols, and packet characteristics.
  5. T+15s: FlowSpec rules reduce attack traffic by 70%. Link utilization drops to 3 Gbps.
  6. T+20s: Remaining 3 Gbps is from randomized sources that evade FlowSpec patterns. Flowtriq detects Level 2 is partially ineffective.
  7. T+35s: Level 3 activated. RTBH announced for the targeted /32. All traffic to the target IP is dropped at the provider edge. Link fully recovers.
  8. T+35min: Attack stops. Flowtriq begins de-escalation: the RTBH route is withdrawn after the 30-minute cool-down (around T+65min), FlowSpec rules are removed 5 minutes later, and firewall rules 5 minutes after that.
  9. Result: Network protected within 35 seconds. Targeted IP was unreachable for about 65 minutes (the 35-minute attack plus the 30-minute RTBH cool-down). All other services unaffected throughout.

Scenario 3: 100 Gbps Volumetric Flood

  1. T+0s: Flowtriq detects a massive DNS amplification flood at 100 Gbps targeting a critical web server IP.
  2. T+1.5s: Level 1 activated (firewall rules deployed but ineffective - link is completely saturated).
  3. T+5s: Level 2 activated (FlowSpec rules pushed but router is overwhelmed by sheer volume).
  4. T+8s: Level 3 would normally activate, but this IP is flagged as critical (cannot be blackholed). Flowtriq skips Level 3.
  5. T+9s: Level 4 activated. Flowtriq triggers Cloudflare Magic Transit via API. BGP announcement reroutes the target prefix through Cloudflare's scrubbing network.
  6. T+25s: Cloudflare begins absorbing the flood. Clean traffic is tunneled back to origin. Service is restored.
  7. T+3h: Attack subsides. Flowtriq initiates de-escalation. Cloud scrubbing is deactivated after a 30-minute observation period. Lower levels are unwound over the next 15 minutes.
  8. Result: Service disruption limited to approximately 25 seconds. No data loss. No human intervention required.

Configuring Escalation in the Dashboard

Auto-escalation is configured per node in the Flowtriq dashboard under Mitigation → Auto-Escalation. For each node, you can:

  • Enable or disable each level: Not every node needs all four levels. A development server might only need Level 1. A production edge node might need all four.
  • Set custom thresholds: Override the default BPS and PPS thresholds for each escalation trigger.
  • Mark IPs as critical: Critical IPs skip Level 3 (RTBH) and go directly to Level 4 (cloud scrubbing) when Levels 1-2 are insufficient.
  • Configure cool-down timers: Set how long each level waits before de-escalating.
  • Set provider integrations: Configure BGP sessions for FlowSpec and RTBH, and API credentials for cloud scrubbing providers.
  • Test escalation: Run a dry-run simulation that walks through the escalation chain without deploying any actual rules.

Audit trail: Every escalation and de-escalation event is logged in your audit log with timestamps, the triggering metrics, and the exact rules deployed. This gives you full post-incident visibility and helps with compliance reporting.

Benefits of Automated Escalation

Replacing manual escalation with Flowtriq's automated chain delivers measurable improvements:

  • Zero human intervention: The entire escalation and de-escalation cycle runs without anyone touching a keyboard. Your team gets notified, but they do not need to act unless they choose to override.
  • Sub-second detection, single-digit-second mitigation: Level 1 deploys in under 2 seconds. Even Level 4 (cloud scrubbing) activates in under 10 seconds. Compare that to the 10+ minute average for manual response.
  • Layered fallback: four mitigation mechanisms mean that if one fails or is insufficient, the next takes over automatically. Local firewall overwhelmed? FlowSpec handles it. FlowSpec router overloaded? RTBH kicks in. RTBH too aggressive for a critical IP? Cloud scrubbing absorbs it.
  • Proportional response: The system always uses the least aggressive mitigation that works. A 200 Mbps attack does not trigger RTBH. A 100 Gbps attack does not waste time on firewall rules alone. Each attack gets the right response.
  • Automatic de-escalation: Defenses are removed when no longer needed. No forgotten blackhole routes silently dropping traffic days after an attack ended.
  • 24/7 coverage: Attacks at 3 AM on a Saturday are mitigated just as effectively as attacks during business hours. No reliance on on-call response times.

Get started with Flowtriq's free 7-day trial and configure auto-escalation for your infrastructure in minutes.
