BGP Mitigation Engine

Auto-deploy FlowSpec rules, RTBH blackhole routes, and rate-limiting announcements via BGP

BGP mitigation requires the admin or owner role. It works alongside firewall rules and cloud scrubbing; all three can trigger on the same incident.

Overview

The BGP mitigation engine connects Flowtriq to your BGP speakers (ExaBGP, GoBGP) or upstream providers (Cloudflare, webhook). When an attack is detected, the engine automatically selects the right mitigation action and announces the corresponding BGP rule. Rules auto-expire after their TTL, and the engine handles retries, deduplication, and rate limiting.

Key Concepts

Concept | Description
Adapter | A BGP speaker or endpoint that receives mitigation commands (ExaBGP, GoBGP, Cloudflare, or webhook)
Intent | The type of mitigation: rate_limit_src, drop_protocol, drop_udp_port, blackhole
Escalation Level | Four levels: local (rate-limit), flowspec (drop), rtbh (blackhole), scrubbing (cloud divert)
Rule TTL | How long a rule stays active before auto-expiring (default: 300 seconds)
Cooldown | Minimum time between rules for the same target (default: 60 seconds)

Escalation Policy

The escalation policy selects the mitigation level from the measured attack bandwidth: the highest level whose threshold the bandwidth exceeds is applied. Thresholds are configurable per workspace.

Level | Default Threshold | Action
Local (Rate-Limit) | > 100 Mbps | FlowSpec rate-limiting rules throttle attack traffic
FlowSpec (Drop) | > 500 Mbps | FlowSpec drop rules filter specific protocols/ports
RTBH (Blackhole) | > 2 Gbps | RTBH announces the target with the BLACKHOLE community 65535:666 (RFC 7999); this drops all traffic to the target, legitimate traffic included
Cloud Scrubbing | > 5 Gbps | Diverts traffic to the upstream scrubbing provider

To configure thresholds, go to Dashboard → Mitigation → Escalation tab.

Setting Up an Adapter

ExaBGP

  1. Install ExaBGP on your border router or a dedicated route server
  2. Run an HTTP API listener under ExaBGP (default port 5000). ExaBGP's own API is plain text over the stdin/stdout of the processes it spawns, so the listener is a small process that turns each HTTP request into those announce/withdraw commands
  3. In Flowtriq, go to Dashboard → Mitigation → BGP Adapters
  4. Click Add Adapter, select type ExaBGP
  5. Enter the endpoint URL (e.g. http://10.0.0.1:5000) and optional auth token
  6. Configure the BGP neighbor IP and the max prefix length safety limit
  7. Select capabilities (FlowSpec, RTBH, rate-limiting)
  8. Click Test to verify connectivity

Anything that can reach the listener can inject routes into your network. Keep it on a management network, set the auth token, and terminate TLS in front of it, since over plain HTTP the token crosses the wire in clear text.

GoBGP

  1. Install GoBGP and configure its API. gRPC is GoBGP's native API (gobgpd listens on port 50051 by default); a REST endpoint means a separate front end you run in front of gRPC
  2. In Flowtriq, add a new adapter with type GoBGP
  3. Enter the API endpoint URL and auth token
  4. GoBGP supports the same FlowSpec and RTBH capabilities as ExaBGP

Cloudflare (Magic Transit)

  1. Requires a Cloudflare account with Magic Transit enabled
  2. Add a new adapter with type Cloudflare
  3. Enter your API token (needs the Account:IP Prefixes:Edit scope) and account ID
  4. The Cloudflare adapter supports the blackhole intent, implemented as a Magic Transit prefix advertisement: Cloudflare advertises the prefix from its edge and scrubs the traffic before returning it, so the prefix is diverted rather than dropped. This is the adapter behind the cloud scrubbing level

Webhook

  1. Set up an HTTP endpoint that accepts POST requests with JSON body
  2. Add a new adapter with type Webhook
  3. Enter the endpoint URL, auth token, and optional custom headers
  4. Webhook receives structured JSON with rule details, intent, target, and action (announce/withdraw)
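The receiving side of the Webhook adapter, as an added example (not Flowtriq's code). handle() checks the bearer token, validates the payload, re-applies the public-IPv4 guard on the receiver (the token is the only thing standing between a caller and your routing table, so do not trust the sender's validation) and keeps its own TTL so that a lost withdraw cannot leave a drop in place forever. The field names (rule_id, action, intent, target, ttl), the Authorization: Bearer header and the TTL cap are assumptions of this example; the page only says the body carries rule details, intent, target and action.

```python
import hmac
import ipaddress
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

TOKEN = "replace-me"   # the auth token configured on the adapter (header shape assumed)
MAX_TTL = 3600         # assumed cap: refuse rules that would outlive an incident
VALID_INTENTS = {"rate_limit_src", "drop_protocol", "drop_udp_port", "blackhole"}
# Ranges never accepted as a target; production code should also consult the IANA
# special-purpose registry (the 203.0.113.0/24 documentation range is used below only
# as a constructed stand-in for a customer address).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def allowed_target(net) -> bool:
    """Public IPv4 and never broader than a /24, checked again on the receiver."""
    return net.version == 4 and net.prefixlen >= 24 and not any(net.overlaps(b) for b in BLOCKED)


class RuleStore:
    """Active rules by rule_id with a local expiry; announce and withdraw are idempotent."""

    def __init__(self):
        self.rules = {}

    def apply(self, msg: dict, now: float) -> str:
        rid = msg["rule_id"]
        if msg["action"] == "withdraw":
            return "withdrawn" if self.rules.pop(rid, None) else "already gone"
        if rid in self.rules:
            return "already active"          # a retried delivery, not a second rule
        self.rules[rid] = dict(msg, expires=now + msg["ttl"])
        return "announced"

    def expire(self, now: float) -> list:
        """Drop rules whose TTL passed without a withdraw message ever arriving."""
        gone = [rid for rid, rule in self.rules.items() if rule["expires"] <= now]
        for rid in gone:
            del self.rules[rid]
        return gone


def handle(headers, body: bytes, store: RuleStore, now: Optional[float] = None):
    """Process one delivery and return (HTTP status, JSON reply); pure, so it runs offline."""
    now = time.time() if now is None else now
    presented = headers.get("Authorization", "").encode()
    if not hmac.compare_digest(presented, f"Bearer {TOKEN}".encode()):
        return 401, {"error": "bad token"}
    try:
        msg = json.loads(body)
        rid, action, intent = msg["rule_id"], msg["action"], msg["intent"]
        ttl = int(msg["ttl"])
        net = ipaddress.ip_network(msg["target"], strict=False)
    except (ValueError, KeyError, TypeError) as exc:
        return 400, {"error": f"malformed payload: {exc}"}
    if action not in ("announce", "withdraw") or intent not in VALID_INTENTS:
        return 400, {"error": "unknown action or intent"}
    if not allowed_target(net):
        return 403, {"error": f"{net} is not an acceptable target"}
    if not 0 < ttl <= MAX_TTL:
        return 400, {"error": "ttl out of range"}
    msg["ttl"] = ttl
    return 200, {"result": store.apply(msg, now), "rule_id": rid}


class Hook(BaseHTTPRequestHandler):
    store = RuleStore()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, reply = handle(self.headers, body, self.store)
        out = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Bind to loopback and put a TLS-terminating reverse proxy in front: the token
    # travels in a header and must not cross the network in clear text.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

The receiver returns 403 rather than silently accepting a private or over-broad prefix, so a misconfigured or compromised sender shows up in the adapter's test status instead of in your routing table. Run RuleStore.expire() from your own timer as well; a rule you never hear a withdraw for should still come out.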

Attack Type Mapping

The engine maps each classified attack type to specific mitigation intents:

Attack Family | Intent | Details
UDP Flood | drop_protocol | Drop all UDP to target
TCP SYN Flood | rate_limit_src | Rate-limit TCP to target
ICMP Flood | drop_protocol | Drop all ICMP to target
DNS Amplification | drop_udp_port | Drop UDP port 53
NTP Amplification | drop_udp_port | Drop UDP port 123
SSDP Amplification | drop_udp_port | Drop UDP port 1900
Memcached Amplification | drop_udp_port | Drop UDP port 11211
Unknown / High Volume | rate_limit_src | Conservative rate-limiting (only above 500 Mbps)

Event Pipeline

Attack events flow through the following stages before a BGP rule is announced:

  1. Queue: Events from lib/notifications.php are queued in mitigation_event_queue with priority scores
  2. Aggregation: Events within the aggregation window (default 5s) targeting the same IP+protocol+port+family are collapsed
  3. Validation: Target must be a public IPv4 address or prefix (private/reserved ranges rejected; no prefix broader than /24)
  4. Intent Generation: Attack type determines the FlowSpec/RTBH intent
  5. Escalation: Attack bandwidth determines whether intent is upgraded to a higher level
  6. Deduplication: If an active rule already exists for this target+intent, the event is skipped
  7. Rate Limiting: Sliding window ensures max N rules/minute per tenant (default: 30)
  8. Cooldown: Same target cannot receive a new rule within the cooldown period (default: 60s)
  9. Adapter Selection: Best adapter is scored by capability match and last test status
  10. Announce: Rule is dispatched to the adapter with full payload logging
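The decision stages of this pipeline, together with the escalation policy and attack type mapping from the tables above, as an added example that is not Flowtriq's code: validation, intent generation, escalation, deduplication, the per-tenant sliding window, cooldown, the global cap, and finally the ExaBGP text-API line an adapter would announce (and later withdraw when the TTL lapses). Thresholds, intent names and defaults come from this page. The event layout, the PolicyEngine class, the way a level rewrites an intent, the 10 Mbit/s rate value and the exact ExaBGP wording are assumptions of this example; check the command syntax against the ExaBGP version you run.

```python
import ipaddress
from collections import deque, namedtuple
from typing import Optional

MBPS = 1_000_000
# Escalation thresholds (bit/s) from the table above; the highest exceeded level wins.
ESCALATION = [("local", 100 * MBPS), ("flowspec", 500 * MBPS),
              ("rtbh", 2000 * MBPS), ("scrubbing", 5000 * MBPS)]
# Attack family -> (intent, protocol, destination port), from the attack type mapping.
ATTACK_MAP = {
    "udp_flood": ("drop_protocol", "udp", None),
    "tcp_syn_flood": ("rate_limit_src", "tcp", None),
    "icmp_flood": ("drop_protocol", "icmp", None),
    "dns_amplification": ("drop_udp_port", "udp", 53),
    "ntp_amplification": ("drop_udp_port", "udp", 123),
    "ssdp_amplification": ("drop_udp_port", "udp", 1900),
    "memcached_amplification": ("drop_udp_port", "udp", 11211),
}
# Ranges the safety guards reject. Production code should also consult the IANA
# special-purpose registry (which also lists the 203.0.113.0/24 documentation range
# that the constructed events below use as a stand-in for a customer address).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
RATE_LIMIT_BYTES = 1_250_000       # assumed 10 Mbit/s cap; ExaBGP's rate-limit is bytes/s
BLACKHOLE_COMMUNITY = "65535:666"  # BLACKHOLE well-known community, RFC 7999
Rule = namedtuple("Rule", "target intent level proto port expires")


def validate_target(target: str) -> str:
    """Public IPv4 only, no private/reserved range, never broader than a /24."""
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4 or net.prefixlen < 24 or any(net.overlaps(b) for b in BLOCKED):
        raise ValueError(f"{target}: must be public IPv4 and no broader than /24")
    return str(net)


def escalation_level(bps: int) -> Optional[str]:
    exceeded = [name for name, threshold in ESCALATION if bps > threshold]
    return exceeded[-1] if exceeded else None


def exabgp_command(rule: Rule, action: str, next_hop: str = "192.0.2.1") -> str:
    """ExaBGP text-API line for announce/withdraw (wording assumed; check your version)."""
    if rule.intent == "blackhole":  # RTBH: a route for the target tagged BLACKHOLE
        return f"{action} route {rule.target} next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"
    match = [f"destination {rule.target}", f"protocol {rule.proto}"]
    if rule.port is not None:
        match.append(f"destination-port ={rule.port}")
    then = f"rate-limit {RATE_LIMIT_BYTES}" if rule.intent == "rate_limit_src" else "discard"
    return f"{action} flow route {{ match {{ {'; '.join(match)}; }} then {{ {then}; }} }}"


class PolicyEngine:
    """Dedup, per-tenant sliding window, cooldown and global cap, in the page's order."""

    def __init__(self, max_per_minute=30, cooldown=60, ttl=300, global_cap=200):
        self.max_per_minute, self.cooldown, self.ttl, self.cap = max_per_minute, cooldown, ttl, global_cap
        self.active = {}        # (target, intent) -> Rule
        self.window = deque()   # announce timestamps within the last 60 s
        self.last_rule_at = {}  # target -> time of its last rule (cooldown)

    def submit(self, event: dict, now: float):
        """Return (Rule, announce command), or (None, reason) when the event is skipped."""
        target = validate_target(event["target"])
        level = escalation_level(event["bps"])
        if level is None:
            return None, "below local threshold"
        known = event["family"] in ATTACK_MAP
        if known:
            intent, proto, port = ATTACK_MAP[event["family"]]
        elif event["bps"] > 500 * MBPS:  # unknown family: conservative rate-limit only
            intent, proto, port = "rate_limit_src", event.get("proto", "udp"), None
        else:
            return None, "unknown family below 500 Mbps"
        # How a level rewrites the intent is this example's assumption: local throttles,
        # flowspec keeps the mapped intent, rtbh and scrubbing blackhole known families.
        if level == "local" or not known:
            intent = "rate_limit_src"
        elif level in ("rtbh", "scrubbing"):
            intent = "blackhole"
        if (target, intent) in self.active:
            return None, "duplicate of active rule"
        while self.window and now - self.window[0] >= 60:
            self.window.popleft()
        if len(self.window) >= self.max_per_minute:
            return None, "tenant rate limit reached"
        if now - self.last_rule_at.get(target, float("-inf")) < self.cooldown:
            return None, "target in cooldown"
        if len(self.active) >= self.cap:
            return None, "global cap reached"
        rule = Rule(target, intent, level, proto, port, now + self.ttl)
        self.active[(target, intent)] = rule
        self.window.append(now)
        self.last_rule_at[target] = now
        return rule, exabgp_command(rule, "announce")

    def expire(self, now: float) -> list:
        """Withdraw rules past their TTL, as the lifecycle cron does once a minute."""
        due = [key for key, rule in self.active.items() if rule.expires <= now]
        return [exabgp_command(self.active.pop(key), "withdraw") for key in due]


if __name__ == "__main__":  # constructed events: flowspec drop, duplicate, cooldown, RTBH
    eng = PolicyEngine()
    for host, fam, mbps in [(10, "dns_amplification", 800), (10, "dns_amplification", 900),
                            (10, "udp_flood", 3000), (20, "udp_flood", 3000)]:
        print(eng.submit({"target": f"203.0.113.{host}", "family": fam, "bps": mbps * MBPS}, now=1000.0 + host))
    print(eng.expire(now=1400.0))
```

Note what the order of the guards implies: the third constructed event is a 3 Gbps flood against a host that received a FlowSpec drop two seconds earlier, and it is refused by the cooldown rather than escalated to RTBH. With the defaults on this page, a real escalation within 60 seconds of a previous rule waits for the cooldown to lapse or for an operator to create a manual rule.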

Lifecycle Management

The cron job cron/mitigation-lifecycle.php runs every minute and handles:

  • Queue processing: Processes up to 100 pending events per cycle
  • TTL expiry: Withdraws rules that have exceeded their TTL
  • Retry: Re-attempts failed announcements with exponential backoff
  • Cleanup: Removes stale queue entries and expired rate-limit records
Cron required. Add this to your crontab:

* * * * * php /var/www/flowtriq.com/html/cron/mitigation-lifecycle.php

If this job stops, rules past their TTL are never withdrawn and queued events are not processed, so monitor it like any other part of the mitigation path.

Manual Rules

Create rules manually from the Manual Rule tab in the dashboard. Specify:

  • Target IP (public IPv4 only)
  • Intent type (rate-limit, drop protocol, drop port, blackhole)
  • Protocol and port (for drop rules)
  • Rate limit value (for rate-limit intent)
  • TTL in seconds
  • Escalation level override
  • Specific adapter (or auto-select)

API Endpoints

The mitigation API is at /api/dash/mitigation:

Method | Action | Description
GET | ?action=rules | List active mitigation rules
GET | ?action=history | List rule history (last 100)
GET | ?action=adapters | List configured adapters
GET | ?action=escalation | Get escalation policy
GET | ?action=log | Get activity log
GET | ?action=metrics | Get mitigation metrics (active rules, queue depth, etc.)
POST | ?action=save_adapter | Create or update an adapter (admin+)
POST | ?action=delete_adapter | Delete an adapter (admin+)
POST | ?action=test_adapter | Test adapter connectivity (admin+)
POST | ?action=save_escalation | Save escalation policy (admin+)
POST | ?action=create_rule | Create a manual rule (admin+)
POST | ?action=withdraw_rule | Manually withdraw a rule (admin+)

Safety Guards

  • IPv4 only: IPv6 targets are rejected (IPv6 support is on the roadmap)
  • No private IPs: RFC 1918, link-local, loopback, and reserved ranges are blocked
  • /24 minimum prefix: no rule may be broader than a /24 (prefix length 24 or longer), which prevents overly broad blackholes
  • Rate limiting: Configurable max rules per minute per tenant (default: 30)
  • Cooldown: Same target cannot receive a new rule within the cooldown period (default: 60s)
  • Global cap: Maximum 200 active rules per tenant
  • Distributed locks: MySQL GET_LOCK() prevents duplicate announcements in multi-process deployments
  • Unknown attacks: Only mitigated above 500 Mbps, and only with conservative rate-limiting, never a drop or blackhole