
Frequently Asked Questions

What does Flowtriq actually do?

It monitors PPS and BPS on your server every second, classifies attacks into 8 families, captures PCAP evidence, and alerts your team via 7+ channels. It can also trigger local firewall rules (e.g. iptables commands via the agent) on detection, though blocking large volumetric floods still requires your upstream provider.

Does the agent need root?

Yes. Scapy requires root to capture raw packets for IOC matching and PCAP recording. A reduced mode (no PCAP, no IOC) can work without root on servers where /proc/net/dev is readable.

What Linux distros are supported?

Any distro with /proc/net/dev. Tested on Ubuntu 20.04+, Debian 11+, CentOS 7+, AlmaLinux 8+, Rocky Linux 8+, Amazon Linux 2, and Arch.

How is PPS sampled?

/proc/net/dev is read once per second. The delta of the RX/TX packet counters gives PPS. Protocol split (TCP/UDP/ICMP) comes from /proc/net/snmp. Deep packet inspection is done via Scapy for IOC matching and TCP flag analysis.
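
The counter-delta sampling described above, as an added example (not Flowtriq's agent code). The function names and the snapshots are constructed for illustration; treating BPS as bits per second and discarding a sample when a counter decreases are assumptions of this example.

```python
import time

# Constructed /proc/net/dev snapshots taken one second apart (sample data, not real traffic).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
SNAP_T0 = HEADER + (
    "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
    "  eth0: 5000000 40000 0 0 0 0 0 0 800000 9000 0 0 0 0 0 0\n"
)
SNAP_T1 = HEADER + (
    "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
    "  eth0: 95000000 190000 0 0 0 0 0 0 900000 9500 0 0 0 0 0 0\n"
)

def parse_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets, tx_bytes, tx_packets)}."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 16:
            continue                            # skip malformed or truncated rows
        # Column order: 8 receive fields, then 8 transmit fields.
        rx_bytes, rx_pkts, tx_bytes, tx_pkts = (int(fields[i]) for i in (0, 1, 8, 9))
        counters[name.strip()] = (rx_bytes, rx_pkts, tx_bytes, tx_pkts)
    return counters

def rates(prev, cur, interval=1.0):
    """Per-interface PPS and bits/s from two snapshots; None marks an unusable sample."""
    out = {}
    for iface, now in cur.items():
        before = prev.get(iface)
        if before is None:
            continue                            # interface appeared mid-interval: no baseline
        deltas = [n - b for n, b in zip(now, before)]
        if min(deltas) < 0:
            out[iface] = None                   # counter went backwards (reset); skip sample
            continue
        rx_b, rx_p, tx_b, tx_p = deltas
        out[iface] = {"rx_pps": rx_p / interval, "tx_pps": tx_p / interval,
                      "rx_bps": rx_b * 8 / interval, "tx_bps": tx_b * 8 / interval}
    return out

if __name__ == "__main__":                      # live sample on a Linux host; no root needed
    first = parse_net_dev(open("/proc/net/dev").read())
    time.sleep(1)
    print(rates(first, parse_net_dev(open("/proc/net/dev").read())))
```

Skipping the sample after a counter reset avoids reporting a large negative or bogus rate as traffic when an interface is re-created between reads.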

What attack types are detected?

8 families: UDP Flood, SYN Flood, HTTP/L7 Flood, ICMP Flood, DNS Flood, Multi-Vector, and Unknown. Classification uses protocol breakdown, TCP flag analysis, destination port patterns, packet sizes, and IOC matching.

What if my server is offline during an attack?

The agent queues up to 2,000 metric events locally and flushes them when connectivity resumes. Incidents are opened locally and synced when back online.

How long are PCAPs stored?

7 days on Per Node plans, 365 days on Enterprise. Downloads are via signed URL (1-hour expiry).

Can I self-host the API?

Not currently. Flowtriq is a hosted SaaS. Contact us if self-hosted enterprise deployment is a requirement.

How accurate is the AI classification?

Classification confidence ranges from 5% to 98% depending on available evidence. The system uses protocol breakdown, TCP flag analysis, packet size distribution, TTL diversity, IOC signature matching, and GeoIP data. Incidents with PCAP captures achieve the highest confidence scores.

What is the pricing model?

$9.99/node/month or $7.99/node/year. Unlimited team members, unlimited incidents, unlimited alerts. 7-day free trial, no credit card required. Enterprise plans available for volume discounts, extended retention, SSO, and SLAs.

How do escalation policies work?

You define steps with a delay (minutes), minimum severity threshold, and target channels. If an incident remains active past each step's delay AND meets the severity threshold, those channels fire. Without a policy, all active channels fire immediately.

Can I use Flowtriq with Kubernetes?

Yes. Run the FTAgent as a DaemonSet on each node, or as a sidecar in pods that need monitoring. The agent communicates with the API over HTTPS.