IP Reputation Database

Flowtriq maintains a global IP reputation database built from real attack data across the entire network. Every source IP involved in a DDoS incident is recorded, scored, and made available for lookup. This gives you cross-network intelligence on attack sources without compromising anyone's privacy.

How It Works

A background aggregator runs every 15 minutes, scanning resolved incidents for source IPs. These IPs are upserted into the ip_reputation table with the following data points:

  • Attack count — How many incidents this IP has been involved in
  • Networks seen — How many distinct Flowtriq-protected networks this IP has targeted (anonymized count only)
  • Risk score — 0–100 composite score based on attack frequency, volume, cross-network visibility, and recency
  • Attack family — The most common attack type (UDP flood, SYN flood, HTTP flood, etc.)
  • Protocol — Dominant protocol observed (TCP, UDP, ICMP)
  • ASN & Country — Network and geographic origin
  • Peak PPS — Maximum packets-per-second observed from this IP
  • First/last seen — Date range of activity

Risk Score Calculation

Risk scores are computed from multiple signals:

Signal                      Weight               Example
Attack count                Up to 70 points      50+ attacks = 70 pts
Cross-network visibility    Up to 25 points      10+ networks = 25 pts
Peak volume                 Up to 10 points      10M+ PPS = 10 pts
Recency decay               -10 to -20 points    30+ days old = -10 pts

IPs must have at least 2 recorded attacks to appear in the database. Single-incident IPs are not tracked, to reduce noise and avoid false positives.
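The weights above as a worked scoring function. This is an added illustration, not Flowtriq's own aggregator code: the page gives only the caps, the saturation thresholds and the 30-day example, so the linear ramp up to each cap, the -20 step at 60 days, and the high/medium/low bands are assumptions made here. The records below are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Caps and saturation thresholds taken from the Risk Score Calculation table.
ATTACK_MAX, ATTACK_FULL = 70, 50             # 50+ attacks  = 70 pts
NETWORK_MAX, NETWORK_FULL = 25, 10           # 10+ networks = 25 pts
VOLUME_MAX, VOLUME_FULL = 10, 10_000_000     # 10M+ PPS     = 10 pts
MIN_ATTACKS = 2                              # single-incident IPs are not tracked


@dataclass
class ReputationRecord:
    ip: str
    attack_count: int
    networks_seen: int   # anonymized count only, never which networks
    peak_pps: int
    last_seen: date


def _ramp(value: float, full: float, max_points: float) -> float:
    """Linear ramp (assumption) from 0 to max_points, saturating at `full`."""
    return min(max_points, max_points * value / full)


def recency_penalty(last_seen: date, today: date) -> int:
    """Recency decay: -10 pts at 30+ days (from the page); -20 at 60+ days is an assumption."""
    age_days = (today - last_seen).days
    if age_days >= 60:
        return -20
    if age_days >= 30:
        return -10
    return 0


def risk_score(rec: ReputationRecord, today: date):
    """Composite 0-100 score, or None when the IP would not be in the database."""
    if rec.attack_count < MIN_ATTACKS:
        return None
    score = (_ramp(rec.attack_count, ATTACK_FULL, ATTACK_MAX)
             + _ramp(rec.networks_seen, NETWORK_FULL, NETWORK_MAX)
             + _ramp(rec.peak_pps, VOLUME_FULL, VOLUME_MAX)
             + recency_penalty(rec.last_seen, today))
    return int(round(max(0.0, min(100.0, score))))


def risk_band(score: int) -> str:
    """High/medium/low bands; the 70/40 cut-offs are an assumption, not the page's."""
    return "high" if score >= 70 else "medium" if score >= 40 else "low"


# Constructed sample records (not real reputation data).
TODAY = date(2025, 1, 31)
SAMPLE = [
    ReputationRecord("203.0.113.10", 60, 17, 12_000_000, date(2025, 1, 30)),  # saturates every signal
    ReputationRecord("203.0.113.20", 25, 6, 4_000_000, date(2024, 12, 27)),   # mid-range, 35 days stale
    ReputationRecord("203.0.113.30", 1, 1, 500_000, date(2025, 1, 29)),        # below the 2-attack floor
]
```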

Where Reputation Data Appears

  • Incident page — An "IP Reputation Intelligence" card shows cross-network data for the source ASN, country, and known attacker IPs matching the attack type. This card only appears when meaningful data exists.
  • Threat Intelligence page — An "IP Reputation" tab shows the full database: top offenders, country breakdown, attack family distribution, and a searchable table of all tracked IPs.
  • API — Lookup, bulk lookup, stats, and top offenders endpoints for programmatic access.

API Endpoints

Single IP Lookup

GET /api/dash/reputation.php?action=lookup&ip=185.220.101.34

Returns risk score, attack count, networks seen, attack family, ASN, country, peak PPS, first/last seen, and your tenant's incident history for that IP.

Bulk Lookup

GET /api/dash/reputation.php?action=bulk&ips=1.2.3.4,5.6.7.8,9.10.11.12

Accepts up to 50 comma-separated IPs. Returns reputation data for any that have 2+ recorded attacks.

Database Stats

GET /api/dash/reputation.php?action=stats

Returns total IPs tracked, high/medium/low risk counts, top countries, and top attack families.

Top Offenders

GET /api/dash/reputation.php?action=top&limit=20

Returns the highest-risk IPs sorted by risk score, limited to the specified count (max 100).

Privacy

The reputation database is fully anonymized. Only the count of distinct networks is stored — never tenant IDs, workspace names, or server addresses. An IP record says "this IP has attacked 17 networks" without revealing which networks. Data older than 90 days is automatically pruned.

Data Retention

  • IPs with no activity for 90 days are automatically deleted
  • Risk scores decay over time if no new attacks are observed
  • The aggregator runs every 15 minutes via cron