
Firewall Rules

Firewall rules let Flowtriq automatically run commands on a node the moment an attack is detected - without waiting for a human to respond. Rules are evaluated in real time as each incident opens.

Scope: Firewall rules run commands on the monitored server via the agent (e.g. iptables rules). For large volumetric floods that saturate your link, use Cloud Scrubbing integrations to auto-divert traffic to upstream providers like Cloudflare Magic Transit, OVH, or Hetzner.

Configuring Rules

Go to Dashboard → Firewall Rules to create and manage rules. Each rule has:

  • Trigger - what incident property fires the rule: attack family, severity level, PPS threshold, or any incident.
  • Action - what the agent runs: a shell command (e.g. iptables -A INPUT -p udp -j DROP), a script path, or a webhook call.
  • Target nodes - apply to all nodes or specific nodes only.
  • Cooldown - minimum minutes between rule executions per node, to avoid repeated firing.

Example: Block UDP floods automatically

    # Rule configuration
    Name: Block UDP on attack
    Trigger: Attack family = udp_flood
    Action: iptables -A INPUT -p udp -j DROP
    Nodes: All
    Cooldown: 10 minutes

When the agent detects a UDP flood incident, it immediately runs the command, logs the result, and records the action in the audit log.
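Because `iptables -A` appends without checking for an existing entry, the rule above adds another DROP line each time it fires, and the configuration shown has no removal step. The script below is an added example (not Flowtriq's own code) that applies the same block idempotently in a dedicated chain and can roll it back. The chain name `MITIGATE_UDP`, the `IPT` variable and the `apply`/`rollback` subcommands are assumptions, as is invoking it from a rule action as `<absolute path> apply`.

```shell
#!/bin/sh
# Added example: idempotent, reversible variant of the page's UDP drop rule.
# CHAIN, IPT and the subcommand names are assumptions, not Flowtriq settings.
IPT="${IPT:-iptables -w}"          # -w waits for the xtables lock
CHAIN="${CHAIN:-MITIGATE_UDP}"     # hypothetical dedicated chain name

# Add a rule only if an identical one is not already present (-C checks).
ensure_rule() {
    chain="$1"; shift
    $IPT -C "$chain" "$@" 2>/dev/null || $IPT -A "$chain" "$@"
}

apply_block() {
    # Create the chain once; -N fails if it already exists, which is fine.
    $IPT -N "$CHAIN" 2>/dev/null || true
    # Keep replies to flows this host initiated (its own DNS or NTP lookups).
    ensure_rule "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    ensure_rule "$CHAIN" -p udp -j DROP
    # Hook the chain into INPUT exactly once, ahead of existing rules.
    $IPT -C INPUT -p udp -j "$CHAIN" 2>/dev/null ||
        $IPT -I INPUT 1 -p udp -j "$CHAIN"
}

rollback_block() {
    # Remove every hook into INPUT, then flush and delete the chain.
    while $IPT -D INPUT -p udp -j "$CHAIN" 2>/dev/null; do :; done
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
}

case "${1:-}" in
    apply)    apply_block ;;
    rollback) rollback_block ;;
esac
```

The conntrack exception assumes connection tracking is already active on the node; where it is not, loading it during a spoofed-source flood can fill the conntrack table, so omit that line there.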

Supported Trigger Types

| Trigger | Description | Example value |
|---|---|---|
| attack_family | Matches incident attack classification | udp_flood, syn_flood, dns_flood |
| severity | Minimum severity level | critical, high, medium, low |
| pps_threshold | Peak PPS exceeds value | 100000 |
| any | Fires on every new incident | |

Supported Actions

| Action type | Description |
|---|---|
| shell_command | Runs a shell command on the node as root via the agent |
| script | Executes an absolute path script on the node |
| webhook | POSTs incident JSON to a URL (external integration) |
| null_route | Adds a local null route for the top source IPs from the PCAP |

Safety & Audit

  • All executions are logged in the Audit Log with rule name, node, trigger, and result.
  • Rules respect the cooldown period - a node won't fire the same rule twice within the cooldown window.
  • Rules can be toggled active/inactive without deletion.
  • Only admin and owner roles can create or delete rules. Analysts can view.

Tip: Combine firewall rules with alert channels - the rule handles the immediate response while your team gets notified through PagerDuty, Slack, or SMS to handle the longer-term mitigation with your upstream provider.