Features
Detect. Mitigate. Communicate.
In under one second.
A complete DDoS response platform - from 1-second detection and automatic firewall rules to public status pages that keep your customers informed in real time.
Detection
1-Second Traffic Detection
The moment your traffic crosses the threshold, Flowtriq knows. Packets per second (PPS) and bandwidth (BPS) are sampled every second from kernel-level network stats (/proc/net/dev), not every 60 seconds like traditional monitoring.
Normal monitoring polls every minute. That means up to 60 seconds of downtime before detection. Flowtriq samples every single second.
- Packets + bandwidth read from kernel-level stats every second
- Protocol breakdown: TCP/UDP/ICMP
- Connection count tracked for SYN flood detection
- 2,000-event retry queue for offline resilience
09:44:18 PPS=8,409 ELEVATED
09:44:19 PPS=47,821 ⚠ ATTACK
09:44:19 → Incident opened · 0.8s latency
PCAP Forensics
Evidence from before the attack started.
Flowtriq runs a 500-packet pre-attack ring buffer at all times. When detection fires, that buffer is the opening section of your PCAP, capturing traffic from before the threshold crossed.
Most capture tools start recording when detection fires. By then you've missed the first wave. Flowtriq captures it.
- 500-packet pre-attack ring buffer
- Up to 10,000 packets per incident
- Auto-upload on attack resolution
- 15-minute signed download URL
- 7-day retention (365-day on Enterprise)
SIZE 14.2 MB
PKTS 10,000 (cap reached)
pre-buffer: 500 pkts ← pre-threshold
capture: 9,500 pkts during attack
→ Uploaded. URL valid 15 min.
Classification
UDP flood, SYN flood, or something worse?
Flowtriq tells you the attack family, confidence score, and whether source IPs are spoofed (faked), the moment detection fires. No waiting for a postmortem.
Knowing that traffic is high is useless. Knowing it's a memcached amplification attack from a botnet with spoofed IPs tells you exactly who to call.
- 8 attack families classified
- Confidence scoring 0-100%
- IP spoofing detection via TTL patterns (which reveal faked source addresses)
- Botnet detection (300+ source IPs)
- Multi-vector attack detection
Subtype memcached Amplification
Confidence 91%
Spoofing Detected (TTL entropy: high)
Src IPs 3,241 distinct → botnet
Alerts
Alerts where your team actually lives.
Seven notification channels fire within one second of detection. Rich embeds on Discord and Slack. PagerDuty incidents with automatic duplicate prevention. Cryptographically signed webhooks for custom integrations.
Alert noise kills response speed. Escalation policies route critical attacks to on-call, low-severity to a review channel. Maintenance windows suppress alerts when you don't need them.
- Discord and Slack rich embeds
- PagerDuty + OpsGenie integration
- SMS and email delivery
- Cryptographically signed custom webhooks
- Escalation policies with per-step delay
- Maintenance windows per node or workspace
Peak: 47,821 PPS · 1.7 Gbps
✓ Discord #incidents
✓ Slack #noc-alerts
✓ PagerDuty inc #P-38421
✓ Webhook HMAC OK
Baselines
Zero tuning. Learns your normal.
Flowtriq learns your server's normal traffic baseline (99th percentile) over 5 minutes and sets the detection threshold to 3x that baseline: automatically, per node, with continuous updates.
Your game server and your database have different normal traffic. Flowtriq builds separate baselines per node and keeps updating them as your traffic changes.
- 300-sample rolling window (5 minutes)
- Threshold = 3x your 99th percentile per node
- Continuous updates every 30 seconds
- Manual override always available
- Visible in Console: avg, p95, p99, threshold
Avg PPS 1,204
p95 PPS 2,890
p99 PPS 4,102
Threshold 12,306 PPS (3× p99)
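The per-second sampling from the Detection section and the baseline rule described here fit together as follows. This is an added example, not Flowtriq's agent code: the function and class names are hypothetical, the p99 uses the nearest-rank method, and leaving over-threshold samples out of the window is an assumption of this sketch.

```python
from collections import deque

def snapshot(rx_bytes, rx_packets, iface="eth0"):
    """Constructed /proc/net/dev text (sample input, not a real capture)."""
    return ("Inter-|   Receive                    |  Transmit\n"
            " face |bytes packets errs drop fifo frame compressed multicast|bytes packets\n"
            f"  {iface}: {rx_bytes} {rx_packets} 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n")

def rx_packets(text, iface):
    """Read the cumulative receive-packet counter for one interface."""
    for line in text.splitlines()[2:]:        # two header lines come first
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[1])       # fields: rx bytes, rx packets, ...
    raise KeyError(f"interface {iface!r} not found")

def pps(prev_text, cur_text, iface, interval=1.0):
    """Packets per second between two snapshots; None if the counter reset."""
    delta = rx_packets(cur_text, iface) - rx_packets(prev_text, iface)
    return None if delta < 0 else delta / interval

class Baseline:
    """Rolling p99 baseline; threshold = factor * p99 once the window is full."""
    def __init__(self, window=300, factor=3):
        self.samples = deque(maxlen=window)
        self.factor = factor

    def threshold(self):
        n = len(self.samples)
        if n < self.samples.maxlen:
            return None                       # still learning: no verdicts yet
        rank = (99 * n + 99) // 100           # nearest-rank p99, integer math
        return self.factor * sorted(self.samples)[rank - 1]

    def observe(self, value):
        """Return True when value exceeds the current threshold."""
        limit = self.threshold()
        attack = limit is not None and value > limit
        if not attack:                        # assumption: attack samples stay
            self.samples.append(value)        # out so a flood cannot raise p99
        return attack
```

On a live host the two snapshots would be successive reads of `/proc/net/dev` taken one second apart.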
Node-Level Firewall Rules
Per-server firewall rules that fire before you wake up.
Flowtriq executes firewall commands directly on each node when an attack is detected — your first line of defense at the server level. Choose from 22 rule types across iptables, ipset, nftables, ufw, tc, null routing, and fail2ban.
For network-wide protection, Flowtriq also offers BGP Mitigation (FlowSpec, RTBH) and Cloud Scrubbing (Cloudflare, OVH, Hetzner) that operate at the network edge.
- 22 firewall action types across 7 tool groups
- Triggers: threshold crossing, severity level, or attack family
- Live command preview - see exactly what will execute
- Auto-undo on incident resolution
- Inline risk warnings for broad rules (e.g. blocking a whole protocol)
- Full audit trail of every rule execution
action: iptables rate-limit src
Command preview:
iptables -A INPUT -s $FT_SRC_IP \
-m limit --limit 100/s \
-j ACCEPT
✓ Rule applied · 09:44:20
Cloud Scrubbing
Detect. Divert. Scrub. Automatically.
Flowtriq detects attacks in under 1 second and auto-diverts traffic to upstream scrubbing providers via API. When the attack resolves, direct routing resumes. You pay scrubbing only during active attacks.
Because Flowtriq classifies the attack type, knows the target node, and measures peak PPS/BPS, the API call carries context - the right prefix gets announced, the right IP gets mitigation.
- Cloudflare Magic Transit - on-demand BGP prefix advertisement
- OVH DDoS Protection - force-enable permanent mitigation via API
- Hetzner Robot - activate pre-configured firewall rules on attack
- Auto-withdraw on incident resolution
- Manual Activate/Withdraw buttons in dashboard
- $0 cost during peacetime with on-demand scrubbing
09:44:18 peak: 2.4 Gbps / 1.8M pps
→ announcing prefix to Cloudflare...
✓ BGP prefix advertised (0.8s)
✓ traffic diverted to scrubbing
09:52:04 incident resolved
→ withdrawing prefix...
✓ direct routing restored
BGP Mitigation Engine
Network-level mitigation. Deployed in seconds.
Flowtriq detects DDoS attacks and auto-deploys BGP FlowSpec rules, RTBH blackhole routes, and rate-limiting announcements to your BGP speakers. Queue-based dispatch with aggregation, deduplication, and automatic escalation.
Connect ExaBGP, GoBGP, Cloudflare, or any webhook endpoint. The engine selects the optimal mitigation intent based on attack type and automatically escalates from rate-limiting to full blackhole as volume increases.
- 4 escalation levels: rate-limit → FlowSpec drop → RTBH blackhole → cloud scrubbing
- ExaBGP, GoBGP, Cloudflare, and webhook adapters
- Event aggregation -- multi-node attacks collapse to one rule
- Sliding-window rate limiting prevents rule storms
- TTL-based auto-expiry and manual withdraw controls
- Full audit log with exact adapter payloads
09:44:19 peak: 3.2 Gbps > RTBH threshold
→ intent: blackhole 203.0.113.5/32
→ announcing to ExaBGP...
✓ route announced (0.4s)
09:49:19 TTL expired (5m)
→ withdrawing blackhole...
✓ route withdrawn
Public Status Pages
Your customers see status. Not alerts on X.
Create branded public status pages that show the real-time health of your nodes - no Flowtriq login needed for visitors. Share one URL and let customers check status themselves.
Status reflects live detection data: online, elevated traffic, under attack, or offline. Uptime bars show the last 30 days at a glance.
- Unique public URL: flowtriq.com/s/your-slug
- Custom accent color - matches your brand
- Per-node status pills with live detection data
- 30-day uptime bar history per node
- 7-day incident history with expandable threat details
- Toggle Public / Private without deleting the page
● All Systems Operational
nyc-edge-01 Operational
fra-cdn-02 Operational
sgp-api-03 Under Attack
30d uptime ████████████████░
All Features
The complete set
1-Second Detection
Know the instant traffic spikes. Checked every second.
Learn more →
Attack Classification
Identifies 8 attack types with confidence scores.
Learn more →
PCAP Capture
Full packet capture with pre-attack buffer and AI analysis.
Learn more →
Multi-Channel Alerts
Discord, Slack, PagerDuty, SMS, email, webhooks.
Learn more →
Dynamic Baselines
Learns your normal traffic and auto-sets thresholds.
Learn more →
Real-Time Analytics
Live dashboards, historical trends, traffic breakdowns.
Learn more →
Threat Intelligence
IP reputation, geo-enrichment, known attacker feeds.
Learn more →
Threat Pattern Matching
Detects known attack signatures like Mirai and memcached.
Learn more →
Multi-Node
Monitor all your servers from one workspace.
Learn more →
Maintenance Windows
Suppress alerts during planned downtime.
Learn more →
Audit Log
Tamper-proof log of every action and event.
Learn more →
Public Status Pages
Share branded status pages with customers showing live node health and uptime.
Learn more →
Node Firewall Rules
Per-server iptables, nftables, and firewall rules that fire automatically on attack detection.
Learn more →
Cloud Scrubbing
Auto-divert traffic to Cloudflare, OVH, or Hetzner scrubbing on attack.
Learn more →
BGP Mitigation
Auto-deploy FlowSpec, RTBH blackhole, and rate-limiting via BGP.
Learn more →
White Label
Fully rebrand the dashboard with your logo, colors, fonts, and custom domain.
Learn more →
Works With
Integrates with your existing stack
Alerts, mitigation actions, and IP reporting fire automatically when attacks are detected.