BGP Mitigation Engine
Network-level mitigation.
Deployed in seconds.
Flowtriq detects DDoS attacks and automatically deploys BGP FlowSpec rules, RTBH blackhole routes, and rate-limiting announcements to your BGP speakers. Queue-based dispatch with intelligent aggregation, deduplication, and automatic escalation from rate-limiting to full blackhole as attacks intensify.
How It Works
Attack detected. Rule deployed. Traffic mitigated. Automatically.
When Flowtriq detects a DDoS attack, the mitigation engine classifies the threat, selects the optimal response intent (rate-limit, drop specific protocol/port, or blackhole), and deploys the corresponding BGP rule to your configured adapter -- all within seconds.
Events are queued and aggregated: if multiple nodes report the same attack simultaneously, they're collapsed into a single rule. A sliding-window rate limiter prevents rule storms. When the attack subsides, rules are automatically withdrawn after their TTL expires.
The engine supports automatic escalation: a moderate flood starts with FlowSpec rate-limiting, but if traffic exceeds higher thresholds, it escalates to RTBH blackholing or upstream cloud scrubbing without manual intervention.
| Capability | Detail |
|---|---|
| Dispatch | Queue-based with aggregation window |
| Adapters | ExaBGP, GoBGP, Cloudflare, Webhook |
| Intents | Rate-limit, drop protocol, drop port, blackhole |
| Deduplication | Same target+intent = skip (with distributed locks) |
| Rate limiting | Configurable max rules/minute per tenant |
| Rule TTL | Configurable (default 5 min), auto-expire |
| Max rules | 200 concurrent per tenant |
| Retry | Exponential backoff for failed announcements |
→ Attack classified: UDP Amplification (NTP)
→ Target: 203.0.113.5 port 123
09:44:19 Evaluating escalation...
→ 3.2 Gbps > RTBH threshold (2 Gbps)
→ Intent: blackhole
09:44:20 Announcing to ExaBGP...
→ announce route 203.0.113.5/32
next-hop self community [65535:666]
OK rule announced (0.4s)
09:49:20 TTL expired (5 min)
→ Withdrawing blackhole...
OK route withdrawn
Escalation Policy
Four escalation levels. Zero manual intervention.
The engine automatically selects the right mitigation level based on attack volume. As attacks intensify, mitigation escalates. As they subside, less aggressive rules take over.
Local Rate-Limit
FlowSpec rate-limiting rules that throttle attack traffic without dropping legitimate packets. Applied via BGP FlowSpec to your border routers.
FlowSpec Drop
Targeted FlowSpec rules that drop specific protocols, ports, or source IPs. Surgical mitigation that preserves legitimate traffic to the target.
RTBH Blackhole
Remote Triggered Blackhole routing. Announces the target IP with community 65535:666, causing upstream routers to null-route all traffic to that IP.
Cloud Scrubbing
Diverts traffic to upstream scrubbing providers like Cloudflare Magic Transit. For volumetric attacks that exceed your local capacity.
BGP Adapters
Four adapter types for any network architecture
Connect Flowtriq to your existing BGP infrastructure. Each adapter handles the protocol-specific details of announcing and withdrawing mitigation rules.
ExaBGP
The most popular open-source BGP route injector. Flowtriq sends JSON commands over HTTP to ExaBGP's API, which announces FlowSpec and unicast routes to your routers.
- FlowSpec rate-limiting with configurable rate values
- Protocol-specific and port-specific drop rules
- RTBH blackhole with community 65535:666
- JSON API over HTTP -- no BGP session management needed
- Full payload logged for audit trail
GoBGP
High-performance BGP implementation written in Go. Flowtriq uses GoBGP's gRPC/REST API to inject FlowSpec and unicast routes programmatically.
- Same FlowSpec capabilities as ExaBGP
- gRPC API for low-latency announcements
- Built for high-throughput environments
- Ideal for large-scale deployments with many peers
- Supports all 4 intent types
Cloudflare
Direct integration with Cloudflare's Magic Transit API. Flowtriq announces and withdraws your /24 prefix to divert traffic through Cloudflare's global scrubbing network.
- BGP prefix advertisement via Cloudflare API
- On-demand scrubbing -- $0 during peacetime
- Global anycast scrubbing network
- Auto-withdraw on incident resolution
- Works with Magic Transit On Demand
Webhook
Generic webhook adapter for custom integrations. Flowtriq sends structured JSON payloads to your endpoint for each announce/withdraw event, letting you integrate with any system.
- Custom HTTP endpoint with auth token
- Configurable headers and timeout
- Full attack context in JSON payload
- Build custom integrations with any network gear
- Ideal for proprietary SDN controllers or APIs
Event Pipeline
Queue-based dispatch with built-in safety guards
Every attack event goes through a multi-stage pipeline before a BGP rule is announced. The pipeline prevents rule storms and duplicate announcements, and ensures the right level of mitigation is applied.
1. Event Queue
Attack events from all nodes are queued with priority scores based on severity (critical=90, high=70, medium=50, low=30).
2. Aggregation
Events targeting the same IP+protocol+port+family within the aggregation window are collapsed into a single record. Multi-node attacks = one rule.
3. Validation & Intent
Target IP is validated (public IPv4 only, no private/reserved ranges). Attack type determines the intent: rate-limit, drop protocol, drop port, or blackhole.
4. Escalation
Attack bandwidth determines the escalation level. Exceeding higher thresholds automatically upgrades the intent from rate-limiting to blackhole.
5. Rate Limiting
Sliding-window rate limiter ensures no more than N rules per minute per tenant. Prevents rule storms during distributed attacks.
6. Announce
The BGP rule is dispatched to the best available adapter (scored by capability match and test status). Full payload is logged for audit.
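The escalation policy above and the six pipeline stages, worked through as an added example in Python; this is not Flowtriq's code. It keeps the page's figures (priority scores, 2 Gbps RTBH threshold, 200-rule cap, 5-minute TTL) and assumes the rest: the 500 Mbps boundary between rate-limit and drop, the deny-list of private/reserved ranges, a 10 Gbps link capacity, and a single-process dict in place of the distributed MySQL locks.

```python
import ipaddress
from collections import deque, namedtuple
Event = namedtuple("Event", "node target proto port mbps severity")
PRIORITY = {"critical": 90, "high": 70, "medium": 50, "low": 30}   # step 1 scores
MAX_RULES = 200  # global cap on active rules, as stated on the page
RTBH_MBPS, DROP_MBPS = 2000, 500  # 2 Gbps RTBH is the page's example; 500 is a placeholder
BLOCKED = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
           "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]  # assumed list

def validate_target(ip):  # step 3: public IPv4 only, no private/reserved ranges
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in BLOCKED)

def select_intent(mbps, link_mbps):  # step 4: escalate with attack volume
    if mbps > link_mbps:  # beyond local capacity: divert to upstream scrubbing
        return "cloud_scrub"
    return "blackhole" if mbps > RTBH_MBPS else "drop_port" if mbps > DROP_MBPS else "rate_limit"

class MitigationEngine:
    def __init__(self, max_per_minute=10, ttl_s=300, link_mbps=10000):
        self.max_per_minute, self.ttl_s, self.link_mbps = max_per_minute, ttl_s, link_mbps
        self.rules = {}        # aggregation key -> (intent, expires_at)
        self.window = deque()  # announce timestamps for the sliding-window limiter
    def process(self, events, now):
        peak = {}  # steps 1-2: priority order, collapsed per target+proto+port+family
        for ev in sorted(events, key=lambda e: -PRIORITY[e.severity]):
            key = (ev.target, ev.proto, ev.port, 4)
            peak[key] = max(peak.get(key, 0.0), ev.mbps)
        announced = []
        for key, mbps in peak.items():
            if not validate_target(key[0]):
                continue
            intent = select_intent(mbps, self.link_mbps)
            if self.rules.get(key, (None,))[0] == intent:
                continue  # dedup: same target + intent already active
            while self.window and now - self.window[0] >= 60:
                self.window.popleft()
            if len(self.window) >= self.max_per_minute or len(self.rules) >= MAX_RULES:
                continue  # step 5: rate limit or global cap hit; event waits for next pass
            self.window.append(now)
            self.rules[key] = (intent, now + self.ttl_s)
            announced.append((key[0], intent))  # step 6: hand to the adapter
        return announced
    def expire(self, now):  # lifecycle job: withdraw rules whose TTL has elapsed
        gone = [k for k, (_, exp) in self.rules.items() if now >= exp]
        self.rules = {k: v for k, v in self.rules.items() if k not in gone}
        return [k[0] for k in gone]
```

Three nodes reporting the same NTP flood collapse into one blackhole rule, a private target is rejected, and a third valid target waits until the sliding window frees a slot.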
Comparison
Manual BGP mitigation vs. Flowtriq
Manual / Script-Based
- SSH into router, manually type BGP commands
- Minutes to hours response time at 3 AM
- No aggregation -- duplicate rules from multiple alerts
- Forget to withdraw? Blackhole persists for hours
- No escalation -- same response for 100 Mbps and 10 Gbps
- No audit trail of what was announced and when
- No rate limiting -- script storms can overwhelm routers
Flowtriq BGP Mitigation
- Detect attack, classify, announce rule -- all automatic
- Sub-2-second response time, 24/7
- Event aggregation collapses multi-node attacks into one rule
- TTL-based auto-expiry withdraws rules automatically
- 4-level escalation from rate-limit to cloud scrubbing
- Every announce/withdraw logged with full adapter payload
- Sliding-window rate limiter prevents rule storms
FAQ
Common questions
What BGP speakers do I need?
Flowtriq works with any BGP speaker that exposes an API for route injection. The built-in adapters support ExaBGP (JSON/HTTP API) and GoBGP (gRPC/REST API). For other BGP implementations, use the webhook adapter to receive structured JSON payloads and translate them into your speaker's native format.
Does the engine support IPv6?
The current engine validates and mitigates IPv4 targets only. IPv6 FlowSpec support is on the roadmap. For IPv6 attacks, use firewall rules or cloud scrubbing integrations.
What happens if my adapter goes offline?
Failed announcements are retried with exponential backoff by the lifecycle cron job (runs every minute). The adapter's last test status is tracked, and the engine scores adapters by health -- if you have multiple adapters, it prefers the one that passed its last connectivity test.
Can I create rules manually?
Yes. The Manual Rule tab in the dashboard lets you create BGP rules on demand -- specify the target IP, intent type, protocol, port, rate limit, TTL, and escalation level. Useful for pre-emptive mitigation or testing your adapter setup.
How does this relate to cloud scrubbing?
BGP mitigation and cloud scrubbing are complementary. BGP FlowSpec/RTBH handles mitigation at your network edge (your routers), while cloud scrubbing diverts traffic upstream before it reaches your infrastructure. Flowtriq's escalation policy can automatically escalate from BGP to cloud scrubbing when attack volume exceeds your link capacity.
What safety guards are in place?
Multiple layers: private/reserved IPs are rejected, /24 is the minimum prefix, rate limiting caps rules per minute, cooldown periods prevent flapping, a global cap of 200 active rules prevents runaway scenarios, and all operations use distributed MySQL locks to prevent duplicate announcements even in multi-process deployments.
Deploy network-level mitigation in minutes
Connect your BGP speakers, configure escalation thresholds, and let Flowtriq handle the rest. Free 7-day trial, no credit card required.