Cloud Scrubbing
Detect. Divert. Scrub.
Automatically.
Flowtriq detects DDoS attacks in under 1 second, then auto-diverts traffic to upstream scrubbing providers via API. On-demand scrubbing means your traffic routes directly during peacetime. You pay scrubbing providers only during active attacks.
How It Works
Attack detected. Traffic diverted. Scrubbing active. All automatic.
When Flowtriq detects a DDoS attack, it immediately calls your scrubbing provider's API to activate protection. For Cloudflare Magic Transit, this means announcing your /24 prefix via BGP. For OVH, it enables permanent mitigation on the target IP. For Hetzner, it activates your pre-configured firewall rules.
The entire sequence -- detection, classification, API call, and scrubbing activation -- happens without human intervention. When the attack resolves, Flowtriq auto-withdraws the announcement or disables mitigation, restoring normal direct routing.
This on-demand model eliminates the latency penalty and flat monthly cost of always-on scrubbing. Your traffic only touches the scrubbing infrastructure when it needs to.
| Trigger | Automatic on incident detection |
| Providers | Cloudflare Magic Transit, OVH, Hetzner |
| API latency | Typically 1-3 seconds end-to-end |
| Auto-withdraw | On incident resolution |
| Manual override | Announce/Withdraw buttons in dashboard |
| Retry logic | Exponential backoff with alert on failure |
-> Attack classified: UDP Amplification
-> Target: 203.0.113.0/24
09:44:20 Announcing prefix to Cloudflare...
-> API POST /client/v4/ip_prefixes
OK prefix announced (1.2s)
09:44:24 BGP converged
OK scrubbing active
09:52:04 PPS=1,190 incident resolved
-> Withdrawing prefix...
OK normal routing restored
_
Supported Providers
Three scrubbing providers, one integration point
Cloudflare Magic Transit
On-demand BGP prefix advertisement via the Cloudflare API. Flowtriq announces your /24 prefix when an attack is detected and withdraws it when the incident resolves.
- Announce /24 prefix via API on attack detection
- Auto-withdraw when incident resolves
- Pay only during active attacks
- Full Cloudflare edge network for scrubbing capacity
OVH DDoS Protection
Force-enable IP mitigation via the OVH API. Flowtriq triggers permanent mitigation mode on specific IPs when an attack is detected and disables it on resolution.
- Enable permanent mitigation via OVH API
- Auto-disable when incident resolves
- Included free with OVH/SoYouStart/Kimsufi servers
- Per-IP targeting for surgical protection
Hetzner DDoS Protection
Activate pre-configured server firewall rules via the Hetzner Robot API. Define your firewall rules once in Hetzner, and Flowtriq activates them on attack and deactivates on resolution.
- Activate server firewall via Robot API
- Pre-configured rules flip on/off automatically
- Built into all Hetzner dedicated servers
- No additional cost for firewall activation
The Flowtriq Advantage
On-demand scrubbing changes the economics
Scrubbing Without Detection
- Traffic always routed through scrubber (latency penalty)
- Flat monthly cost even when no attacks occur
- No attack classification -- all traffic treated the same
- No forensic data after the attack ends
Flowtriq + On-Demand Scrubbing
- Zero latency during peacetime -- direct routing
- Pay scrubbing only during active attacks
- Classified attack data sent to scrubbing provider
- Full packet capture and forensics for post-mortem
Smart Diversion
Context-aware scrubbing, not blind rerouting
Because Flowtriq classifies the attack before diverting traffic, the API call to your scrubbing provider carries context. Flowtriq knows the attack family (SYN flood, UDP amplification, DNS flood), the target node IP, and the peak PPS/BPS at the moment of detection.
For Cloudflare Magic Transit, this means the correct prefix is announced -- not your entire address space. For OVH, the specific IP under attack gets mitigation enabled, not every IP on the server. For Hetzner, the firewall activates only on the targeted server.
This is fundamentally different from "traffic is high, scrub everything." Flowtriq diverts surgically because it understands what is happening, where it is happening, and how severe it is -- all within the first second.
Classification: UDP Amplification (NTP)
Confidence: 97%
Target IP: 203.0.113.42
Peak PPS: 312,000
Peak BPS: 4.7 Gbps
-> Provider: Cloudflare Magic Transit
-> Action: Announce 203.0.113.0/24
-> Scope: Single prefix (not all prefixes)
Diversion is surgical, not global.
_
Setup
Live in five steps, under ten minutes
Step 1: Add provider credentials
Navigate to Dashboard > Integrations and add your scrubbing provider API credentials. Cloudflare API token, OVH application key, or Hetzner Robot credentials.
Step 2: Configure prefixes and IPs
Specify which IP prefixes (Cloudflare) or server IPs (OVH, Hetzner) should be protected. Map each prefix to the nodes that Flowtriq monitors.
Step 3: Enable auto-divert
Toggle auto-divert on. From this point, Flowtriq handles everything: detection triggers the API call, resolution triggers the withdrawal. No manual steps.
Step 4: Attack detected
Flowtriq detects a DDoS attack, classifies it, and immediately calls your provider's API. Traffic is diverted to scrubbing infrastructure within seconds of threshold crossing.
Step 5: Attack resolves
When the incident resolves, Flowtriq auto-withdraws the BGP announcement or disables mitigation. Normal direct routing resumes. No cleanup required.
FAQ
Common questions about cloud scrubbing
What if the scrubbing API call fails?
Flowtriq retries with exponential backoff. If all retries fail, an alert fires to your configured notification channels (Discord, Slack, PagerDuty, email, SMS) so you can manually intervene. The incident remains open and all detection data continues recording regardless of the API call outcome.
Does this add latency during normal operation?
No. On-demand scrubbing means traffic routes directly to your server during peacetime. There is no tunnel, no proxy, and no extra hop. Scrubbing infrastructure only handles your traffic during active attacks. Once the attack resolves and Flowtriq withdraws the announcement, direct routing resumes.
Can I use Cloudflare Magic Transit with Flowtriq if I'm already always-on?
Yes. If you're running Magic Transit in always-on mode, Flowtriq still provides sub-second detection, attack classification, packet capture, and forensics that Cloudflare does not offer natively. The integration is most valuable for on-demand users who want to avoid the always-on latency and cost, but always-on users benefit from the detection and analytics layer.
What Cloudflare permissions does the API token need?
The API token requires two permission scopes: Account:IP Prefixes:Edit and Account:Magic Transit:Edit. These allow Flowtriq to announce and withdraw your IP prefixes. No other permissions are needed -- Flowtriq does not access your DNS, WAF rules, or any other Cloudflare resources through this integration.
Is OVH mitigation free?
Yes. OVH includes anti-DDoS protection with all dedicated servers, including SoYouStart and Kimsufi lines. Flowtriq automates enabling the "permanent mitigation" mode via the OVH API, which forces all traffic through OVH's scrubbing infrastructure for the targeted IP. There is no additional charge from OVH for this.
Can I trigger scrubbing manually from the dashboard?
Yes. Each configured scrubbing integration has manual Announce and Withdraw buttons on the Integrations page. This is useful for testing your setup before relying on auto-divert, or for situations where you want to pre-emptively enable scrubbing before an expected attack.
Related Features