Use Case
Defend Your Network from the Edge Inward
Edge nodes are your network's front line. They are the PoP servers, CDN endpoints, reverse proxies, and anycast nodes that sit between the internet and your core infrastructure. When a DDoS attack hits, they absorb the first impact. Flowtriq turns every edge node into an intelligent detection and mitigation point — detecting floods in under 1 second and dropping attack traffic before it reaches your origin.
The Concept
What is edge node defense?
Edge node defense is a strategy where DDoS detection and mitigation run at the perimeter of your network, on the nodes closest to the internet. Instead of relying on a centralized scrubbing center or detecting attacks only at the origin server, you push detection outward to every edge location in your infrastructure.
These edge nodes include PoP (Point of Presence) servers at colocation facilities, CDN cache servers, anycast DNS endpoints, reverse proxy and load balancer instances, VPN concentrators, and border routers. Any server or appliance that directly faces the public internet is an edge node.
The advantage is clear: by detecting at the edge, you identify attacks before they traverse your internal network. Mitigation happens at the point of entry, dropping malicious traffic before it consumes backbone bandwidth, saturates internal links, or reaches your origin servers and databases.
↓ ↓ ↓
[ Edge PoP ] [ Edge PoP ] [ Edge PoP ]
FTAgent FTAgent FTAgent
detect+drop detect+drop detect+drop
↓ ↓ ↓
only clean traffic
[ Backbone / Core ]
↓
[ Origin Servers ]
Attack traffic never reaches origin.
The Problem
Centralized detection leaves edge nodes blind
Most DDoS protection architectures funnel all traffic through a centralized scrubbing center or detect attacks at the origin. This means your edge nodes — the first devices to see attack traffic — have no local awareness that they are under attack. They dutifully forward flood traffic deeper into your network.
For distributed networks with multiple PoPs, this creates a dangerous gap. An attacker targeting a single PoP can saturate that location's uplink before centralized detection even registers the spike. Meanwhile, other PoPs are operating normally, making network-wide averages look fine while one location is drowning.
Edge nodes need their own local intelligence. They need to detect attacks at their specific location, take immediate local action, and report back to a central dashboard for coordinated response. That is exactly what Flowtriq provides.
PoP-1 AMS PPS=4,200 Normal
PoP-2 FRA PPS=3,800 Normal
PoP-3 NYC PPS=892,000 FLOOD
PoP-4 LAX PPS=5,100 Normal
Centralized average: 226,275 PPS
Centralized threshold: 500,000 PPS
Result: ATTACK NOT DETECTED
PoP-3 uplink: saturated at 10 Gbps
NYC users: complete outage
Time to detect: never (below global threshold)
How Flowtriq Helps
Every edge node becomes a detection point
Deploy the FTAgent on every edge node in your network. Each agent independently monitors its own traffic, maintains its own baseline, and detects anomalies at that specific location. An attack targeting your NYC PoP triggers detection at NYC in under 1 second, regardless of what is happening at your other locations.
When detection fires, the edge node takes immediate local action. Kernel-level firewall rules drop attack traffic before it crosses your backbone. Simultaneously, the agent can trigger BGP FlowSpec rules at the local transit provider, push RTBH blackholes upstream, or activate cloud scrubbing for that specific prefix.
All incidents from all edge nodes flow into a single Flowtriq dashboard. Your NOC sees a unified view of your entire edge infrastructure, with real-time maps showing which locations are under attack, what attack types are hitting each PoP, and whether auto-mitigation has resolved the issue or escalation is needed.
PoP-1 AMS PPS=4,200 Normal
PoP-2 FRA PPS=3,800 Normal
PoP-3 NYC PPS=892,000 THRESHOLD
PoP-4 LAX PPS=5,100 Normal
T+0.8s PoP-3 incident opened
T+0.9s Classified: UDP Flood · 96%
T+1.0s nftables drop on PoP-3
T+1.1s FlowSpec → NYC transit
T+1.2s Alert → Slack #noc-alerts
PoP-3 mitigated. Other PoPs unaffected.
NYC users: zero downtime.
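The two illustrations above (the centralized average that misses the PoP-3 flood, and the per-node check that catches it) can be reproduced in a few lines. This is an added example, not Flowtriq's code or its detection algorithm: the median-plus-MAD baseline, the K and MIN_SPREAD values, and every history sample before the final reading are constructed assumptions; only the current PPS values and the 500,000 PPS global threshold come from the page.

```python
from statistics import median

# Constructed samples: recent per-second PPS readings for each PoP. Only the
# last value in each list (the current reading) is taken from the page.
HISTORY = {
    "PoP-1 AMS": [4100, 4250, 4180, 4300, 4200],
    "PoP-2 FRA": [3700, 3900, 3750, 3850, 3800],
    "PoP-3 NYC": [4900, 5200, 5000, 5100, 892000],
    "PoP-4 LAX": [5000, 5150, 5050, 5200, 5100],
}
GLOBAL_THRESHOLD = 500_000  # centralized threshold from the page
K = 8                       # assumed sensitivity: spreads above the baseline
MIN_SPREAD = 100            # assumed floor so a flat baseline is not hair-trigger


def centralized_detects(history, threshold=GLOBAL_THRESHOLD):
    """Alarm only if the network-wide average of current PPS crosses threshold."""
    current = [samples[-1] for samples in history.values()]
    average = sum(current) / len(current)
    return average, average > threshold


def node_detects(samples, k=K, min_spread=MIN_SPREAD):
    """Compare the newest reading with this node's own median + k * MAD."""
    *baseline, current = samples
    base = median(baseline)
    mad = median(abs(x - base) for x in baseline)
    limit = base + k * max(mad, min_spread)
    return current > limit, limit


def per_node_alarms(history):
    """Return the names of PoPs whose current PPS exceeds their local limit."""
    return [name for name, samples in history.items() if node_detects(samples)[0]]


if __name__ == "__main__":
    avg, fired = centralized_detects(HISTORY)
    print(f"centralized average {avg:,.0f} PPS, alarm={fired}")
    for name, samples in HISTORY.items():
        hit, limit = node_detects(samples)
        print(f"{name}: current={samples[-1]:,} limit={limit:,.0f} alarm={hit}")
```

A median-based baseline is used here because a single flood sample cannot drag the local limit upward the way it would with a plain mean.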
Key Features
Built for distributed edge infrastructure
Independent per-node detection
Each edge node runs its own detection loop with its own baseline. A PoP in Frankfurt has different normal traffic than one in Tokyo. Flowtriq learns each location's pattern independently, so thresholds are always calibrated to local reality, not a network-wide average.
Local mitigation, instant response
When an edge node detects an attack, it does not wait for a central controller. The FTAgent applies kernel-level firewall rules on that node immediately, dropping attack packets before they hit the application or get forwarded further into your network. Response time: under 1 second.
Unified global dashboard
All edge nodes report to one Flowtriq workspace. See every PoP, every incident, and every mitigation action in a single view. Filter by location, attack type, or severity. Your NOC gets a global map of your edge health without juggling per-site monitoring tools.
Multi-layer escalation
Edge defense does not stop at local firewall rules. Flowtriq's escalation chain moves from kernel-level drops to BGP FlowSpec at the local transit, then RTBH blackholing, then upstream cloud scrubbing. Each layer activates automatically if the previous one is insufficient. Rules auto-withdraw when the attack ends.
Per-PoP analytics
Track traffic trends, attack frequency, and mitigation effectiveness per edge location. Identify which PoPs are targeted most frequently, which attack vectors are common at each location, and whether your capacity at a given edge site is sufficient for current threat levels.
Edge-level PCAP forensics
Capture packets at the edge node where the attack arrives, not deep inside your network where traffic has already been NATted, load-balanced, or stripped of useful headers. The pre-attack ring buffer gives you forensic evidence from before the flood even started.
Where It Applies
Types of edge nodes Flowtriq protects
PoP servers at colocation facilities
Your PoP servers are the physical presence of your network in each metro. They handle local traffic termination, caching, and peering. A DDoS flood at one PoP should not take down that entire location. Flowtriq detects and mitigates locally, keeping the PoP operational.
CDN cache and origin-shield nodes
CDN edge servers cache content close to users. When an attacker floods a cache node, it cannot serve legitimate requests and falls back to origin, amplifying the load on your infrastructure. Flowtriq drops the flood at the cache node, keeping the CDN layer effective.
Reverse proxies and load balancers
Nginx, HAProxy, and Envoy instances sitting at your network edge are prime DDoS targets. They are publicly reachable, handle connection state, and can be overwhelmed by SYN floods or HTTP floods. Flowtriq detects the anomaly at the proxy level and drops traffic before connection tables overflow.
Anycast DNS and VPN endpoints
Anycast endpoints are designed to absorb distributed traffic, but a focused attack on one anycast instance can take it offline, shifting all traffic to remaining instances and potentially cascading. Flowtriq on each anycast node prevents this cascading failure by mitigating locally.
By the Numbers
Edge defense in practice
Before & After
Centralized vs. edge-first defense
Centralized Detection Only
- Single-PoP attacks hidden by network-wide averages
- Edge nodes forward flood traffic blindly to core
- Minutes of latency before scrubbing center activates
- Backbone bandwidth consumed by attack traffic
- No per-location forensic data for analysis
- Cascading failures when one PoP goes down
Edge-First with Flowtriq
- Per-node detection catches localized attacks instantly
- Edge nodes drop attack traffic at the kernel level
- Mitigation in under 1 second, no scrubbing center needed
- Clean traffic only on backbone links
- PCAP capture at each edge node for forensics
- Isolated mitigation prevents cascading failures
Getting Started
Deploy edge defense across your network
Roll out Flowtriq to every edge node using your existing configuration management. One workspace, one dashboard, unlimited nodes.
Create your workspace
Sign up and create a single workspace for your entire edge infrastructure. Name nodes by location and function (e.g., "pop-nyc-01", "cdn-fra-cache-03") so your NOC can identify them instantly.
Deploy the FTAgent to all edge nodes
Use Ansible, Puppet, Chef, or any config management tool to install the agent across your fleet. The agent installs with a single pip command and runs as a systemd service. Roll out to 100 nodes in minutes.
Configure per-PoP alert routing
Route alerts based on location. NYC incidents go to the East Coast on-call. European PoP alerts go to the EU NOC Slack channel. Use escalation policies to page senior engineers for attacks that exceed auto-mitigation capacity.
Enable auto-mitigation per node
Define mitigation policies per edge node or globally. Enable kernel-level firewall rules for immediate local defense. Configure BGP FlowSpec and cloud scrubbing as escalation tiers for attacks that exceed local capacity.
Monitor from a single dashboard
All edge nodes report to one dashboard. Watch real-time traffic across your entire edge. Dynamic baselines calibrate within 5 minutes per node. Review per-PoP analytics to understand attack patterns and capacity needs.
FAQ
Common questions about edge node defense
How many edge nodes can I monitor?
There is no limit. Monitor 5 PoPs or 500 edge nodes from a single workspace. Each node runs the lightweight FTAgent independently and reports to the same dashboard. Pricing is $9.99 per node per month, or $7.99 with annual billing.
Does each edge node need its own configuration?
No. The FTAgent auto-detects interfaces and learns baselines automatically. You can deploy the same configuration to every edge node. For nodes with special traffic patterns (e.g., a PoP that handles DNS anycast), you can optionally set manual thresholds.
What if an attack targets multiple PoPs simultaneously?
Each node detects and mitigates independently. A coordinated attack across 5 PoPs triggers 5 separate incidents, each with its own classification, mitigation rules, and alert notifications. Your dashboard shows all active incidents in a unified view so your NOC can prioritize response.
Can I replace my scrubbing center with edge defense?
For many operators, yes. Edge-level detection combined with BGP FlowSpec and local firewall rules handles most volumetric attacks without routing traffic through a scrubbing center. For extremely large floods exceeding your total edge capacity, Flowtriq can still trigger cloud scrubbing as a final escalation tier. The two approaches are complementary.
Do I still need detection at the origin?
We recommend it for defense in depth. Edge nodes catch volumetric floods. Origin-level agents catch application-layer attacks (Slowloris, HTTP floods) that may slip through the edge at low PPS but still stress your application. Both report to the same dashboard.