Use Case
DDoS Protection Built for
Hosting Providers
Your customers expect uptime. When a DDoS attack hits one tenant, collateral damage spreads across shared infrastructure, abuse tickets pile up, and your NOC scrambles to respond. Flowtriq detects attacks in under 1 second, auto-mitigates with a multi-layer defense chain — kernel-level firewall rules, BGP FlowSpec, RTBH, and upstream cloud scrubbing — and gives your team a single pane of glass across every node in your fleet.
The Problem
DDoS attacks are the #1 operational headache for hosting companies
A single customer getting hit with a volumetric flood can saturate shared uplinks and degrade service for every tenant on the same hypervisor, rack, or subnet. Your abuse team spends hours identifying the target, contacting the customer, and applying manual null routes or firewall rules.
Traditional enterprise DDoS solutions cost tens of thousands per month and require dedicated appliances or BGP-based scrubbing centers. They are built for large networks, not for hosting providers who need per-node visibility at scale without breaking the budget.
Meanwhile, your customers blame you for the downtime, open tickets demanding answers, and threaten to leave. You need a solution that detects attacks instantly, responds automatically, and keeps your operations team focused on growth instead of firefighting.
14:00:45 Shared uplink saturated at 10Gbps
14:01:12 12 other tenants impacted
14:03:00 First abuse ticket opened
14:08:00 NOC begins manual investigation
14:15:00 Target IP identified
14:18:00 Manual null route applied
14:18:00 Total downtime: 18 minutes
Tickets opened: 14
Staff hours: 2.5
Customers lost: 3
How Flowtriq Helps
Detect, mitigate, and resolve in seconds, not minutes
The FTAgent runs on each node in your fleet, reading kernel-level network statistics every second. When traffic crosses a dynamic threshold, the agent opens an incident, classifies the attack, and fires firewall rules, all within the same second the threshold is crossed.
Firewall rules drop malicious traffic at the kernel level using iptables or nftables before it reaches the application. Once the attack subsides, rules are automatically withdrawn so legitimate traffic flows normally. No manual intervention required.
Your NOC sees every node, every incident, and every mitigation action in a single dashboard. Customers with read-only access can see their own node status without opening a support ticket. The result: fewer tickets, faster resolution, and happier customers.
14:00:01 PPS=89,400 BPS=3.2Gbps THRESHOLD
T+0.1s Incident opened · UDP Flood · 97%
T+0.3s Auto-mitigation · nftables rule applied
T+0.5s Alerts fired · Slack · PagerDuty
T+0.6s Customer notified · status page updated
14:00:02 PPS=2,340 BPS=91Mbps MITIGATED
14:12:00 Attack subsides · rules withdrawn
Downtime: 0 seconds
Tickets opened: 0
_
Key Features
Purpose-built for hosting infrastructure
Multi-tenant monitoring
One dashboard for your entire fleet. Monitor hundreds of customer nodes from a single workspace. Group nodes by rack, datacenter, or customer. Role-based access lets your NOC, sales team, and customers each see exactly what they need.
Auto-mitigation
When an attack is detected, Flowtriq's 4-level auto-escalation chain activates. First, kernel-level firewall rules via iptables or nftables drop attack traffic instantly. If the attack exceeds local capacity, BGP FlowSpec filters traffic at the network edge. For larger floods, RTBH black-holes the targeted prefix, and cloud scrubbing absorbs volumetric attacks upstream. Rules auto-withdraw when the attack ends at every level.
Cloud scrubbing & BGP integration
Flowtriq integrates natively with upstream scrubbing providers including Cloudflare Magic Transit, OVH VAC, Hetzner DDoS Protection, Path.net, and Voxility. Configure your provider credentials once and Flowtriq triggers cloud scrubbing automatically as the highest escalation tier. It also works alongside existing scrubbing infrastructure you already have in place, adding per-node visibility and local mitigation for attacks that slip through.
Customer-facing status pages
Give customers read-only access to their own node status and incident history. They can see real-time traffic metrics, active incidents, and mitigation status without opening a support ticket. Reduce ticket volume by up to 90% with self-service visibility.
PCAP forensics
Every incident includes a full packet capture starting from pre-attack traffic. Download PCAPs for forensic analysis, share them with upstream providers for blackhole requests, or use them to justify abuse policy enforcement against problematic tenants.
Flexible alerting & escalation
Route alerts to the right team at the right time. Send Slack notifications for minor incidents, page your NOC for critical attacks, and email customers with status updates. Escalation policies ensure nothing falls through the cracks during off-hours.
Getting Started
Deploy across your fleet in minutes
Rolling out Flowtriq to your hosting infrastructure takes less time than investigating a single DDoS incident manually. Here is how it works from signup to full coverage.
Create your workspace
Sign up at flowtriq.com and create a workspace for your hosting company. Add your NOC team members with admin access. Invite customers later with read-only roles. The 7-day free trial starts immediately with no credit card required.
Install the FTAgent on each node
The agent installs with a single curl command and runs as a lightweight systemd service. It reads kernel-level network statistics with near-zero CPU overhead. Deploy it across your fleet with Ansible, Puppet, Chef, or any configuration management tool you already use.
Configure alert channels
Connect Flowtriq to your existing incident response workflow. Send alerts to Slack, Discord, PagerDuty, OpsGenie, email, SMS, or custom webhooks. Set up escalation policies so the right people get notified based on severity and time of day.
Enable firewall rules
Define mitigation policies per node or globally. Choose which attack types trigger automatic firewall rules, set rate limits, and configure how long rules persist after an attack ends. Start with conservative settings and tune as you see real traffic patterns.
Monitor and optimize
Within hours, Flowtriq learns your normal traffic baselines and sets dynamic thresholds automatically. Review the analytics dashboard to understand traffic patterns, tune thresholds for specific nodes, and generate reports for your customers and management team.
By the Numbers
The impact on your hosting operations
Before & After
How Flowtriq transforms your DDoS response
Without Flowtriq
- Attacks detected minutes after they start
- Manual investigation to identify target IP
- Collateral damage across shared infrastructure
- NOC applies null routes or manual firewall rules
- Customers open tickets demanding updates
- No forensic evidence for post-incident review
- Staff spends 2-3 hours per incident on average
With Flowtriq
- Detection in under 1 second per node
- Automatic attack classification with confidence score
- Per-node mitigation isolates blast radius
- Firewall rules applied and withdrawn automatically
- Customers see status in real time, no ticket needed
- Full PCAP capture for forensic analysis
- Zero staff hours per mitigated incident
Pricing
Simple per-node pricing. No surprises.
Unlimited team seats included. Monitor 1 node or 1,000 nodes at the same price per node. No bandwidth fees, no overage charges, no contracts. Cancel anytime.
Compatibility
Works with your existing stack
The FTAgent runs on any Linux server with kernel 3.10 or later. It supports all major distributions including Ubuntu, Debian, CentOS, Rocky Linux, AlmaLinux, and Fedora. Whether you run bare-metal dedicated servers, KVM/QEMU virtual machines, or LXC containers, the agent works the same way.
For virtualization hosts, install the agent on the hypervisor to monitor aggregate traffic, or deploy it inside individual VMs for per-tenant visibility. Both approaches work, and you can mix them across your infrastructure depending on your monitoring needs.
Flowtriq integrates with your existing tools. Export incident data via webhooks to your SIEM or ticketing system. Use the REST API to automate provisioning when new customers sign up. Build custom dashboards by pulling metrics from the Flowtriq API into Grafana or your own monitoring stack.
• Ubuntu 18.04, 20.04, 22.04, 24.04
• Debian 10, 11, 12
• CentOS 7, 8, 9 Stream
• Rocky Linux 8, 9
• AlmaLinux 8, 9
Firewalls
• iptables / ip6tables
• nftables
• ufw (Uncomplicated Firewall)
Virtualization
• KVM / QEMU / libvirt
• Proxmox VE
• LXC / LXD containers
• VMware ESXi (guest agent)
FAQ
Common questions from hosting providers
How many nodes can I monitor?
There is no limit on the number of nodes. You can monitor 5 nodes or 5,000 nodes from a single workspace. Each node runs the lightweight FTAgent and reports to the same dashboard. Pricing scales linearly at $9.99 per node per month (or $7.99 with annual billing).
Can I give customers read-only access?
Yes. Flowtriq supports role-based access with four levels: owner, admin, analyst, and read-only. You can invite your customers as read-only users so they can view their own node metrics and incident history without the ability to modify settings or access other tenants.
Does it work with my existing firewall?
Yes. The FTAgent supports iptables, nftables, and ufw for local firewall management. Auto-mitigation rules are applied as dedicated chains so they never conflict with your existing rules. Flowtriq also integrates with cloud-level DDoS protection from providers like Cloudflare, OVH, and Hetzner.
What happens during a multi-tenant attack?
Each node runs its own independent detection loop. If multiple nodes are targeted simultaneously, each one detects and mitigates its own attack independently. Per-node detection isolates the blast radius so a flood hitting one customer does not affect detection or mitigation on adjacent nodes.
Related Use Cases