ISP Use Case
Detect DDoS before it hits your backbone.
ISPs need to see attacks at the edge before congestion propagates upstream. Flowtriq monitors traffic per-node across every POP, detects volumetric attacks in under a second, and triggers automated mitigation — from local firewall rules through BGP FlowSpec and RTBH to upstream cloud scrubbing — before peering links saturate and downstream customers feel the impact.
The Problem
One customer's attack becomes everyone's outage.
ISPs carry traffic for thousands of customers across shared peering links and transit ports. When a volumetric DDoS attack targets a single customer, the flood doesn't just affect that customer. It saturates your upstream links, fills interface buffers, and degrades service for every customer sharing that path.
Traditional flow-based tools like NetFlow and sFlow rely on sampled data exported every 1 to 5 minutes. By the time your collector aggregates the flows, correlates the anomaly, and fires an alert, your NOC is already fielding calls from angry customers. The peering link has been congested for minutes.
Flowtriq takes a different approach. A lightweight agent on each edge node reads kernel-level traffic stats every second. The moment traffic crosses dynamic thresholds, detection fires, alerts reach your NOC, and automated scrubbing triggers engage — all in under a second.
| Customer base | Thousands sharing upstream links |
| Attack target | Single customer IP or prefix |
| Collateral damage | Peering saturation, packet loss for all |
| NetFlow detection | 1-5 minute delay (too slow) |
| Flowtriq detection | < 1 second (real-time) |
| Response | Auto BGP scrubbing + null-route |
Network Visibility
Edge-to-scrubber in under a second.
Each edge router or Linux-based forwarding node runs the FTAgent. Traffic is measured every second across all interfaces. When a DDoS attack is detected targeting Customer X, Flowtriq's 4-level auto-escalation kicks in: local firewall rules drop obvious attack traffic, BGP FlowSpec filters surgically at the network edge, RTBH diverts targeted prefixes if needed, and cloud scrubbing absorbs volumetric floods upstream.
Each escalation level is triggered automatically based on attack severity. FlowSpec filters can block specific source ports or protocols without affecting other traffic. RTBH and cloud scrubbing handle the heaviest floods. Your backbone never sees the attack. Other customers never notice.
The entire sequence — from first anomalous packet to scrubbing activation — happens without human intervention. Your NOC gets an alert with full context: attack type, peak PPS/BPS, affected prefix, and scrubbing status.
[Edge-POP-1] ── FTAgent OK PPS: 4,201
[Edge-POP-2] ── FTAgent OK PPS: 3,887
[Edge-POP-3] ── FTAgent ALERT PPS: 892,401
[Edge-POP-4] ── FTAgent OK PPS: 5,102
[Edge-POP-5] ── FTAgent OK PPS: 2,944
INCIDENT on POP-3
→ Target: 203.0.113.0/24 (Customer X)
→ Attack: UDP Amplification · DNS · 4.2 Gbps
→ Vectors: DNS 68% · NTP 22% · CLDAP 10%
→ Action: BGP announce → scrubbing center
→ Status: Clean traffic returning via GRE
Backbone impact: none
Key Features for ISPs
Built for carrier-scale networks
Every feature is designed for the realities of ISP operations: distributed POPs, shared infrastructure, customer-facing SLAs, and NOC teams that need answers in seconds, not minutes.
Edge-node monitoring
Deploy the FTAgent on every POP, edge server, or Linux-based router. Each node reports independently with its own thresholds and baselines. Monitor your entire footprint from a single dashboard with per-node drill-down.
Sub-second detection
Kernel-level stats are read every second. Threshold comparisons fire instantly. No waiting for 1-5 minute NetFlow export intervals. You know about attacks before your transit providers do.
BGP FlowSpec, RTBH & Cloud Scrubbing
Flowtriq supports a full BGP mitigation stack. BGP FlowSpec rules filter traffic surgically at the router level. RTBH announcements black-hole targeted prefixes when needed. Cloud scrubbing via Cloudflare Magic Transit, Path.net, or Voxility absorbs volumetric floods upstream. Each tier triggers automatically based on attack severity.
Traffic analytics
Per-node PPS and BPS metrics with historical baselines. Identify traffic growth trends, capacity planning data, and anomalous patterns across your network. Exportable reports for customer SLA reviews.
Attack classification
Automatically identify amplification vectors: DNS, NTP, CLDAP, memcached, SSDP, and more. Protocol-level breakdown with confidence scores helps your NOC prioritize response and build detailed customer incident reports.
PCAP forensics
Capture attack packet samples automatically on detection. The 500-packet pre-attack ring buffer preserves evidence from before the threshold was crossed. Generate forensic reports for customers and law enforcement.
Comparison
NetFlow polling vs. Flowtriq real-time
Flow-based detection was state of the art in 2010. In 2026, attacks ramp to multi-gigabit in seconds. Your detection needs to keep pace.
NetFlow / sFlow polling
- Sampled data exported every 1-5 minutes
- Collector aggregation adds additional delay
- Detection latency: 2-10 minutes typical
- Sampling ratios (1:1000+) miss small attacks
- No automated mitigation triggers
- No packet-level forensic capture
- Requires dedicated flow collector infrastructure
- Expensive commercial licenses per flow source
Flowtriq real-time monitoring
- Kernel stats read every 1 second, no sampling
- Detection fires instantly on threshold crossing
- Detection latency: under 1 second end-to-end
- Exact byte and packet counts from the kernel
- Auto-mitigation: BGP scrubbing, null-route, webhook
- PCAP capture with pre-attack ring buffer
- Lightweight agent, no external collector needed
- Simple per-node pricing with volume discounts
Deployment
How ISPs deploy Flowtriq
From sign-up to full-network monitoring in under an hour. No collector infrastructure to provision, no vendor appliances to rack.
Step 1: Create your workspace
Sign up at flowtriq.com and create a workspace for your ISP. Invite NOC team members with appropriate roles (admin, analyst, or read-only). The 7-day free trial starts immediately with no credit card.
Step 2: Install FTAgent on edge nodes
Two commands per node. The agent auto-registers with your workspace on first heartbeat. Deploy across every POP, edge router, and peering point. Each node appears in your dashboard within seconds.
Step 3: Configure alert channels
Connect your NOC's Discord, Slack, PagerDuty, or email. Set up escalation policies so critical alerts reach the right team. Configure firewall rules for BGP scrubbing or RTBH triggers.
Step 4: Baselines auto-learn
Within minutes, Flowtriq builds dynamic baselines from your normal traffic patterns. Thresholds are set at 3x the 99th percentile by default. Override per-node if needed for high-traffic POPs.
Step 5: You're protected
Every node is now monitored every second. Attacks are detected, classified, captured, and mitigated automatically. Your NOC sees everything in a single multi-node dashboard.
Built for Scale
Lightweight enough for every edge node in your network.
ISPs worry about adding monitoring overhead to production routers and edge servers. The FTAgent is designed for exactly this environment. It reads data the kernel already computes. There is no packet inspection, no kernel module, no eBPF program, and no firewall rules.
CPU usage is typically under 0.1%. Memory footprint is under 20 MB. The agent runs on any Linux box — from a Raspberry Pi at a remote POP to a 128-core edge router. It installs in two commands and auto-registers with your Flowtriq workspace.
If connectivity to the Flowtriq cloud is interrupted, the agent continues monitoring locally and queues up to 2,000 events for delivery when the connection is restored. Your detection never stops, even during the attack itself.
| CPU overhead | < 0.1% on any modern server |
| Memory footprint | < 20 MB resident |
| Kernel module | Not required |
| Packet inspection | None (kernel stats only) |
| eBPF | Not required |
| Firewall rules | None installed |
| Installation | 2 commands (curl + systemctl) |
| Offline resilience | 2,000-event retry queue |
| OS requirement | Any Linux with /proc/net/dev |
| Auto-registration | Node appears in dashboard on first heartbeat |
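A minimal sketch of the detection approach described on this page: per-second counter deltas read from /proc/net/dev, compared against a threshold of 3x the 99th-percentile baseline. This is an added example, not Flowtriq's agent code; the function names, the nearest-rank percentile method, and the constructed snapshots and baseline are assumptions.

```python
"""Per-second rate check from /proc/net/dev counters (illustrative, not vendor code)."""

HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast"
    "|bytes    packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshots taken one second apart (values are made up for the example).
SNAP_T0 = HEADER + "  eth0: 500000000 1000000 0 0 0 0 0 0 900000 8000 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "  eth0: 1025000000 1892401 0 0 0 0 0 0 950000 8400 0 0 0 0 0 0\n"
# Constructed baseline: 100 one-second PPS samples of normal traffic (3800..4295).
BASELINE_PPS = [3800 + 5 * i for i in range(100)]

def parse_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are column headers
        if ":" not in line:
            continue
        iface, data = line.split(":", 1)
        fields = data.split()
        counters[iface.strip()] = (int(fields[0]), int(fields[1]))
    return counters

def rates(prev, curr, interval=1.0):
    """Per-interface (bits/s, packets/s) between two counter snapshots."""
    out = {}
    for iface, (rx_bytes, rx_pkts) in curr.items():
        if iface in prev:
            prev_bytes, prev_pkts = prev[iface]
            # Counters reset on interface flap or wrap; clamp negative deltas to zero
            # so a reset is never reported as a huge rate.
            out[iface] = (max(rx_bytes - prev_bytes, 0) * 8 / interval,
                          max(rx_pkts - prev_pkts, 0) / interval)
    return out

def threshold(baseline_pps, multiplier=3):
    """multiplier x the nearest-rank 99th percentile of the baseline samples."""
    ordered = sorted(baseline_pps)
    rank = -(-99 * len(ordered) // 100)         # ceil(0.99 * n) in integer math
    return multiplier * ordered[rank - 1]

def detect(baseline_pps, current_pps, multiplier=3):
    """True when the current rate exceeds the dynamic threshold."""
    return current_pps > threshold(baseline_pps, multiplier)

if __name__ == "__main__":
    bps, pps = rates(parse_net_dev(SNAP_T0), parse_net_dev(SNAP_T1))["eth0"]
    print(f"eth0: {pps:,.0f} pps, {bps / 1e9:.1f} Gbps, "
          f"threshold {threshold(BASELINE_PPS):,} pps, alert={detect(BASELINE_PPS, pps)}")
```

On a live node the two snapshots would come from reading /proc/net/dev one second apart, with the baseline list fed from the preceding minutes of samples.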
FAQ
Common questions from ISP teams
Can Flowtriq replace our existing NetFlow collector?
Flowtriq complements your existing flow infrastructure rather than replacing it. NetFlow and sFlow are valuable for billing, capacity planning, and traffic engineering. Flowtriq is purpose-built for real-time DDoS detection and automated response. Many ISPs run both: NetFlow for business analytics, Flowtriq for sub-second threat detection.
Does the agent impact router or server performance?
No. The FTAgent uses less than 0.1% CPU and under 20 MB of memory. It reads kernel-level network statistics that the operating system already computes. There is no packet capture during normal operation, no kernel module to load, and no firewall rules to install. It is lighter than most log shippers.
Can we trigger RTBH (Remote Triggered Black Hole) automatically?
Yes. Flowtriq's firewall rules support null-route actions that can be used to trigger RTBH via your existing BGP community setup. When an attack is detected, the agent can execute a configured null-route command that announces the attacked prefix with the appropriate community string to your route reflectors.
How does pricing work at ISP scale?
Flowtriq is priced at $9.99 per node per month, or $7.99 per node per month on an annual plan. For ISPs with larger deployments, volume discounts are available. Contact our sales team to discuss pricing for your network size. Every plan includes a 7-day free trial with no credit card required.