Flowtriq | Real-Time DDoS Detection & Auto-Mitigation for Servers


Live Detection & Mitigation

Detect. Mitigate. Stay online.

Flowtriq detects attacks in under a second, tells you exactly what they are, and stops them automatically. Cloud scrubbing, BGP mitigation, Layer 7 detection, PCAP forensics, automated runbooks, multi-channel alerts. Everything from the first packet to the post-incident report, handled.

14-day free trial · From $7.99 / node / month · No credit card required

09:41:02 Agent started on eth0 · threshold 10,000 PPS
09:41:03 Remote config: 290+ IOC patterns loaded
09:41:03 L7: tailing /var/log/nginx/access.log
09:44:17 PPS=1,204 BPS=42Mbps NORMAL
09:44:18 PPS=8,409 BPS=290Mbps ELEVATED
09:44:19 PPS=211M BPS=847Gbps ATTACK DETECTED
09:44:19 Incident opened · UUID: a3f7c2b1
09:44:19 PCAP capture started · IOC: UDP Flood
09:44:20 FlowSpec rule deployed · rate-limit UDP/53
09:44:20 Alert fired · Discord · Slack · PagerDuty
09:48:02 Attack mitigated · 3m43s · PCAP uploaded

211M Peak PPS

847Gbps Peak BPS

< 1s Detect Time

SYN Flood detected·nyc-edge-01·211M PPS

IOC match·mirai-variant·confidence 94%

Attack resolved·lon-cdn-02·3m 41s duration

DNS Amplification·fra-core-01·Peak 220Gbps

PCAP captured·tok-edge-01·10,000 packets

Botnet detected·syd-relay-03·3,241 source IPs

Baseline updated·ams-proxy-02·p99 = 2,100 PPS

HTTP Flood·sfo-api-01·92,000 req/s

Alert sent·all nodes·Discord · Slack · PD

FlowSpec deployed·fra-core-01·rate-limit UDP/53

Cloud scrub active·lon-cdn-02·Cloudflare Magic Transit


Real-Time Response

Attack detected and mitigated in under a second


DETECTED 211M PPS · UDP Flood

MITIGATED FlowSpec deployed · 0.71s

How It Works

Up and running in four steps

From install to first mitigation in under five minutes. No manual threshold tuning needed.

01 / INSTALL

Deploy the Agent

Two commands. The FTAgent installs on any Linux server, reads packets directly from the NIC, and connects to your Flowtriq workspace.

pip install ftagent
sudo ftagent --setup

02 / DETECT

Detect & Classify

Flowtriq learns your baseline, then detects and classifies attacks (UDP flood, SYN flood, DNS amp, HTTP flood) with confidence scoring and IOC matching.

03 / MITIGATE

Auto-Mitigate

BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically based on escalation policies you define. No manual intervention.

04 / COMMUNICATE

Alert & Communicate

Your team gets alerts on Slack, Discord, or PagerDuty in under a second. Your customers see live status on a branded page. By the time anyone checks, you're already handling it.

Proven in Production

Real attacks. Real infrastructure. Real results.

Features

Built for infrastructure teams who run real servers.

Purpose-built for NOC teams, hosting providers, game server operators, and infrastructure engineers who need detection, mitigation, and clarity during an attack, not noise.

Sub-Second Detection

L3/L4 volumetric floods caught in under a second via kernel-level PPS sampling. L7 application-layer attacks detected in real-time from access logs. No polling intervals.


Auto-Mitigation

BGP FlowSpec rate-limits, RTBH blackholes, and cloud scrubbing deploy automatically via escalation policies you define.


Attack Classification

Automatically identifies UDP floods, SYN floods, HTTP floods, ICMP floods, DNS amplification, and multi-vector attacks.


Full Packet Capture

PCAP files include pre-attack traffic so you can see the ramp-up. Stream captures to the dashboard during active attacks.


30+ Firewall Rule Types

iptables, nftables, ipset, ufw, firewalld, XDP/eBPF, nginx, apache, fail2ban, and more. Rules generated for 12 firewall platforms including Cisco, Juniper, and MikroTik.


Multi-Channel Alerts

Route alerts to Discord, Slack, PagerDuty, OpsGenie, SMS, email, or webhooks. Digest modes, quiet hours, and per-severity routing.


ISP Abuse Auto-Notify

Automatically send RFC-compliant abuse reports to source network operators when attacks resolve. RDAP contact lookup, rate-limited, fully auditable.


SIEM Integrations

Push incidents to Splunk, Elasticsearch, Microsoft Sentinel, Wazuh, MISP, or any CEF-compatible SIEM. All 6 integrations included.


Cloud Scrubbing

Trigger Cloudflare, OVH, Hetzner, Path.net, Voxility, G-Core, and 8 more providers automatically when attacks escalate.


IDS/IPS Feeds

Live Suricata, Snort, and Zeek threat intelligence feeds generated from cross-network attacker data. Pull via API on any schedule.


Audit + Compliance

Hash-chained audit log, 2FA, IP allowlist, GDPR data export, PDF incident reports, and scheduled weekly/monthly summaries.


Public Status Pages

Customers see real-time server health on a branded page. Incidents auto-publish and auto-resolve. Support tickets drop.


Automated Runbooks

Define response playbooks that execute automatically when specific attack types or thresholds trigger. Chain mitigation actions, notifications, and escalations without manual intervention.


Maintenance Windows

Schedule planned maintenance periods where detection sensitivity adjusts automatically. Prevent false positives during upgrades, migrations, and planned downtime.


Baseline Learning

Flowtriq learns your normal traffic patterns automatically. No manual thresholds to configure. Anomalies are detected by deviation from your actual baseline, not static rules.


Why Flowtriq

Detect before the damage lands

Most DDoS tools sit at one end of the stack. Cloud scrubbers absorb floods. Hardware appliances filter at the edge. Nothing in between does both detection and mitigation cleanly — until Flowtriq.

NetFlow / sFlow polling

Routers export sampled flow data every 1-5 minutes. Your collector aggregates, correlates, and fires an alert. By then, upstream links are saturated and customers are calling.

1-5 minute detection lag

Sampled — misses short bursts

No built-in mitigation

Separate tools for alert + response

Flowtriq real-time

A lightweight agent on each node reads kernel-level traffic stats every second. Detection, classification, mitigation, and alerting all happen before a NetFlow interval even starts.

Under 1 second from attack to mitigation

Every packet — no sampling

BGP FlowSpec + RTBH + cloud scrubbing built in

Detection and mitigation in one platform

Auto-reports abuse to source networks after mitigation

278,202 threat intel indicators

7 attack families classified

100% packet-level visibility

Coming soon: Flowtriq Shield. Managed scrubbing that detects, routes, scrubs, and returns clean traffic. No BGP expertise required.

Autonomous Operation

Configure once. It handles the rest.

Set your escalation policy and runbooks during business hours. When an attack hits at 3 AM, Flowtriq detects it, deploys firewall rules, escalates to BGP FlowSpec or cloud scrubbing if needed, updates your status page, and alerts your team. By the time you check Slack, the incident is already resolving.

Automated Runbooks

Chain firewall rules, scrubbing activation, team alerts, and status page updates into playbooks that execute without you.

4-Level Auto-Escalation

Local firewall rules at 100 Mbps, FlowSpec at 500 Mbps, RTBH at 2 Gbps, cloud scrubbing at 5 Gbps. Each level fires automatically.

Self-Updating Status Pages

Customers see live server health at your branded URL. Incidents auto-publish, maintenance windows auto-announce. Zero manual updates.

Inside the Dashboard

See it before you sign up

CRITICAL · INC-4821

UDP Flood

Confidence 94% · Mirai variant · 2,847 source IPs

211M Peak PPS

847G Peak BPS

0.71s Response

Auto-mitigating · FlowSpec deployed

ONLINE · nyc-edge-01

4,218 PPS

148M BPS

99.98% Uptime

New York · eth0 · Agent v2.4.1

#incidents

DDoS Attack Detected

UDP Flood on nyc-edge-01 (203.0.113.5)

Peak: 211M PPS

Family: UDP Flood

Status: Mitigating

Action: FlowSpec

Today at 09:44 AM

Integrations

Makes your stack attack-aware

Flowtriq pushes the classified attack, confidence score, peak PPS/BPS, affected node, and mitigation taken to the tools your team already uses. Alerts fire within one second of detection.

Cloudflare

Scrubbing + WAF

BGP / ExaBGP

FlowSpec & RTBH

PagerDuty

On-Call Escalation

OpsGenie

Alert Management

Prometheus

Metrics Scraping

Webhooks

Custom Automation

Works With Your Stack

Native integrations for firewalls, panels, and platforms

Deploy on your infrastructure the way it already runs. No middleware, no proxying.

The Ecosystem

Programs, tools, and resources

Flowtriq is more than a detection platform. Free tools, certifications, managed services, partner programs, and open-source projects for the network security community.

Managed Protection

Let our analysts watch your network

24/7 monitoring, active incident response, custom runbooks. Three tiers from $499/mo. No long-term contracts.


Free Tools

37 network security tools, no account needed

Risk calculators, PCAP analyzer, BGP FlowSpec builder, iptables generator, attack map, IP threat lookup, and more.


Free Certifications

Prove your DDoS expertise

Four certification tracks from foundations to incident commander. Verifiable credentials, LinkedIn badges, and a consultant directory listing.


White Label

Run Flowtriq under your own brand

Custom domain, full visual rebrand, branded login page, API tokens, and multi-tenant architecture for MSPs and hosting providers.


Consultant Program

Earn 30% recurring commission for life

Help hosting and ISP clients protect their infrastructure. Affiliate dashboard, directory listing, co-marketing, and certified credential.


Open Source

ftagent-lite and NetHawk, MIT licensed

Standalone DDoS monitor and Go-based traffic analyzer. Free forever, no account needed. Use in labs, coursework, or production.


Managed SOC

Who monitors your network at 3 AM?

A junior SOC analyst costs $60K+ per year. Our Respond plan is $17,988/year with 24/7 coverage, incident response, and threshold tuning included.

Watch

$499/mo

Business-hours coverage for teams that want a second set of eyes on their traffic.

  • Mon-Fri, 8 AM - 8 PM ET
  • Alert review and triage
  • Monthly threshold optimization
  • Email incident summaries


Respond

$1,499/mo

Round-the-clock on-call analysts who actively respond when attacks hit.

  • 24/7 on-call coverage
  • 15-minute response SLA
  • Active incident response
  • Threshold tuning and escalation
  • Slack or Teams war room


Dedicated

$3,999/mo

A named analyst who knows your infrastructure as well as you do.

  • Named analyst assigned to you
  • 5-minute response SLA
  • Custom runbooks and playbooks
  • Quarterly architecture reviews
  • Direct phone escalation


Pricing

Simple, honest pricing

Per-node or per-flow-source pricing. No traffic-volume surcharges, no per-alert fees, no seat limits.

Per Node

$7.99/node/mo

billed annually · $9.99 monthly

Install our lightweight agent on each server. Kernel-level detection, zero sampling. Includes built-in flow adapter for that node's traffic.

  • Sub-second DDoS detection
  • Automated mitigation (iptables, nftables, XDP/eBPF, cloud APIs)
  • BGP FlowSpec + RTBH + cloud scrubbing
  • PCAP capture + AI forensics
  • NOC alerts in seconds
  • Full dashboard + REST API
  • Unlimited incidents, users, support


Per Flow Source

from $19/source/mo

Send sFlow, NetFlow, or IPFIX from your routers. Pay per source, not per gigabit. Volume discounts from $39 down to $15/source (annual).

  • sFlow v5, NetFlow v5/v9, IPFIX
  • Unlimited destination IPs
  • All features included
  • Same dashboard, alerting, API
  • Volume pricing (20+ sources = $19/ea)
  • Works standalone or alongside agents


Enterprise

Custom

Volume discounts, dedicated support, extended retention, SSO, and SLA guarantees.

  • Everything in Per Node + Flow Source
  • Volume pricing (50+ nodes)
  • 365-day PCAP + audit retention
  • Dedicated Slack + named CSM
  • SSO / SAML
  • 99.9% uptime SLA


Managed Protection

Don't have a NOC? We'll be yours.

24/7 analyst monitoring, active incident response, custom runbooks. Three tiers from $499/mo. Costs less than a single junior SOC hire.

5-min response (Dedicated) · Named analyst · No long-term contracts

FAQ

Frequently asked questions

What is Flowtriq?

Flowtriq is a real-time DDoS detection and auto-mitigation platform. It installs as a lightweight agent on your Linux servers, monitors every packet, classifies attack types (SYN flood, UDP amplification, DNS reflection, etc.), and can automatically deploy BGP FlowSpec rules, RTBH, or trigger cloud scrubbing, all within one second of detection.

How does Flowtriq detect DDoS attacks?

Flowtriq monitors network traffic in real time using per-packet inspection. It learns your normal traffic baseline, then detects anomalies like sudden spikes in packets-per-second, unusual protocol distributions, or known attack signatures. It classifies attacks into specific types and alerts your team within one second.

How much does Flowtriq cost?

$7.99 per node per month billed annually, or $9.99 billed monthly. Flow source pricing from $15/source/mo (annual) for router-level sFlow/NetFlow/IPFIX ingestion. No per-seat charges, no traffic-volume surcharges, no per-alert fees. Every plan includes all features. Enterprise and volume pricing available. 14-day free trial, no credit card required.

What alert channels does Flowtriq support?

Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. Alerts fire within one second of detection and include attack type, severity, packets-per-second, and affected node details.

Does Flowtriq offer auto-mitigation?

Yes. Flowtriq can automatically deploy BGP FlowSpec rules, RTBH routing, or trigger cloud scrubbing when an attack is detected. You can configure mitigation rules with thresholds, cooldowns, and specific attack type triggers from the dashboard.

How long does it take to set up?

Under two minutes. Run pip install ftagent, then sudo ftagent --setup with your API key. The agent immediately begins monitoring traffic. You'll see data in your dashboard within seconds of installation.

What is PCAP capture?

When Flowtriq detects an attack, it automatically captures raw packet data (PCAP) for forensic analysis. Download captures from the dashboard, filter by protocol and time range, and use them with tools like Wireshark. Retention is 7 days on standard plans, up to 365 days on enterprise.

Can I monitor multiple servers?

Yes. Install the agent on as many servers as you need and manage them all from one dashboard. Each node is billed independently. You can organize servers into separate workspaces for different teams or clients.

What is the Flowtriq Protected trust badge?

A verified, embeddable badge that hosting providers display on their website, WHMCS order pages, and server listing profiles. It reflects real-time protection status and links to a public verification page where anyone can confirm the provider has active DDoS monitoring. Available to any Flowtriq user with at least one online node.