Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
1-Second Detection
Know the instant traffic spikes. PPS checked every second.
Attack Classification
Identifies 7 attack families with protocol-level confidence scores.
Node Firewall Rules
Per-server iptables, null-routes, CDN rules & scripts.
Cloud Scrubbing
Auto-divert to Cloudflare, OVH, or Hetzner on attack detection.
BGP Mitigation
Auto-deploy FlowSpec, RTBH blackhole & rate-limiting via BGP.
Multi-Channel Alerts
Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks.
PCAP Capture
Full packet capture with AI-powered forensic analysis.
Layer 7 Detection
HTTP flood, credential stuffing, API abuse & bot detection.
Automated Runbooks
Chain mitigation steps into automated incident response playbooks.
Analytics Baselines Threat Intel & IOC Multi-Node Status Pages Correlation Audit Log Attack Profiles Flow Collection Mirror / SPAN Mode
Learn
Documentation Quick Start API Reference Agent Setup DDoS Protection Landscape State of DDoS 2026 REPORT Free Certifications Hackathon Sponsorships
Research & Guides
Server Nerd Comic NEW Mirai Botnet Kill Switch Research memcached Amplification Dynamic Baselines PCAP Forensics PagerDuty Setup
Company
About Us Partners Managed Protection Whitelabel / Reseller Affiliate Program Pay with Crypto System Status
Legal & Support
Contact Us Security Trust Center Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All Use Cases → Talk to Us →
Infrastructure
Hosting Providers ISPs MSPs/MSSPs Small Operators Routers Edge Node Defense Proxy Providers VPN Providers
Gaming & Entertainment
Game Server Hosting Game Studios Esports Platforms iGaming & Sportsbooks
Business & Emerging
SaaS Platforms E-Commerce Financial Services Compliance VoIP & Cloud Calling GPU & AI Cloud
Docs/Dynamic Baselines

Dynamic Baselines

Automatic threshold learning that adapts to your traffic patterns

How It Works

Flowtriq uses a 300-sample sliding window with p99 percentile calculation to learn what "normal" looks like for each node. Instead of setting a fixed PPS threshold, the system continuously computes what traffic should look like based on recent history.

Sliding-Window p99

  • Window size: 300 samples (one sample per second, covering ~5 minutes of traffic)
  • Recalculation interval: Every 10 ticks (~10 seconds)
  • Detection threshold: 3x the p99 PPS (configurable per node)

An anomaly is flagged when current traffic exceeds 3x the p99 value from the sliding window. Because the window continuously slides forward, the baseline naturally adapts to gradual legitimate traffic increases. A sudden attack will exceed the p99 threshold while normal growth shifts the window upward over time.

Convergence

  • 5 minutes: The 300-sample window is fully populated and the p99 baseline reflects the node's actual traffic pattern
  • Bootstrap phase: During the first 5 minutes after agent startup, detection falls back to conservative static thresholds based on the interface line rate

What Gets Baselined

The detection engine computes independent baselines for:

  • Packets per second (PPS) for volumetric floods
  • Bytes per second (BPS) for amplification attacks with large packets
  • New connections per second derived from SYN rates
  • Protocol ratio (TCP/UDP/ICMP) to catch protocol-shift attacks

An alert fires when any single metric crosses its threshold.

Configuration

Baselines are configured per-node from Dashboard → Nodes → [Node] or workspace-wide from Dashboard → Scrubbing → Advanced.

SettingDescriptionDefault
ModeStatic (fixed threshold) or Dynamic (auto-learning)Dynamic
Fast multiplierHow many times above the fast baseline to trigger3x
Slow multiplierHow many times above the slow baseline to trigger5x
Learning windowHours of history used for baseline computation (24-720)168 (7 days)
Static thresholdFixed PPS threshold (only used in Static mode)Based on interface line rate

Per-Host Threshold Overrides

For critical infrastructure that needs tighter or looser thresholds, configure per-IP overrides from Dashboard → Scrubbing → Per-Host. Each override lets you set custom escalation thresholds at every level (local, FlowSpec, RTBH, scrubbing) and optionally enable geo lockdown for that IP.

Handling Scheduled Events

  • Maintenance windows: Schedule windows during which alerting is suppressed. Baselines continue learning so they adapt to the new traffic level.
  • Sensitivity profiles: Game servers with known spiky traffic can use a 5x fast multiplier instead of 3x. Database servers with predictable traffic can use 2x for earlier detection.
Tip: If you are seeing false positives after deploying the agent, increase the fast multiplier to 4x or 5x and wait 24 hours for the slow baseline to converge. Most false positives resolve within the first day as the baselines learn your traffic patterns.