Back to Blog

We sell Flowtriq as a server-level DDoS detection product, so this post directly describes our approach and where it fits relative to Cloudflare. We are not positioning Cloudflare as a bad product. It is an excellent product for the use cases it was designed for.

Why Cloudflare doesn't cover everything

Cloudflare is a reverse proxy. When you put a website behind Cloudflare, you change your DNS records to point at Cloudflare's network. All HTTP and HTTPS traffic flows through their infrastructure, where it gets inspected, filtered, cached, and then forwarded to your origin server. For websites, this model works extremely well. Cloudflare absorbs volumetric attacks, filters application-layer abuse, and caches static assets closer to your users. Millions of websites rely on it for good reason.

The limitation is structural, not a flaw. Cloudflare's proxy is built for HTTP and HTTPS. If your service communicates over raw TCP, UDP, ICMP, or any protocol that is not HTTP, the standard Cloudflare proxy does not apply. Game servers running Minecraft (UDP on port 25565), FiveM (UDP on port 30120), or Rust (UDP on port 28015) send and receive game state data in custom UDP formats that cannot be proxied through an HTTP reverse proxy. VoIP and SIP services are latency-sensitive and cannot tolerate an additional network hop through a third-party proxy. Mail servers need their origin IP visible in headers for SPF and DKIM validation to work correctly.

Cloudflare does offer Spectrum, which extends proxy protection to arbitrary TCP and UDP ports. Spectrum is a real product that works, but the pricing is designed for enterprise use cases. On Business plans, Spectrum charges per gigabyte of traffic at $1/GB or more, and it still requires routing all traffic through Cloudflare's network. For a game server handling 500 GB of traffic per month, Spectrum alone could cost $500/month before any other Cloudflare charges. For many operators, that is not a viable path. And even with Spectrum, you lose origin IP visibility since all inbound traffic arrives from Cloudflare's IP ranges.

Server-level detection: the alternative model

Server-level DDoS detection takes a fundamentally different approach. Instead of sitting between the internet and your server as a proxy, a lightweight agent runs directly on the server itself. The agent monitors all inbound traffic across every port and every protocol. It does not need DNS changes because it is not intercepting traffic. It does not need a proxy because it is observing traffic that is already arriving at the server. Your network configuration, DNS records, and IP addresses stay exactly as they are.

Flowtriq's agent monitors traffic at the kernel level using eBPF, which means it sees every packet across TCP, UDP, ICMP, and any other protocol hitting the server. Detection happens in 1-2 seconds. When the agent identifies an attack, it automatically classifies the vector (SYN flood, UDP amplification, DNS reflection, NTP amplification, ICMP flood, and dozens of other patterns), captures a PCAP sample for forensic analysis, and fires alerts to whatever channels you have configured. The entire detection and classification pipeline runs locally on the server with no dependency on external infrastructure.

This model works on anything running Linux. Game servers, mail servers, VoIP gateways, database servers, API backends, DNS servers, custom applications on non-standard ports. If it receives network traffic, the agent can monitor it. There is no list of "supported protocols" because the agent operates at the packet level, below the application layer.

What you get without a proxy

  • Real-time detection across all protocols. TCP, UDP, ICMP, GRE, and anything else. No protocol restrictions, no port restrictions. If packets arrive at the server, they are monitored.
  • Per-server dynamic baselines. The agent learns normal traffic patterns for each individual server and flags deviations. This is not a static threshold you set and hope is right. Baselines adapt to your traffic profile over time.
  • Attack classification. Every detected attack is automatically classified by vector: SYN flood, UDP amplification, DNS reflection, NTP amplification, SSDP, memcached, ICMP flood, and more. You know what is hitting you, not just that something is.
  • PCAP forensics on every attack. Automatic packet captures during attacks give you the raw data for post-incident analysis, upstream provider communication, or law enforcement reports.
  • Multi-channel alerting. Slack, Discord, PagerDuty, SMS, email, and generic webhooks. Configure as many channels as you need with per-channel severity thresholds.
  • BGP blackhole integration. Automated RTBH triggering through BGP sessions with your upstream providers for volumetric attacks that exceed your port capacity.
  • $9.99/node/month with a 14-day free trial. No bandwidth tiers, no per-user dashboard fees, no activation charges.

What you don't get without a proxy

Honesty matters more than a sales pitch. Server-level detection is not a replacement for every capability a proxy provides. Here is what Flowtriq does not do:

  • No inline traffic filtering. Flowtriq detects and classifies attacks but does not drop packets inline. The agent is an observer, not a firewall. When an attack is detected, Flowtriq triggers automated responses (BGP blackhole, FlowSpec rules, webhook-driven upstream API calls), but the actual packet filtering happens upstream or at the network edge, not on the server itself.
  • No Layer 7 WAF. SQL injection filtering, XSS prevention, and application-layer request inspection are a different product category. Flowtriq is a DDoS detection and response platform, not a web application firewall.
  • No CDN or caching. A reverse proxy like Cloudflare caches static content at edge locations worldwide. Server-level detection does not interact with content delivery at all.
  • No scrubbing without upstream integration. If you need attack traffic dropped before it reaches your server's network port, you need either inline hardware, a scrubbing center, or an upstream provider with filtering capabilities. Flowtriq can trigger these systems automatically via BGP or webhooks, but it does not replace them.

For many operators, the combination of fast detection, automatic classification, forensic capture, and automated upstream triggering is exactly what they need. The server stays informed, the team gets alerted immediately, and mitigation actions fire without manual intervention. But if your use case requires every malicious packet to be silently dropped before it reaches your NIC, you need inline infrastructure in addition to detection.

How the approaches compare

Capability Cloudflare Pro Cloudflare Spectrum Flowtriq
Protocol coverage HTTP/HTTPS only TCP and UDP All protocols
DNS changes required Yes Yes No
Origin IP visible No (CF IPs) No (CF IPs) Yes
Detection latency Inline (real-time) Inline (real-time) 1-2 seconds
PCAP forensics No No Yes, every attack
Game server support No Yes (per-GB cost) Yes (flat rate)
Inline filtering Yes Yes No (triggers upstream)
Price model Per-domain tier Per-GB bandwidth Per-node flat rate
Starting price $20/mo ~$5/mo + $1/GB $9.99/node/mo
Self-hosted No (SaaS proxy) No (SaaS proxy) Agent on your server

These are not competing products in the way that two reverse proxies would compete. Cloudflare and Flowtriq solve different problems for different infrastructure. Some operators use both: Cloudflare in front of their HTTP services and Flowtriq on their non-HTTP servers.

Protect any server, any protocol. 14-day free trial.

$9.99/node/month. Server-level DDoS detection for game servers, mail servers, VoIP, and anything else running Linux. No DNS changes, no proxy, no traffic rerouting. Install in 60 seconds.

Start Free Trial →

Common use cases

Game servers (Minecraft, FiveM, Rust)

Game servers are the most common use case for DDoS protection outside of Cloudflare. These services communicate almost entirely over UDP on non-standard ports. Minecraft uses port 25565, FiveM uses port 30120, Rust uses port 28015. None of these can be proxied through Cloudflare's standard HTTP proxy, and Spectrum pricing at $1/GB makes it impractical for game servers that can generate hundreds of gigabytes of traffic monthly.

Game servers are also disproportionately targeted. Competitive gaming communities, rival server operators, and disgruntled players all have motivation to launch attacks. Flowtriq detects these attacks within 1-2 seconds, classifies the vector, and triggers automated mitigation. Server operators see exactly what happened, when, and how large the attack was, which matters when communicating with their player community about downtime.

Mail and SMTP servers

Mail servers present a unique challenge for proxy-based protection. SMTP relies on the origin IP address for authentication mechanisms like SPF and DKIM. When all inbound traffic arrives from a proxy's IP range, SPF records break because the sending IP no longer matches the expected origin. Running a mail server behind Cloudflare's proxy is not practical without significant changes to your mail authentication configuration. Server-level detection monitors SMTP traffic without interfering with mail delivery, IP reputation, or authentication headers.

VoIP and SIP services

Voice over IP is latency-sensitive by definition. Adding a proxy hop between callers and your SIP infrastructure introduces latency that degrades call quality. VoIP also uses UDP (RTP for media, SIP for signaling) on a range of ports, making HTTP proxy protection irrelevant. DDoS attacks against VoIP infrastructure are particularly damaging because even a small volumetric attack can make the service unusable. Flowtriq's agent monitors all VoIP-related ports and detects attacks before call quality degradation becomes noticeable to end users.

Custom services and APIs on non-standard ports

Many infrastructure services run on non-standard ports or use custom protocols. Database replication, internal APIs, monitoring endpoints, message queues, and custom application protocols all fall outside what an HTTP reverse proxy can protect. If you run any service that listens on a port and accepts connections, Flowtriq's agent monitors it. There is no port list to configure and no protocol to specify. The agent monitors everything hitting the server, and dynamic baselines adapt to whatever your normal traffic looks like.

Frequently asked questions

Can I use DDoS protection without changing my DNS?
Yes. Server-level DDoS detection agents like Flowtriq run directly on your server and monitor traffic locally. There are no DNS changes, no proxy configuration, and no traffic rerouting required. You install the agent, it begins monitoring all inbound traffic across every port and protocol, and detection starts within minutes. Your DNS records, IP addresses, and traffic paths remain exactly as they are.
Does Flowtriq protect game servers from DDoS?
Flowtriq detects DDoS attacks against game servers running any protocol, including UDP-heavy games like Minecraft, FiveM, and Rust. The agent monitors all traffic on all ports, classifies attack vectors in 1-2 seconds, captures PCAPs for forensics, and triggers alerts and automated mitigation responses. Since it runs on the server itself, there is no proxy hop that would add latency to gameplay.
What's the difference between Cloudflare and server-level DDoS detection?
Cloudflare is a reverse proxy that sits between the internet and your server. All traffic routes through Cloudflare's network, where it is inspected and filtered before reaching your origin. This works well for HTTP/HTTPS websites but requires DNS changes, hides your origin IP, and does not support non-HTTP protocols without Cloudflare Spectrum. Server-level detection runs an agent directly on the server, monitors all protocols without any traffic rerouting, and detects attacks in 1-2 seconds. It does not filter traffic inline but triggers automated responses like BGP blackhole, FlowSpec rules, or upstream webhook integrations.