Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Attack Classification Reference

Flowtriq classifies attacks using protocol breakdown, TCP flag analysis, port evidence, packet size, IOC matching, and DNS detection. Each incident gets a family and optional subtype.

Attack Families

FamilyTriggerDescription
udp_floodUDP > 45%High-volume UDP floods including amplification and reflection.
syn_floodTCP > 45%, SYN ratio > 50%TCP SYN floods exhausting connection tables.
dns_floodDNS queries + UDP > 40%DNS query floods and amplification. Requires actual DNS content.
icmp_floodICMP > 30%ICMP echo floods and oversized packets.
tcp_floodTCP dominant, SYN < 50%ACK, RST, FIN, PSH+ACK, XMAS, and NULL floods.
http_floodL7 request rateApplication-layer HTTP floods via access log analysis.
multi_vector2+ protocols > 25%Coordinated multi-protocol attacks.
protocol_floodGRE/ESP/IPIP > 30%Non-standard protocol floods.
fragment_floodIP fragments > 50%Fragmentation attacks exhausting reassembly buffers.

UDP Subtypes

SubtypeEvidence
dns_amplificationPort 53, large packets (>512B)
ntp_amplificationPort 123
ssdp_amplificationPort 1900
memcached_amplificationPort 11211
cldap_amplificationPort 389
chargen_amplificationPort 19
snmp_amplificationPort 161
wsd_amplificationPort 3702
mdns_amplificationPort 5353
openvpn_amplificationPort 1194
rdp_amplificationPort 3389
quic_floodUDP port 443
small_packet_floodAvg size < 100B
amplification_genericAvg size > 1200B
volumetricDefault

TCP Subtypes

SubtypeEvidence
syn_ack_floodSYN > 30% and ACK > 30%
ack_floodACK > 60%, SYN < 10%
rst_floodRST > 40%
fin_floodFIN > 40%
psh_ack_floodPSH > 40%, ACK > 30%
xmas_floodFIN, PSH, URG all > 15%
null_floodAll flags near zero

HTTP Subtypes (L7)

SubtypeEvidence
h2_rapid_resetHTTP/2, high 499 status, high RPS/IP (CVE-2023-44487)
h2_settings_floodHTTP/2, RPS/IP > 200, few source IPs
credential_stuffingLogin path patterns
scrapingHigh unique path count
slow_rateLow RPS from many IPs

IOC Tool Detection

Payload matching identifies: Mirai, Gafgyt/Bashlite, Mozi, XorDDoS, Meris, Mantis, Fodcha, LOIC/HOIC, MHDDoS, Slowloris, GoldenEye, and more.

FAQ

Why multi_vector instead of udp_flood?

Multi-vector requires 2+ protocols each > 25%. Normal traffic (65% TCP / 30% UDP) does NOT trigger it because only TCP exceeds 25%. If classified as multi-vector, the attack genuinely uses significant volumes of multiple protocols.

Why udp_flood instead of dns_flood?

dns_flood requires actual DNS query content in packets, not just UDP on port 53. A single DNS lookup during a UDP flood will not reclassify the incident.

ESC