Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Confidence Scoring

How Flowtriq distinguishes real attacks from traffic anomalies

What Confidence Means

Every incident in Flowtriq receives a confidence score from 0 to 100. This score represents how certain the system is that the detected traffic anomaly is a genuine DDoS attack rather than a legitimate traffic spike. The score is computed at the end of each incident using multiple independent signals.

Higher confidence means more corroborating evidence. A score of 85 means the system found strong evidence across several dimensions (traffic volume, protocol patterns, source analysis, packet characteristics). A score of 35 means the threshold was crossed but few other signals confirmed malicious intent.

How Confidence Is Calculated

The score starts at a base of 30 and adds or subtracts points based on these factors:

SignalPointsLogic
PPS/threshold ratio+0 to +25Adds min(25, ratio * 5). An attack at 5x the threshold gets full +25. An attack barely above threshold gets +5.
Source IP count > 5,000+10Large distributed attack from many sources is unlikely to be legitimate.
Source IP count > 1,000+5Moderate distribution. Fewer points because legitimate CDN or API traffic can have 1,000+ sources.
Protocol dominance > 80%+10Single-protocol floods (95% UDP, 98% SYN-only TCP) are more suspicious than mixed traffic.
Packet size uniformity (std < 50 bytes)+10Attack tools produce packets of identical size. Legitimate traffic has varied packet sizes.
Duration > 60 seconds+5Longer attacks are more likely intentional.
Duration < 15 seconds-10Very short events are often noise (BGP reconvergence, cache flush).
IOC pattern matches+0 to +20Each distinct IOC match adds confidence, capped at +20. Matching a known Mirai payload is strong evidence.
Spoofing detected+10High TTL entropy combined with high source entropy indicates spoofed source IPs.
Botnet detected+10More than 5,000 unique source IPs or a known botnet family signature match.

The final score is clamped to the range 0-100.

Example Calculations

# Example 1: Large UDP amplification attack Base: 30 PPS ratio (8x threshold): +25 # 8 * 5 = 40, capped at 25 Source IPs (45,000): +10 Protocol dominance (97% UDP): +10 Packet size std (12 bytes): +10 Duration (340 seconds): +5 IOC: NTP monlist (15 hits): +15 Spoofing detected: +10 Total: 100 (capped from 115) # Example 2: Brief traffic spike, ambiguous Base: 30 PPS ratio (1.5x threshold): +7 # 1.5 * 5 = 7 Source IPs (800): +0 Protocol dominance (62%): +0 Packet size std (210 bytes): +0 Duration (12 seconds): -10 IOC: none +0 Total: 27

Per-Source-IP Confidence

Beyond the incident-level score, the agent also computes a confidence score for each individual source IP in the top-20 sources. This helps identify which IPs are most likely attackers vs caught-up bystanders:

SignalPoints
Packet contribution > 5% of total+30
Packet contribution > 2% of total+15
SYN-only (TCP with SYN flag, no ACK)+25
Single TTL value across 50+ packets+20
Single protocol only (all TCP, or all UDP)+10
Packet count > 500 in window+15

Confidence Threshold for Mitigation

When automated mitigation is enabled (BGP FlowSpec, RTBH, cloud scrubbing), the system checks the incident confidence score against the confidence threshold before deploying rules. The default threshold is 0.65 (65 out of 100).

Configure this in Dashboard → Scrubbing → Escalation Settings → Confidence Threshold. The value ranges from 0.10 to 1.00.

# Mitigation decision (from lib/mitigation.php) $threshold = $escalation_config['confidence_threshold'] ?? 0.65; if ($incident['confidence'] / 100 < $threshold) { // Skip automated mitigation -- confidence too low log("Skipping mitigation: confidence {$incident['confidence']} below threshold {$threshold}"); return; } // Proceed with FlowSpec / RTBH / scrubbing deployment

Choosing a Threshold

ThresholdTrade-offBest for
0.40 - 0.50Aggressive. Mitigates quickly but may act on ambiguous events.Game servers, real-time services where any disruption is unacceptable
0.60 - 0.70 (default)Balanced. Requires solid evidence before deploying rules.Most production workloads
0.80 - 0.90Conservative. Only mitigates high-confidence attacks.Environments where false-positive mitigation is worse than the attack itself

Using Confidence to Filter Alerts

Escalation policies (see Escalation Policies) can route alerts based on severity, which is derived from confidence and peak PPS. You can also filter incidents in the dashboard by confidence range to focus on confirmed attacks during post-incident review.

Tip: If you are using dry-run mode for mitigation, set the confidence threshold to 0.40 during the evaluation period. This lets you see what the system would mitigate without actually deploying rules, giving you data to calibrate the right threshold for your environment.
ESC