Documentation | Flowtriq DDoS Detection API & Agent Setup

Dynamic Baselines

Automatic threshold learning that adapts to your traffic patterns

How It Works

Flowtriq uses exponentially weighted moving averages (EWMA) with two windows to learn what "normal" looks like for each node. Instead of setting a fixed PPS threshold, the system continuously computes what traffic should look like based on recent history.

Dual-Window EWMA

  • Fast window (alpha = 0.3): Reacts within minutes. Catches sudden deviations from the current traffic pattern.
  • Slow window (alpha = 0.05): Takes hours to shift. Provides a stable reference for the longer-term norm.

An anomaly is flagged when current traffic exceeds the fast baseline by a configurable multiplier (default 3x) and the slow baseline by a separate multiplier (default 5x). This means a gradual legitimate traffic increase shifts the fast baseline upward and avoids false alerts, while a sudden attack exceeds both simultaneously.

Convergence

  • 5 minutes: Fast baseline is within 15% of the true traffic mean
  • 30 minutes: Slow baseline has converged sufficiently for robust detection
  • Bootstrap phase: During the first 5 minutes after agent startup, detection falls back to conservative static thresholds based on the interface line rate
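A worked implementation of the dual-window scheme and the bootstrap fallback described above, added here as an illustration and not taken from Flowtriq's agent. The one-sample-per-minute cadence, the static threshold value, the choice not to update baselines with flagged samples, and the traffic series are all assumptions of this example.

```python
from dataclasses import dataclass

FAST_ALPHA = 0.3        # fast window: reacts within minutes
SLOW_ALPHA = 0.05       # slow window: shifts over hours
FAST_MULT = 3.0         # flag if pps > 3x fast baseline ...
SLOW_MULT = 5.0         # ... and pps > 5x slow baseline
BOOTSTRAP_SAMPLES = 5   # assumed: one sample per minute, 5-minute bootstrap


@dataclass
class DualEwma:
    fast: float = 0.0
    slow: float = 0.0
    count: int = 0
    seeded: bool = False
    static_threshold: float = 1_000_000.0  # assumed line-rate-derived pps limit

    def update(self, pps: float) -> bool:
        """Feed one sample; return True if it is flagged as anomalous."""
        self.count += 1
        if self.count <= BOOTSTRAP_SAMPLES:
            anomalous = pps > self.static_threshold        # bootstrap fallback
        else:
            anomalous = pps > FAST_MULT * self.fast and pps > SLOW_MULT * self.slow
        if anomalous:
            return True     # assumption: never learn from attack traffic
        if self.seeded:
            self.fast = FAST_ALPHA * pps + (1 - FAST_ALPHA) * self.fast
            self.slow = SLOW_ALPHA * pps + (1 - SLOW_ALPHA) * self.slow
        else:
            self.fast = self.slow = pps                    # seed from first clean sample
            self.seeded = True
        return False


def constructed_traffic() -> list[float]:
    """Constructed pps series: steady, legitimate ramp, plateau, then a sudden flood."""
    steady = [1000.0] * 30
    ramp = [1000.0 + 50.0 * i for i in range(1, 21)]      # gradual growth to 2000 pps
    plateau = [2000.0] * 10
    attack = [20000.0] * 3                                 # 10x jump, exceeds both baselines
    return steady + ramp + plateau + attack


def run(samples: list[float]) -> tuple[list[int], DualEwma]:
    """Return the indices flagged as anomalous and the detector's final state."""
    det = DualEwma()
    flagged = [i for i, pps in enumerate(samples) if det.update(pps)]
    return flagged, det
```

Only the three flood samples (indices 60 to 62) are flagged; the ramp shifts the fast baseline upward without an alert, and the baselines stay near 2000 pps because flagged samples are not learned.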

What Gets Baselined

The detection engine computes independent baselines for:

  • Packets per second (PPS) for volumetric floods
  • Bytes per second (BPS) for amplification attacks with large packets
  • New connections per second derived from SYN rates
  • Protocol ratio (TCP/UDP/ICMP) to catch protocol-shift attacks

An alert fires when any single metric crosses its threshold.

Configuration

Baselines are configured per-node from Dashboard → Nodes → [Node] or workspace-wide from Dashboard → Scrubbing → Advanced.

Setting          | Description                                                | Default
Mode             | Static (fixed threshold) or Dynamic (auto-learning)        | Dynamic
Fast multiplier  | How many times above the fast baseline to trigger          | 3x
Slow multiplier  | How many times above the slow baseline to trigger          | 5x
Learning window  | Hours of history used for baseline computation (24-720)    | 168 (7 days)
Static threshold | Fixed PPS threshold (only used in Static mode)             | Based on interface line rate

Per-Host Threshold Overrides

For critical infrastructure that needs tighter or looser thresholds, configure per-IP overrides from Dashboard → Scrubbing → Per-Host. Each override lets you set custom escalation thresholds at every level (local, FlowSpec, RTBH, scrubbing) and optionally enable geo lockdown for that IP.

Handling Scheduled Events

  • Maintenance windows: Schedule windows during which alerting is suppressed. Baselines continue learning so they adapt to the new traffic level.
  • Sensitivity profiles: Game servers with known spiky traffic can use a 5x fast multiplier instead of 3x. Database servers with predictable traffic can use 2x for earlier detection.

Tip: If you are seeing false positives after deploying the agent, increase the fast multiplier to 4x or 5x and wait 24 hours for the slow baseline to converge. Most false positives resolve within the first day as the baselines learn your traffic patterns.