Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Exposure Scanner Guide

Comprehensive attack surface audit for every node

What the Scanner Checks

The Exposure Scanner runs 20 categories of checks against each node's public IP address. Checks are non-intrusive and designed to identify DDoS attack surface vulnerabilities, not penetrate the system.

#CategoryWhat it checks
1Open PortsTCP/UDP port scan for unnecessary listening services
2AmplificationUDP services exploitable for reflection/amplification (DNS, NTP, SSDP, Memcached, Chargen, SNMP)
3DNS ConfigurationOpen resolver, zone transfer, DNSSEC status
4HTTP HeadersMissing security headers (X-Frame-Options, CSP, HSTS, etc.)
5SSL/TLSCertificate validity, protocol version, cipher strength, chain completeness
6Proxy/CDNWhether the IP is behind a CDN or reverse proxy (Cloudflare, AWS CloudFront, Akamai)
7Network ServicesSNMP community strings, SSDP, mDNS, NTP mode 6/7
8IP ReputationDNSBL lookups across multiple blocklists
9Shodan InternetDBPassive recon from Shodan's free InternetDB (no API key required)
10Rate LimitingHTTP rate-limit header detection (X-RateLimit-*, Retry-After)
11SSH SecuritySSH protocol version, key exchange algorithms, cipher audit, banner analysis
12Service BannersVersion detection on open ports (identifies outdated software)
13Email SecuritySPF, DMARC, DKIM records via DNS; CAA records
14Firewall DetectionFiltered vs closed port heuristics (are dropped packets visible?)
15DNS ExtendedDNSSEC validation chain, CAA records for certificate authority
16Web DiscoverySensitive paths (/.env, /.git/, /server-status), tech fingerprinting, directory listing
17Web SecurityCookie flags (Secure, HttpOnly, SameSite), CORS policy, info disclosure, debug pages
18Database ExposureUnauthenticated access to MySQL, MongoDB, Elasticsearch, Redis
19FTP SecurityAnonymous login, bounce attack susceptibility
20CVE ChecksKnown vulnerability fingerprinting from service versions and banners

Running a Scan

Go to Dashboard → Exposure Check. Click any node card to select it, then click Run Scan. The scan runs in the background and takes 60-120 seconds depending on the number of open ports.

Progress is shown as a percentage bar with the current check category displayed below it. Results appear automatically when the scan completes.

Understanding Results

Each scan produces:

  • Score (0-100): Higher is better. Represents the overall security posture of the node.
  • Grade (A-F): Derived from the score: A (90-100), B (75-89), C (60-74), D (40-59), F (0-39).
  • Findings: Individual check results, each with a severity level and actionable recommendation.

Severity Levels

SeverityMeaningExample
CriticalImmediately exploitable for DDoS amplification or data exposureOpen DNS resolver, unauthenticated Redis, anonymous FTP
WarningIncreases attack surface but not immediately exploitableOutdated TLS version, missing HSTS header, weak SSH ciphers
InfoInformational finding, no immediate riskServer version detected in banner, no rate limiting headers
PassCheck passed with no issuesValid SSL certificate, no open amplification vectors

Remediation Guidance

Every critical and warning finding includes a Recommendation section with specific remediation steps. For example, if the scanner detects an open DNS resolver on port 53:

CRITICAL: Open DNS resolver detected on port 53 Description: This server responds to DNS queries from any source IP. Attackers can use it as a reflector/amplifier for DNS amplification attacks. Recommendation: Restrict DNS to authoritative-only or add ACLs: - BIND: Add "allow-recursion { localhost; };" to named.conf - Unbound: Set "access-control: 0.0.0.0/0 refuse" in unbound.conf - Firewall: Block inbound UDP/53 from untrusted sources

Scheduling Recurring Scans

The auto-scan interval is configurable per workspace. Go to Dashboard → Exposure Check and use the Auto-Scan dropdown in the top-right corner:

IntervalValue
Daily1
Every 3 days3
Weekly (default)7
Every 2 weeks14
Monthly30

Recurring scans are run by a background cron job. Results appear on each node card with grade badges, and stale scans (older than 7 days) are flagged with an orange "Stale" badge.

API Access to Scan Results

Scan results are available via the dashboard API. All endpoints require authentication.

Get Latest Results for All Nodes

GET /api/dash/exposure.php?action=latest

Returns all nodes with their most recent scan grade, score, and finding counts.

Get Detailed Findings for a Scan

GET /api/dash/exposure.php?action=results&scan_id=42

Returns the full scan record plus all findings (category, severity, title, description, recommendation).

Get Scan History for a Node

GET /api/dash/exposure.php?action=history&node_id=7

Returns the last 20 scans for a node with grade, score, and timestamps. Use this to track security posture over time.

Trigger a New Scan

POST /api/dash/exposure.php?action=scan Content-Type: application/json {"node_id": 7}

Returns the new scan ID. Poll action=status&scan_id=X for progress updates (0-100%).

Exporting Reports

Click Export Report on any completed scan to generate a printable HTML report with all findings, severity badges, and remediation guidance. Use your browser's print function to save as PDF.

ESC