Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Integrations 18
Learn
Free Tools 37 Free Certifications State of DDoS 2026 REPORT DDoS Protection Landscape Buyer's Guide PDF Hackathon Sponsorships DDoS Protection Facts
Company
About Us Become a Consultant 30% Partners White Label Managed Protection Contact Us System Status
Open Source
ftagent-lite MIT NetHawk MIT
Legal
Security Trust Center Terms & Privacy
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →

Understanding Incidents

An incident is created whenever Flowtriq detects traffic that exceeds the detection threshold on a monitored node. This guide covers everything you can do with incidents, from the list view to deep-dive forensics.

Incident List View

Navigate to Incidents in the sidebar to see all incidents. The list view provides:

Stat Cards

At the top of the page, summary counts are displayed: Total incidents, Active, Resolved, and False Positives.

Filtering

You can filter the incident list by multiple criteria:

FilterOptions
StatusAll, Active, Resolved, False Positive
SeverityAll, Critical, High, Medium, Low
Date RangeFrom date and To date pickers
SearchSearches across node name, attack family, title, UUID, attack tool, and attack subtype

Sorting

Click any column header to sort. Sortable columns include: Started, Severity, Peak PPS, Duration, Attack Family, and Node Name. Default sort is by start time, newest first.

Pagination

The list displays 50 incidents per page with pagination controls at the bottom.

CSV Export

Add ?export=csv to the incidents URL (or use the Export button) to download all matching incidents as a CSV file (up to 10,000 rows). The export respects your current filters.

Bulk Actions

Select multiple incidents using the checkboxes, then use the bulk action toolbar to:

  • Bulk Resolve - Mark all selected active incidents as resolved
  • Bulk False Positive - Mark all selected as false positives, with an optional reason field

Bulk actions require the Analyst role or higher.

False Positive Scoring in List View

Each incident in the list has a lightweight false positive (FP) score calculated from heuristic checks. Indicators include:

  • Micro-burst (duration 15s or less)
  • No threat intel signals
  • Single source IP
  • Low total packets
  • Peak not sustained (average PPS far below peak)
  • Severity-to-evidence mismatch

The FP score appears as a colored indicator next to the incident, giving you a quick sense of which incidents may warrant review.

Incident Detail Page

Click any incident to open its detail page. This is where the full investigation happens.

AI Summary

Each incident includes an AI-generated analysis that summarizes the attack in plain language. This is auto-generated the first time you view the incident (if peak PPS is greater than 0). The summary covers the attack type, traffic characteristics, and recommended actions.

Incident Actions

From the detail page, you can:

  • Resolve - Mark the incident as resolved. This records the resolution time and duration, triggers a postmortem report email to workspace admins, and resets the node status from "attack" to "online" (if no other active incidents remain).
  • Mark as False Positive - Flag the incident as a false positive with an optional reason. The reason is stored as an incident note. This also resets the node status if appropriate.
  • Add Note - Attach notes to the incident (up to 2,000 characters each). Notes include the author name and timestamp.
  • Download PCAP - Generate a time-limited download token for the PCAP file (valid for 15 minutes).

Firewall Mitigation Rules

The incident detail page automatically generates firewall rules tailored to the attack. Rules are generated for your workspace's preferred firewall (iptables, nftables, ufw, firewalld, pf, MikroTik, etc.). Safe IP lists are built automatically from your node IPs and team login IPs to prevent accidental self-blocking.

Recommendations

Below the AI summary, the system provides prioritized recommendations for responding to the attack. These are generated automatically based on the attack characteristics.

Push to Integration

If you have blocking integrations configured (MikroTik, pfSense, CrowdSec), a button allows you to push block rules for the top source IPs directly to your firewall or security platform.

Attack Families and Subtypes

Flowtriq classifies attacks into the following families:

FamilyDescription
UDP FloodVolumetric attack using UDP packets. Subtypes include DNS amplification, NTP amplification, memcached reflection, and generic UDP floods.
SYN FloodTCP SYN packets sent to exhaust connection tables. High SYN ratio with few ACK responses.
TCP FloodGeneral TCP-based flooding (ACK floods, RST floods, PSH+ACK floods).
HTTP FloodLayer 7 attacks targeting web servers. Measured in requests per second (RPS) rather than PPS.
ICMP FloodPing floods and ICMP-based volumetric attacks.
DNS FloodDNS query floods, DNS amplification, and DNS water torture attacks.
Protocol FloodAttacks exploiting protocol weaknesses (GRE floods, IP fragment floods, etc.).
Multi-VectorAttacks combining multiple families simultaneously (e.g., SYN flood + UDP amplification).

Confidence Scoring

Each incident includes a confidence score (0-100%) indicating how certain the classification is. The score is based on:

  • Protocol analysis (TCP flag distribution, UDP/TCP ratio)
  • IOC (Indicator of Compromise) matches from threat intelligence feeds
  • Source IP analysis (spoofing detection, botnet signatures)
  • Traffic pattern analysis (sustained vs. burst, geographic distribution)

Higher confidence means more signals corroborated the classification. A low confidence score may indicate a novel attack type or a legitimate traffic spike.

False Positive Analysis Engine

The incident detail page includes a comprehensive FP Analysis panel that evaluates multiple heuristic indicators:

IndicatorWeightWhat It Checks
Micro-burst80Duration was 15 seconds or less (the minimum possible)
Short duration50Duration was between 15-30 seconds
No threat indicators60No IOC matches, no spoofing detected, no botnet signatures
Single source IP75All traffic came from a single source address
Low sustained traffic65Average PPS was less than 10% of peak PPS
Standard service ports40All traffic targeted well-known ports (80, 443, etc.)
Normal TCP flags45SYN ratio is below 50% with ACK traffic present
Rapid-fire pattern855+ similar incidents from the same node within 6 hours
Severity mismatch70Critical severity but very few sources and short duration
Single source country35All traffic from one country (botnets typically span multiple)
High node FP rate5530%+ of incidents on this node in the last 30 days were false positives
No amplification40UDP-based attack with no amplification or reflection signatures

The overall FP score is the average of triggered indicator weights, with a boost when many indicators fire simultaneously. Levels: High (≥70), Medium (≥45), Low (>0).

Service Port Blocks

If the incident triggered service port detection, the detail page shows a Service Port Blocks section listing each blocked source IP, the block scope (non-service or full IP), the source PPS, targeted ports, block timestamp, and expiry.

Incident Notes

Team members can add notes to any incident for collaboration. Notes are displayed in chronological order with the author name and timestamp. False positive reasons are also stored as incident notes with a special false_positive_reason type.

Incident Groups

When multiple incidents on different nodes are correlated (part of the same attack campaign), they are linked in an Incident Group. Resolving all incidents in a group automatically resolves the group itself.

Auto-Resolve Behavior

Incidents can be resolved automatically in several ways:

  • Agent auto-resolve: When traffic drops back below the threshold, the agent reports the incident as resolved.
  • Workspace auto-resolve timer: Configurable in Settings → Workspace. Options: 5, 10, 15, 30, or 60 minutes. Set to 0 to disable. Default is 15 minutes.
  • Node deletion: Deleting a node resolves all its active incidents immediately.

FAQ

Can I delete an incident?

Yes, admins can delete incidents from the list view. Deleting an incident removes all related data including PCAP captures, recommendations, and group memberships.

What is the difference between Resolved and False Positive?

Resolved means the attack ended (either naturally or was mitigated). False Positive means the detection was a mistake; there was no real attack. False positives are excluded from compliance reports and aggregate statistics.

ESC