Documentation | Flowtriq DDoS Detection API & Agent Setup

Integrations

Automated incident response, threat reporting, and blocking

Overview

Flowtriq integrations fire automatically during DDoS incidents. They handle three things: incident response (blocking attacker IPs at the firewall), threat intelligence reporting (sharing attacker data with global databases), and automated blocking via external security platforms. Each integration is configured per workspace and triggers without manual intervention.

Cloud scrubbing: For cloud-level scrubbing integrations (Cloudflare, OVH, Hetzner, Linode, and others), see the Cloud Scrubbing docs section.

iptables

The iptables integration auto-generates DROP rules for attacker IPs identified during a DDoS incident. Rules are pushed directly to the Flowtriq agent running on the node, which applies them to the local firewall.

  • Rules are generated when an incident is detected and contain source IPs from the attack traffic
  • The auto-apply option pushes rules to the agent immediately without manual confirmation
  • When auto-apply is disabled, rules are staged in the dashboard for review before deployment
  • Rules are automatically removed when the incident resolves (configurable)

Setup

  1. Go to Dashboard → Integrations
  2. Click Add Integration and select iptables
  3. Choose whether to enable auto-apply (recommended for production nodes with tuned baselines)
  4. Save the integration

AbuseIPDB

The AbuseIPDB integration reports attacker IPs to the AbuseIPDB global threat intelligence database when an incident resolves. Reports are filed under category 4 (DDoS Attack) and include the attack type, duration, and peak PPS.

  • Up to 20 attacker IPs are reported per incident (AbuseIPDB rate limits apply)
  • Reports include structured comments with attack metadata
  • Duplicate IPs already reported within the last 15 minutes are skipped automatically
  • Requires an AbuseIPDB API key (free tier: 1,000 reports/day)

Setup

  1. Create an account at abuseipdb.com and generate an API key
  2. Go to Dashboard → Integrations
  3. Click Add Integration and select AbuseIPDB
  4. Paste your API key and save

CrowdSec

The CrowdSec integration pushes attacker IPs as ban decisions to a CrowdSec LAPI (Local API) instance. When an incident resolves, Flowtriq sends each attacker IP as a ban decision so that CrowdSec bouncers across your infrastructure can block the traffic.

  • Ban duration is configurable: 1 hour, 4 hours, 12 hours, 24 hours, 3 days, or 7 days
  • Decisions include the attack scenario, origin, and scope for CrowdSec's decision engine
  • Requires a CrowdSec bouncer API key (generated with cscli bouncers add flowtriq)
  • The LAPI URL must be reachable from Flowtriq's servers (default: http://localhost:8080)
  • Fires on incident resolution to ensure only confirmed attacker IPs are banned

Setup

  1. Install CrowdSec on your infrastructure and ensure the LAPI is accessible
  2. Generate a bouncer API key: sudo cscli bouncers add flowtriq
  3. Go to Dashboard → Integrations
  4. Click Add Integration and select CrowdSec
  5. Enter your LAPI URL and bouncer API key
  6. Set the ban duration and save

Generic Webhook

The generic webhook integration sends structured JSON payloads to any HTTP endpoint when incidents are created, updated, or resolved. Payloads are signed with HMAC-SHA256 so your receiving endpoint can verify authenticity.

  • Payloads include incident metadata, attacker IPs, attack classification, peak metrics, and node details
  • The X-Flowtriq-Signature header contains the HMAC-SHA256 signature of the request body
  • Useful for SIEM integration, custom automation pipelines, Slack bots, ticketing systems, and internal dashboards
  • Supports any endpoint that accepts HTTP POST with a JSON body
  • Failed deliveries are retried up to 3 times with exponential backoff

Setup

  1. Go to Dashboard → Integrations
  2. Click Add Integration and select Webhook
  3. Enter your endpoint URL
  4. Copy the generated signing secret and use it to verify signatures on your end
  5. Optionally add custom HTTP headers (e.g., authorization tokens)
  6. Save and use the Test button to send a sample payload

Example Payload

// POST to your endpoint
{
  "event": "incident.resolved",
  "incident_id": "inc_8f3a2b...",
  "node_id": "nd_4c1e9d...",
  "attack_type": "UDP Flood",
  "severity": "high",
  "peak_pps": 847000,
  "peak_bps": 412000000,
  "duration_seconds": 142,
  "attacker_ips": ["203.0.113.10", "198.51.100.44"],
  "started_at": "2026-03-18T14:22:08Z",
  "resolved_at": "2026-03-18T14:24:30Z"
}
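
A receiver-side check for the signed webhook described above, added here as an example; it is not Flowtriq's code. It assumes the X-Flowtriq-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body (the page does not state the encoding), and the secret, the protected network and the sample body are constructed.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed values; the real secret is the one generated in the dashboard.
SIGNING_SECRET = b"example-signing-secret"
# Constructed: your own ranges, which must never be blocked on a webhook's say-so.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_BODY = json.dumps({
    "event": "incident.resolved",
    "attack_type": "UDP Flood",
    "attacker_ips": ["203.0.113.10", "198.51.100.44", "192.0.2.1", "not-an-ip"],
}).encode()


def sign(secret, body):
    """Hex HMAC-SHA256 over the raw body bytes (hex encoding is an assumption)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret, body, signature_header):
    """Return the parsed payload if the signature matches, otherwise None."""
    if not signature_header:
        return None
    expected = sign(secret, body).encode()
    supplied = signature_header.strip().lower().encode()
    # Constant-time comparison over the exact bytes received, before any parsing.
    if not hmac.compare_digest(expected, supplied):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def blockable_ips(payload):
    """Drop malformed entries and addresses inside PROTECTED_NETS."""
    result = []
    for raw in payload.get("attacker_ips", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if not any(ip in net for net in PROTECTED_NETS):
            result.append(str(ip))
    return result
```

Verify against the bytes exactly as received; re-serializing the JSON before hashing changes whitespace and key order and will not match the signature.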