Documentation | Flowtriq DDoS Detection API & Agent Setup
Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
1-Second Detection
Know the instant traffic spikes. PPS checked every second.
Attack Classification
Identifies 8 attack types with protocol-level confidence scores.
Node Firewall Rules
Per-server iptables, null-routes, CDN rules & scripts.
Cloud Scrubbing
Auto-divert to Cloudflare, OVH, or Hetzner on attack detection.
BGP Mitigation
Auto-deploy FlowSpec, RTBH blackhole & rate-limiting via BGP.
Multi-Channel Alerts
Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks.
PCAP Capture
Full packet capture with AI-powered forensic analysis.
Layer 7 Detection
HTTP flood, credential stuffing, API abuse & bot detection.
Automated Runbooks
Chain mitigation steps into automated incident response playbooks.
Analytics Baselines Threat Intel & IOC Multi-Node Status Pages Correlation Audit Log Attack Profiles Flow Collection
Learn
Documentation Quick Start API Reference Agent Setup DDoS Protection Landscape State of DDoS 2026 REPORT Free Certifications NEW
Research & Guides
Mirai Botnet Kill Switch Research memcached Amplification Dynamic Baselines PCAP Forensics PagerDuty Setup
Company
About Us Partners Whitelabel / Reseller Affiliate Program Pay with Crypto System Status
Legal & Support
Contact Us Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

Talk to Us →
Infrastructure
Hosting Providers ISPs MSPs/MSSPs Small Operators Routers Edge Node Defense
Gaming
Game Server Hosting Game Studios
Business
SaaS Platforms E-Commerce Financial Services Compliance NEW
Docs/Webhooks

Webhook Reference

When you configure a Webhook notification channel, Flowtriq sends HTTP POST requests to your URL on every incident event.

Event Types

EventTrigger
attack_startNew incident opened - attack detected
attack_updateOngoing attack - peak PPS/BPS updated
attack_endAttack resolved (manual or auto)
testManual test from the dashboard

Payload Format

// POST to your webhook URL // Content-Type: application/json // X-Flowtriq-Signature: sha256=abc123... { "event_type": "attack_start", "timestamp": "2025-03-10T14:22:00Z", "incident": { "id": 147, "uuid": "d4e5f6a7-b8c9-...", "title": "UDP Flood on web-prod-1", "attack_family": "udp_flood", "severity": "critical", "peak_pps": 2450000, "peak_bps": 1547000000, "source_ip_count": 8429, "started_at": "2025-03-10T14:22:00Z", "ai_summary": "A large 1.4 Gbps UDP flood from 8,429 source IPs...", "dashboard_url": "https://flowtriq.com/dashboard/incident?id=147" }, "node": { "id": 1, "name": "web-prod-1", "ip_address": "203.0.113.10" } }

HMAC-SHA256 Signature Verification

If you set a webhook secret, Flowtriq signs every payload with HMAC-SHA256. The signature is in the X-Flowtriq-Signature header.

Python

import hmac, hashlib def verify_signature(payload_body, signature_header, secret): expected = 'sha256=' + hmac.new( secret.encode(), payload_body, hashlib.sha256 ).hexdigest() return hmac.compare_digest(expected, signature_header)

Node.js

const crypto = require('crypto'); function verifySignature(body, signatureHeader, secret) { const expected = 'sha256=' + crypto .createHmac('sha256', secret) .update(body) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(expected), Buffer.from(signatureHeader) ); }

PHP

$expected = 'sha256=' . hash_hmac('sha256', $payload_body, $secret); $valid = hash_equals($expected, $_SERVER['HTTP_X_FLOWTRIQ_SIGNATURE']);

Go

mac := hmac.New(sha256.New, []byte(secret)) mac.Write([]byte(payloadBody)) expected := "sha256=" + hex.EncodeToString(mac.Sum(nil)) valid := hmac.Equal([]byte(expected), []byte(signatureHeader))

Retry Policy

  • Flowtriq retries failed webhook deliveries up to 3 times
  • Retry intervals: 10 seconds, 60 seconds, 5 minutes
  • A delivery is considered failed if your endpoint returns a non-2xx status code or times out (10 second timeout)
  • Failed deliveries are logged in the notification log on the incident detail page