ISP Abuse Auto-Notifications
Attack resolved.
Source network notified.
When a DDoS attack resolves, Flowtriq automatically sends RFC 2142/5765 compliant abuse reports to the source network operators responsible for the attacker IPs. Abuse contacts are discovered via RDAP and RIPEstat, reports are batched by ASN, rate-limited to prevent flooding, and delivery status is tracked per IP. Configurable thresholds let you control which incidents trigger notifications.
Delivery Tracking
Every report tracked from send to delivery
| Sent (UTC) | Incident | Source IP | ASN | Abuse Contact | Status |
|---|---|---|---|---|---|
| 2026-06-24 14:32:08 | a3f7c2b1 | 185.220.101.34 | AS60729 | [email protected] | Delivered |
| 2026-06-24 14:32:08 | a3f7c2b1 | 45.134.26.19 | AS60729 | [email protected] | Batched |
| 2026-06-24 14:32:10 | a3f7c2b1 | 193.42.111.8 | AS213035 | [email protected] | Sent |
| 2026-06-24 14:32:10 | a3f7c2b1 | 91.215.85.22 | AS44477 | [email protected] | Delivered |
| 2026-06-24 14:32:11 | a3f7c2b1 | 5.188.62.140 | AS49505 | [email protected] | Bounced |
| 2026-06-24 14:32:12 | a3f7c2b1 | 103.152.220.55 | AS138915 | [email protected] | Queued |
How It Works
From incident resolution to abuse inbox
When an incident resolves and meets your configured thresholds, Flowtriq ranks source IPs by traffic contribution, looks up each IP's abuse contact via RDAP and RIPEstat, batches IPs that share the same abuse contact into a single report, and sends from [email protected]. Delivery status is tracked and visible on both the incident detail page and the settings page.
RDAP/RIPEstat Contact Discovery
Automatically queries RDAP and RIPEstat APIs to find the authoritative abuse contact for each source IP. Results are cached to avoid redundant lookups.
ASN Batching
Multiple source IPs from the same ASN are grouped into a single report. One email per abuse contact, not one per IP.
Configurable Thresholds
Set minimum severity (medium, high, or critical), minimum PPS, and minimum Mbps. Only incidents that meet all thresholds trigger reports.
Rate Limiting & Deduplication
Max 10 reports per incident, top 20 source IPs, cross-incident deduplication. Operators never receive duplicate notifications for the same source.
Delivery Tracking
Per-IP delivery status is visible on the incident detail page: queued, sent, delivered, or bounced. A recent-reports log is available on the settings page.
RFC-Compliant Format
Reports follow RFC 2142/5765 conventions and include the attack type, target, timing, peak traffic, protocol breakdown, source IP list, and action requested.
Sample Report
What the source network receives
Each abuse report contains all the information a network operator needs to identify and investigate the traffic source. Reports are sent from [email protected] and include structured data for automated intake systems.
```text
To: [email protected]
Subject: Abuse report: DDoS traffic from AS60729
Attack type: UDP Amplification (DNS)
Target: 203.0.113.50
Start: 2026-06-24 14:12:04 UTC
Duration: 18 minutes
Peak: 4.2 Gbps / 3.1 Mpps
Protocol: UDP 93.2% / TCP 6.8%

Source IPs from your network (AS60729):
185.220.101.34    812 Mbps    604K pps
45.134.26.19      340 Mbps    251K pps

Action requested: Investigate and remediate
```
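As an added example (not Flowtriq's code), the following Python models the pipeline described under How It Works and produces text in the shape of the sample report above; the contact table, mailboxes and incident are constructed placeholders standing in for the RDAP/RIPEstat lookups and a real incident record.

```python
# Added example, not Flowtriq's code: a minimal model of the pipeline above
# (thresholds, rank by traffic, top-N, batch per abuse contact, cap, dedup).
from collections import defaultdict
# Constructed stand-in for RDAP/RIPEstat lookups: ip -> (asn, abuse mailbox).
ABUSE_CONTACTS = {"185.220.101.34": ("AS60729", "abuse@as60729.example"),
                  "45.134.26.19": ("AS60729", "abuse@as60729.example"),
                  "193.42.111.8": ("AS213035", "abuse@as213035.example")}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def meets_thresholds(inc, min_severity="medium", min_pps=0, min_mbps=0):
    # All three thresholds must hold before any report is generated.
    return (SEVERITY_RANK[inc["severity"]] >= SEVERITY_RANK[min_severity]
            and inc["peak_pps"] >= min_pps and inc["peak_mbps"] >= min_mbps)

def batch_reports(inc, already_reported=frozenset(), top_n=20, max_reports=10):
    """Return {abuse_mailbox: [(ip, asn, mbps, pps), ...]}, one entry per report."""
    if not meets_thresholds(inc):
        return {}
    ranked = sorted(inc["sources"], key=lambda s: s["mbps"], reverse=True)[:top_n]
    batches = defaultdict(list)
    for s in ranked:
        if s["ip"] in already_reported:   # already reported in a recent incident
            continue
        contact = ABUSE_CONTACTS.get(s["ip"])  # real code: RDAP, then RIPEstat
        if contact is None:               # no authoritative abuse contact found
            continue
        asn, mailbox = contact
        batches[mailbox].append((s["ip"], asn, s["mbps"], s["pps"]))
    # Cap reports per incident, keeping the contacts with the most traffic.
    ordered = sorted(batches.items(), key=lambda kv: -sum(r[2] for r in kv[1]))
    return dict(ordered[:max_reports])
def render_report(inc, rows):
    asn = rows[0][1]
    lines = [f"Subject: Abuse report: DDoS traffic from {asn}",
             f"Attack type: {inc['attack_type']}", f"Target: {inc['target']}",
             f"Source IPs from your network ({asn}):"]
    lines += [f"{ip} {mbps} Mbps {pps} pps" for ip, _, mbps, pps in rows]
    lines.append("Action requested: Investigate and remediate")
    return "\n".join(lines)
# Constructed incident mirroring the sample report above.
INCIDENT = {"severity": "high", "attack_type": "UDP Amplification (DNS)",
            "target": "203.0.113.50", "peak_mbps": 4200, "peak_pps": 3_100_000,
            "sources": [{"ip": "45.134.26.19", "mbps": 340, "pps": 251_000},
                        {"ip": "185.220.101.34", "mbps": 812, "pps": 604_000},
                        {"ip": "193.42.111.8", "mbps": 95, "pps": 70_000},
                        {"ip": "198.51.100.7", "mbps": 40, "pps": 30_000}]}

if __name__ == "__main__":
    for mailbox, rows in batch_reports(INCIDENT).items():
        print(f"To: {mailbox}\n{render_report(INCIDENT, rows)}\n")
```

The source with no discoverable contact (198.51.100.7) is silently dropped here; a production pipeline would record it as a failed lookup so the operator can see which networks are unreachable.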
FAQ
Common questions about abuse reports
How does Flowtriq find the right abuse contact for each source IP?
Flowtriq queries RDAP (Registration Data Access Protocol) and the RIPEstat API to look up the authoritative abuse contact for each attacker IP address. RDAP is the IETF-standard replacement for WHOIS and returns structured, machine-readable contact data. If RDAP returns no abuse contact, Flowtriq falls back to RIPEstat's abuse-contact-finder endpoint. The result is cached to avoid redundant lookups across incidents.
What information is included in each abuse report?
Each report includes the attack type and classification, the target IP address, start time (UTC), duration, peak traffic in packets per second and megabits per second, protocol breakdown, the list of source IPs observed from that network, and a clear action requested (investigate and remediate). Reports follow RFC 2142 formatting conventions and reference RFC 5765 for abuse reporting best practices.
How does rate limiting work for abuse reports?
Flowtriq enforces multiple layers of rate limiting. Each incident generates reports for at most the top 20 source IPs by traffic volume, with a maximum of 10 reports sent per incident. Source IPs are deduplicated across recent incidents so the same operator does not receive repeated reports for the same source. Multiple IPs from the same ASN are batched into a single email to that abuse contact.
Do ISPs actually respond to automated abuse reports?
Response rates vary by network operator. Large transit providers and well-run networks typically have automated intake systems that process abuse reports into tickets. Smaller or less responsive networks may not act on every report. Regardless, sending compliant abuse reports creates a documented record that the source network was notified, which is valuable for downstream escalation, legal proceedings, and demonstrating due diligence to your own customers.
Can I control which incidents trigger abuse reports?
Yes. Abuse report thresholds are fully configurable per tenant. You can set minimum severity level (medium, high, or critical), minimum packets per second, and minimum megabits per second. Only incidents that meet all configured thresholds will trigger abuse reports. You can also disable abuse reports entirely if you prefer.
Where can I see the status of sent abuse reports?
Sent abuse reports appear in two places. On the incident detail page, each source IP shows its report delivery status (queued, sent, delivered, bounced). The settings page includes a recent reports log with timestamps, recipient addresses, and delivery outcomes. Failed deliveries are flagged so you can identify networks with unreachable abuse contacts.
Related Features
Abuse reports work alongside the full detection stack