
Correlation

Incident Correlation

When the same attack hits multiple nodes, Flowtriq automatically groups related incidents together. See the full blast radius, respond once, and track the campaign as a single event.

Correlation Engine: Auto
Correlation Window: 5 min
Group Visibility: Unified

How It Works

Automatic incident grouping

When a new incident is detected, Flowtriq checks whether any other active incident in your workspace shares the same attack family and occurred within the last 5 minutes. If a match is found, both incidents are grouped into an incident group with a unified title listing all affected nodes.

Automatic Grouping

No manual tagging required. When a UDP flood hits Node A and the same attack type appears on Node B within 5 minutes, they are automatically linked into a multi-node group.

Unified Dashboard View

Incident groups appear above your incidents list with expandable member details. See all affected nodes, combined peak PPS, and group status at a glance.

Auto-Resolve

When all member incidents in a group are resolved, the group automatically closes. No manual cleanup required.

Cross-Reference

Each incident detail page shows a banner linking to its group and all sibling incidents. Jump between related attacks instantly.

Correlation Flow

From detection to grouping

Attack Hits Node A

Incident created with attack family, source IPs, and timing data.

Engine Checks Window

Same family + overlapping source IPs + within 5 minutes = correlated.

Group Created

Both incidents linked. Alerts fire once for the group, not per-node.
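The grouping logic described above (same attack family, overlapping source IPs, start times within the 5-minute window, one alert per group, auto-resolve when every member is resolved), written out as a small in-memory engine. This is an added illustration in Python, not Flowtriq's code; the Incident and IncidentGroup shapes, the alert strings and the scenario data are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WINDOW_SECONDS = 300  # the 5-minute correlation window described above


@dataclass
class Incident:
    id: str
    node: str
    family: str                  # attack family, e.g. "udp_flood"
    source_ips: frozenset        # offending source IPs seen by this node
    started_at: int              # epoch seconds
    peak_pps: int
    resolved: bool = False
    group_id: Optional[str] = None


@dataclass
class IncidentGroup:
    id: str
    family: str
    members: List[Incident] = field(default_factory=list)

    @property
    def title(self) -> str:
        # unified title listing every affected node
        return f"{self.family} on {', '.join(sorted(m.node for m in self.members))}"

    @property
    def combined_peak_pps(self) -> int:
        return sum(m.peak_pps for m in self.members)

    @property
    def shared_source_ips(self) -> frozenset:
        return frozenset.intersection(*(m.source_ips for m in self.members))

    @property
    def status(self) -> str:
        # auto-resolve: the group closes once every member incident is resolved
        return "resolved" if all(m.resolved for m in self.members) else "active"


class CorrelationEngine:
    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.incidents: List[Incident] = []
        self.groups: Dict[str, IncidentGroup] = {}
        self.alerts: List[str] = []  # what would be sent to Slack/email/webhook

    def _find_match(self, inc: Incident) -> Optional[Incident]:
        """Newest active incident on another node with the same family,
        at least one shared source IP, and a start time inside the window."""
        candidates = [
            other for other in self.incidents
            if not other.resolved
            and other.node != inc.node
            and other.family == inc.family
            and abs(inc.started_at - other.started_at) <= self.window
            and other.source_ips & inc.source_ips
        ]
        return max(candidates, key=lambda o: o.started_at, default=None)

    def ingest(self, inc: Incident) -> Optional[IncidentGroup]:
        """Register a new incident; returns the group it joined, if any."""
        match = self._find_match(inc)
        self.incidents.append(inc)
        if match is None:
            self.alerts.append(f"[{inc.node}] {inc.family}")  # standalone incident
            return None
        if match.group_id is None:
            gid = f"grp-{len(self.groups) + 1}"
            group = IncidentGroup(id=gid, family=inc.family, members=[match])
            match.group_id = gid
            self.groups[gid] = group
            new_group = True
        else:
            group = self.groups[match.group_id]
            new_group = False
        group.members.append(inc)
        inc.group_id = group.id
        if new_group:
            # one alert per campaign: it fires when the group forms; later
            # members join without generating a per-node alert
            self.alerts.append(f"[group {group.id}] {group.title}")
        return group

    def resolve(self, incident_id: str) -> None:
        for inc in self.incidents:
            if inc.id == incident_id:
                inc.resolved = True


def demo() -> CorrelationEngine:
    """Constructed scenario: a UDP flood sweeps node-a and node-b; the other
    incidents stay standalone (other family, no shared IPs, or window expired)."""
    eng = CorrelationEngine()
    eng.ingest(Incident("i1", "node-a", "udp_flood",
                        frozenset({"198.51.100.7", "203.0.113.9"}), 1000, 100_000))
    eng.ingest(Incident("i2", "node-b", "udp_flood",
                        frozenset({"203.0.113.9", "203.0.113.10"}), 1060, 80_000))
    eng.ingest(Incident("i3", "node-c", "syn_flood",
                        frozenset({"203.0.113.9"}), 1120, 50_000))       # other family
    eng.ingest(Incident("i4", "node-e", "udp_flood",
                        frozenset({"192.0.2.5"}), 1150, 20_000))         # no shared IPs
    eng.ingest(Incident("i5", "node-d", "udp_flood",
                        frozenset({"198.51.100.7"}), 1400, 30_000))      # window expired
    return eng
```

In the constructed run only i1 and i2 end up in a group; i5 shares a source with i1 but arrives 400 seconds later, so the window check keeps it standalone, which is the behaviour to watch for when an attacker paces a sweep slower than the correlation window.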

Why It Matters

See the full campaign

Multi-node attacks are increasingly common. Attackers target whole infrastructures, not just individual servers. Without correlation, your team investigates each incident separately and misses the bigger picture.

With incident correlation, you see the full campaign: which nodes were hit, in what order, and with what combined volume. This enables faster escalation decisions and more accurate impact assessment for post-incident reports.

Multi-Node Visibility

See every node affected by a coordinated attack in one view. Know instantly whether the attacker is targeting a single server or sweeping your entire fleet.

Alert Deduplication

Get one alert per attack campaign, not one per node. When 10 servers are hit simultaneously, your Slack channel sees one grouped notification with the full blast radius.

Combined Metrics

Aggregate peak PPS, total bandwidth, and source IP overlap across all group members. Understand the true scale of coordinated attacks.

Post-Incident Reports

Generate reports that capture the full multi-node campaign. Timeline, affected nodes, combined impact, shared source IPs, all in one document.

Cross-Layer

L7 Cross-Layer Correlation

When an L7 HTTP flood is detected from the access log, Flowtriq cross-references the attacking source IPs against recent L3/L4 incidents from the same workspace. If the same IPs appear in both network-layer and application-layer attacks, the incidents are linked for unified analysis.

This reveals multi-layer campaigns where attackers combine volumetric floods with targeted HTTP requests, giving you the complete attack picture across protocol layers.
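The cross-layer step above in code: parse an access log, flag sources that exceed a request-rate threshold (the L7 flood), then intersect those sources with the source IPs of recent L3/L4 incidents. This is an added Python example, not Flowtriq's implementation; the log lines, the L3/L4 incident records, the 30-requests-per-minute threshold and the 15-minute lookback are all constructed or assumed values.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Common log format as written by Apache/Nginx; only the needed fields are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime.strptime("10/Mar/2026:12:00:00 +0000", TS_FMT)


def build_sample_log() -> list:
    """Constructed access-log lines: two bursty sources and one normal client."""
    def line(ip, offset, req, status):
        ts = (BASE + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req}" {status} 512'
    lines = [line("203.0.113.9", i, "GET /login HTTP/1.1", 200) for i in range(50)]
    lines += [line("198.51.100.7", i, "POST /login HTTP/1.1", 401) for i in range(40)]
    lines += [line("192.0.2.44", 20 * i, "GET / HTTP/1.1", 200) for i in range(3)]
    lines.append("garbage line that does not parse")  # malformed input must not crash the parser
    return lines


def parse_log(lines):
    """Return (timestamp, source_ip) for every well-formed line; skip the rest."""
    events = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    return events


def detect_http_flood(events, window_s=60, threshold=30):
    """Source IPs exceeding `threshold` requests in the trailing window."""
    if not events:
        return {}
    newest = max(ts for ts, _ in events)
    cutoff = newest - timedelta(seconds=window_s)
    counts = Counter(ip for ts, ip in events if ts >= cutoff)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cross_reference(l7_sources, l3l4_incidents, detected_at, lookback_s=900):
    """Link the L7 flood to recent L3/L4 incidents that share source IPs."""
    cutoff = detected_at - timedelta(seconds=lookback_s)
    links = []
    for inc in l3l4_incidents:
        if inc["seen_at"] < cutoff:
            continue  # too old to belong to the same campaign
        shared = set(l7_sources) & inc["source_ips"]
        if shared:
            links.append({"incident": inc["id"], "node": inc["node"],
                          "family": inc["family"], "shared_ips": sorted(shared)})
    return links


# Constructed L3/L4 incidents from the same workspace.
L3L4_INCIDENTS = [
    {"id": "i1", "node": "node-a", "family": "udp_flood",
     "source_ips": {"203.0.113.9", "203.0.113.10"}, "seen_at": BASE - timedelta(minutes=5)},
    {"id": "i2", "node": "node-b", "family": "syn_flood",
     "source_ips": {"198.51.100.7"}, "seen_at": BASE - timedelta(minutes=30)},  # outside lookback
    {"id": "i3", "node": "node-c", "family": "udp_flood",
     "source_ips": {"192.0.2.99"}, "seen_at": BASE - timedelta(minutes=1)},     # no shared IPs
]


def demo():
    events = parse_log(build_sample_log())
    flood = detect_http_flood(events)
    detected_at = max(ts for ts, _ in events)
    return flood, cross_reference(flood, L3L4_INCIDENTS, detected_at)
```

Two sources are flagged at the application layer, but only i1 is linked: i2 shares an IP yet falls outside the lookback, and i3 is recent but shares nothing, so the linkage needs both the time bound and the IP overlap.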

FAQ

Common questions about correlation

What is DDoS incident correlation?

Correlation automatically groups related attacks across multiple nodes into a single incident when they share timing windows, source IP overlap, or attack signatures. This gives a unified view of distributed attacks instead of hundreds of separate single-node alerts.

How does correlation detect carpet bombing?

Carpet bombing spreads traffic across many destination IPs to stay under per-node thresholds. Correlation detects the aggregate pattern by cross-referencing source IPs and timing across all nodes, triggering even when no individual node crosses its own threshold.
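How aggregate detection catches what per-node thresholds miss, as an added Python example (not Flowtriq's detector): every node sees a rate well under its own threshold, but summing each source's rate across the workspace, and counting how many nodes it touches, crosses a fleet-wide threshold. The samples, the 50k and 120k pps thresholds and the 60-second window are constructed for the illustration.

```python
from collections import defaultdict

NODE_THRESHOLD_PPS = 50_000    # per-node trigger (assumed value)
FLEET_THRESHOLD_PPS = 120_000  # aggregate per-source trigger across the workspace (assumed)
WINDOW_S = 60

# Constructed per-node flow samples: (node, epoch_seconds, source_ip, pps).
# One source sends 30k pps to each of five nodes: under every per-node threshold,
# 150k pps in aggregate. Ordinary client traffic and one stale sample are mixed in.
SAMPLES = [("node-a", 400, "203.0.113.9", 40_000)]  # stale, outside the window
for _i, _node in enumerate(["node-a", "node-b", "node-c", "node-d", "node-e"]):
    SAMPLES.append((_node, 990, "203.0.113.9", 30_000))
    SAMPLES.append((_node, 995, f"192.0.2.{_i + 1}", 5_000))  # ordinary clients


def in_window(samples, now, window_s=WINDOW_S):
    """Keep only samples whose timestamp falls inside the trailing window."""
    return [s for s in samples if now - window_s <= s[1] <= now]


def per_node_alerts(samples, threshold=NODE_THRESHOLD_PPS):
    """Nodes whose own inbound rate crosses the per-node threshold."""
    totals = defaultdict(int)
    for node, _, _, pps in samples:
        totals[node] += pps
    return sorted(n for n, t in totals.items() if t >= threshold)


def carpet_bomb_alerts(samples, threshold=FLEET_THRESHOLD_PPS, min_nodes=2):
    """Sources whose rate summed across all nodes crosses the fleet threshold
    while hitting at least `min_nodes` distinct nodes."""
    pps_by_src = defaultdict(int)
    nodes_by_src = defaultdict(set)
    for node, _, src, pps in samples:
        pps_by_src[src] += pps
        nodes_by_src[src].add(node)
    return {
        src: {"pps": pps_by_src[src], "nodes": sorted(nodes_by_src[src])}
        for src in pps_by_src
        if pps_by_src[src] >= threshold and len(nodes_by_src[src]) >= min_nodes
    }


def demo(now=1000):
    recent = in_window(SAMPLES, now)
    return per_node_alerts(recent), carpet_bomb_alerts(recent)
```

With the window applied, no node alerts on its own while the fleet-level check fires for the one source spread across all five nodes; without the window, the stale 40k sample would push node-a over its local threshold, which is why the time bound belongs in both checks.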

Does correlation work across different data centers?

Yes. Correlation works across any nodes in your workspace regardless of physical location, network, or cloud provider.

How does correlation handle multi-vector attacks?

When an attacker combines multiple attack types (e.g., UDP flood + SYN flood + HTTP flood) against the same infrastructure, correlation groups all related incidents by timing window and source IP overlap regardless of attack family. You see the full multi-vector campaign as one coordinated event.

Does correlation work across different cloud providers?

Yes. Correlation operates at the workspace level and is provider-agnostic. Nodes on AWS, bare metal, DigitalOcean, and on-prem infrastructure all participate in the same correlation engine as long as they belong to the same workspace.

How does alert deduplication work with correlated incidents?

When incidents are grouped, alerts fire once for the group instead of once per node. Your Slack, email, or webhook channel receives a single notification listing all affected nodes and combined metrics, rather than separate alerts for each server.

Is there a minimum number of nodes required for correlation?

Correlation activates with as few as two nodes. If only one node is attacked, it is treated as a standalone incident. The moment a second node reports the same attack family within the 5-minute window, both are grouped automatically.

Get Started

See the Full Picture

Detect multi-node campaigns automatically. Start your free trial and deploy across your infrastructure.
