How Flowtriq works
Flowtriq detects DDoS attacks in under one second by sampling kernel-level traffic on each server, classifies them across 7 attack families, and executes mitigation automatically through on-node firewall rules, BGP announcements, and cloud scrubbing orchestration. This page documents the detection pipeline, mitigation engine, integrations, and deployment models.
Architecture
System overview
Flowtriq is a two-component system: a lightweight agent (ftagent) on each server and a cloud-hosted dashboard that aggregates, correlates, and controls.
Detection Pipeline
From packet to detection in under 1 second
Detection sequence
ftagent reads PPS/BPS from /proc/net/dev every second. Zero sampling loss. Protocol breakdown (TCP/UDP/ICMP) and connection count are recorded simultaneously. For flow sources, sFlow v5 (port 6343), NetFlow v5/v9 (port 2055), and IPFIX (port 4739) are ingested natively.
L7 HTTP Flood Detection
In addition to kernel-level L3/L4 detection, ftagent monitors web server access logs (nginx, Apache, Caddy, LiteSpeed, HAProxy) for HTTP flood patterns. L7 detection identifies application-layer attacks that may not appear as PPS/BPS anomalies because they use normal-sized HTTP requests at high volume.
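The following is an added example of the kind of per-client sliding-window check described above, written for this page and not taken from ftagent. It parses combined-format access log lines (nginx/Apache style), keeps a per-client window of request times, and raises one alert when a client crosses a request threshold inside that window. The log lines, the 10-second window, the 50-request threshold and the IP addresses are all constructed for the demonstration.

```python
"""Sliding-window HTTP flood detector over nginx/Apache combined-format
access log lines. Added example, not Flowtriq's code; the log lines are
constructed, and the window/threshold values are this example's own.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class HttpFloodDetector:
    """Flag a client once it issues >= threshold requests within window_s."""

    def __init__(self, window_s: int = 10, threshold: int = 50):
        self.window_s = window_s
        self.threshold = threshold
        self.hits = defaultdict(deque)   # client ip -> request epoch times
        self.flagged = set()             # alert once per client per run

    def observe(self, line: str):
        m = LOG_RE.match(line)
        if not m:
            return None                  # not an access-log line we understand
        ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
        ip = m["ip"]
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.flagged:
            self.flagged.add(ip)
            return {"ip": ip, "requests": len(q), "window_s": self.window_s,
                    "path": m["path"]}
        return None


def _log_line(ip: str, second: int, path: str = "/") -> str:
    """Constructed combined-format line at 10/Oct/2024 13:55:<second> UTC."""
    return (f'{ip} - - [10/Oct/2024:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0"')


def constructed_log() -> list:
    """60 ordinary-sized GETs from one client in 3 s (the flood pattern the
    page describes) interleaved with a handful from a normal visitor."""
    lines = [_log_line("203.0.113.7", 36 + i // 20, "/login") for i in range(60)]
    lines += [_log_line("198.51.100.20", 36 + i, "/index.html") for i in range(5)]
    return sorted(lines, key=lambda l: LOG_RE.match(l)["ts"])


def run_demo() -> list:
    """Run the detector over the constructed log; returns the alerts raised."""
    det = HttpFloodDetector(window_s=10, threshold=50)
    return [a for a in map(det.observe, constructed_log()) if a]
```

Because the request bodies and status codes are unremarkable, nothing here would register as a PPS/BPS anomaly; only the per-client rate gives it away. A per-client window does not catch a flood spread thinly across many sources, so a production detector would keep a second window keyed on path or on the whole vhost alongside this one.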
Mitigation Pipeline
What happens after detection
Mitigation executes at two levels: on-node (firewall rules on the server itself) and network-level (BGP FlowSpec, RTBH, cloud scrubbing). Both can be configured per attack profile.
On-node mitigation
ftagent executes firewall commands directly on the server. Automated mitigation across 7 groups:
| Group | Example actions |
|---|---|
| iptables | Rate-limit, drop, reject, SYN cookies, hashlimit, connlimit |
| ipset | Bulk IP blocking via hash:ip sets |
| nftables | Drop, rate-limit, set-based filtering |
| ufw / firewalld / CSF | Deny rules via native firewall interface |
| tc | Bandwidth shaping (traffic control) |
| Null routing | Local blackhole route |
| XDP/eBPF | Kernel-bypass packet filtering |
Every rule is previewed before execution, logged in the audit trail, and automatically rolled back when the incident resolves. Collateral damage detection triggers auto-rollback when legitimate traffic drops more than 90%.
BGP mitigation (4-level auto-escalation)
The BGP engine selects the mitigation level based on attack volume and escalates automatically:
| Level | Action | Default trigger |
|---|---|---|
| 1 | FlowSpec rate-limit | >100 Mbps |
| 2 | FlowSpec drop | >500 Mbps |
| 3 | RTBH blackhole | >2 Gbps |
| 4 | Cloud scrubbing divert | >5 Gbps |
Detection to BGP announcement: under 2 seconds. IPv4 and IPv6 FlowSpec supported. RPKI validation runs before every announcement. Rules auto-expire after 5 minutes (configurable TTL). Maximum 200 concurrent rules per tenant.
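To make the escalation table, the 5-minute TTL and the 200-rule cap concrete, here is an added example (not Flowtriq's BGP engine) of a small rule table that picks the level from measured attack volume, refreshes or escalates an existing rule for the same prefix, expires rules by TTL, and refuses a new rule once a tenant is at the cap. The data structure, the escalate-only behaviour within a rule's lifetime, and the injectable clock are this example's own design; RPKI validation and the actual BGP speaker calls are out of scope here.

```python
"""Escalation-level selection plus TTL expiry and a per-tenant cap for
FlowSpec/RTBH rules, modelled on the table above. Added example, not
Flowtriq's BGP engine: the data structure, the escalate-only behaviour
within a rule's lifetime and the injectable clock are this example's own.
"""
from __future__ import annotations
import time

# (level, action, trigger_mbps) from the escalation table, highest first
ESCALATION = [
    (4, "cloud-scrub-divert", 5000),
    (3, "rtbh-blackhole", 2000),
    (2, "flowspec-drop", 500),
    (1, "flowspec-rate-limit", 100),
]
DEFAULT_TTL_S = 300            # rules auto-expire after 5 minutes
MAX_RULES_PER_TENANT = 200


class RuleLimitExceeded(Exception):
    pass


def select_level(attack_mbps: float) -> tuple:
    """Highest level whose trigger the measured volume exceeds (0 = none)."""
    for level, action, trigger in ESCALATION:
        if attack_mbps > trigger:
            return level, action
    return 0, "none"


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TenantRuleTable:
    def __init__(self, ttl_s=DEFAULT_TTL_S, max_rules=MAX_RULES_PER_TENANT,
                 clock=time.monotonic):
        self.ttl_s = ttl_s
        self.max_rules = max_rules
        self.clock = clock
        self.rules: dict = {}          # (tenant, prefix) -> rule dict

    def expire(self) -> list:
        """Withdraw every rule whose TTL has elapsed; return what was withdrawn."""
        now = self.clock()
        gone = [r for r in self.rules.values() if r["expires_at"] <= now]
        for r in gone:
            del self.rules[(r["tenant"], r["prefix"])]
        return gone

    def active_count(self, tenant: str) -> int:
        self.expire()
        return sum(1 for (t, _) in self.rules if t == tenant)

    def announce(self, tenant: str, prefix: str, attack_mbps: float):
        """Install or escalate the rule for prefix; None if below level 1."""
        self.expire()
        level, action = select_level(attack_mbps)
        if level == 0:
            return None
        key = (tenant, prefix)
        now = self.clock()
        current = self.rules.get(key)
        if current is not None:
            # Refresh the TTL; only replace the action when the level goes up.
            if level > current["level"]:
                current.update(level=level, action=action)
            current["expires_at"] = now + self.ttl_s
            return current
        if self.active_count(tenant) >= self.max_rules:
            raise RuleLimitExceeded(f"{tenant}: {self.max_rules} rules already active")
        rule = {"tenant": tenant, "prefix": prefix, "level": level,
                "action": action, "expires_at": now + self.ttl_s}
        self.rules[key] = rule
        return rule
```

The cap check only runs for a new prefix; re-announcing a prefix that already has a rule refreshes it without consuming a slot, so a long-running attack on one target cannot starve the tenant of rules for others. A `RuleLimitExceeded` is the point at which an operator alert, rather than silent dropping of the request, is the right behaviour.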
BGP adapters
- ExaBGP
- GoBGP
- BIRD 2
- FRRouting (FRR)
- Cloudflare Magic Transit
- Radware
- F5
- Generic webhook
Integrations
Integrations matrix
| Category | Integrations | Notes |
|---|---|---|
| Alert channels | Discord, Slack, PagerDuty, OpsGenie, Telegram, Microsoft Teams, Email, SMS, Custom webhooks, Grafana, Datadog, Prometheus | Alerts wherever your NOC works. Fire within 1 second. Webhooks signed with HMAC-SHA256. |
| BGP speakers | ExaBGP, GoBGP, BIRD 2, FRRouting, Cloudflare, Radware, F5, Webhook | 8 adapters. FlowSpec + RTBH. |
| Cloud scrubbing | Cloudflare Magic Transit, OVH VAC, Hetzner, AWS Shield Advanced, Cloudflare WAF, DigitalOcean, Vultr, Linode/Akamai, Webhook | 9 providers. Auto-activate and auto-withdraw. |
| Flow collection | sFlow v5, NetFlow v5/v9, IPFIX | Native ingestion. No third-party collectors needed. |
| SIEM | Splunk HEC, Elasticsearch, Microsoft Sentinel, Datadog, Syslog CEF, Wazuh, MISP, Suricata, Zeek | Structured telemetry export. |
| API & automation | REST API, Terraform provider, Prometheus /metrics, Kafka export | Full CRUD. Bearer token auth. |
| IP reputation | AbuseIPDB, CrowdSec | Automatic reporting and enrichment. |
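The alert-channel row states that webhooks are signed with HMAC-SHA256 but does not document the header names or exactly what is signed. The receiver-side check below is an added example written for this page, not Flowtriq's code or its documented webhook format: the header names `X-Webhook-Signature` and `X-Webhook-Timestamp`, the `<timestamp>.<raw body>` signed string and the 5-minute freshness window are this example's assumptions. What it does show is the part that matters regardless of format: verify over the raw body bytes, compare in constant time, and reject stale deliveries.

```python
"""Receiver-side verification for an HMAC-SHA256-signed webhook. Added
example, not Flowtriq's code: header names, the signed-string layout and
the freshness window are assumptions made for this illustration.
"""
from __future__ import annotations
import hashlib
import hmac
import time

SIG_HEADER = "X-Webhook-Signature"     # assumed header name
TS_HEADER = "X-Webhook-Timestamp"      # assumed header name
TOLERANCE_S = 300                      # reject deliveries older than 5 min


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """sha256=<hex HMAC over '<timestamp>.<raw body>'>.

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed later under a fresh timestamp header.
    """
    msg = timestamp.encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: float | None = None) -> bool:
    """True only if the timestamp is fresh and the signature matches.

    Verify over the raw request body bytes: re-serialising parsed JSON
    changes whitespace and key order and breaks the MAC.
    """
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_S:
        return False                      # stale or replayed delivery
    expected = compute_signature(secret, ts, body)
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def build_delivery(secret: bytes, body: bytes, now: float) -> dict:
    """Sender side, used here only to produce a signed delivery to test."""
    ts = str(int(now))
    return {TS_HEADER: ts, SIG_HEADER: compute_signature(secret, ts, body)}
```

Keep the shared secret per integration, so a leaked secret for one receiver does not let anyone forge alerts to another, and treat a failed verification as a 4xx with no body detail, so the response does not help anyone probe the check.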
Deployment
Deployment models
| Model | How it works | Best for | Pricing |
|---|---|---|---|
| Per-server agent | Install ftagent on each Linux server. Kernel-level detection, zero sampling, local mitigation. | Hosting providers, game hosts, SaaS, bare metal, cloud VMs | $9.99/node/month |
| Flow source | Point router sFlow/NetFlow/IPFIX at ftagent. Network-wide visibility from router-level telemetry. | ISPs, carriers, operators with centralized routing infrastructure | From $19/source/month |
| Mirror/SPAN mode | Connect to a switch SPAN port. Per-IP baselines across an entire network segment from one monitoring point. | Operators who want per-IP detection without per-server agent installs | From $49/source/month |
| ftagent-lite (free) | CLI-only PPS/BPS monitor. No dashboard, alerts, or mitigation. JSON output for scripting. | Lightweight traffic visibility, scripting, evaluation | Free / open-source |
All models can be combined. A typical ISP deployment uses per-server agents on critical infrastructure, flow sources from core routers, and Mirror Mode on customer-facing switches.
Data Privacy
What data leaves the server
Sent to Flowtriq dashboard
- PPS, BPS, protocol breakdown, connection count (every second)
- Detection events (attack type, severity, confidence, source IPs)
- PCAP files (on incident resolution, up to 10,000 packets)
- Mitigation rule execution results
- Agent heartbeat and version info
Stays on the server
- Full packet payloads (only ring buffer capture is uploaded)
- Application data, file contents, user data
- System logs, configuration files
- Firewall rule state (managed locally by ftagent)
- Offline retry queue contents (synced only when reconnected)
All communication between ftagent and the dashboard is encrypted with TLS. API key authentication. No third-party data sharing. See the security page for full details.
FAQ
Technical questions
How does Flowtriq detect attacks?
ftagent reads PPS/BPS from the Linux kernel every second via /proc/net/dev. It builds a dynamic baseline using a 300-sample sliding window with p99 percentile calculation (recalculated every 10 ticks) and triggers detection when traffic exceeds 3x the p99 rolling PPS. Detection latency is under 1 second.
What data leaves the server?
Metrics (PPS, BPS, protocol breakdown, connection count) are sent to the Flowtriq dashboard every second over TLS. PCAP files are uploaded on incident resolution. Raw packet payloads are not streamed; only the ring buffer capture is uploaded per incident.
Does Flowtriq need root access?
Yes. ftagent requires root to read kernel-level network stats, execute firewall rules (iptables, nftables, XDP), and capture packets for PCAPs. It runs as a system service.
How long does baseline learning take?
Approximately 5 minutes. The baseline uses a 300-sample sliding window with p99 percentile calculation (one sample per second, recalculated every 10 ticks). Within 5 minutes the baseline converges to the node's normal traffic pattern.
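The detection sequence in the Detection Pipeline section and the two FAQ answers above describe one path: read cumulative counters from /proc/net/dev once a second, turn them into PPS, and compare each sample against the p99 of a 300-sample sliding window, recalculated every 10 ticks, with 3x p99 as the trigger. The following is an added example of that path, written for this page rather than taken from ftagent. The /proc/net/dev snapshots and the warm-up traffic are constructed; the nearest-rank percentile, the choice to keep flagged samples out of the baseline window, and the full-window warm-up before alerting are this example's own decisions, not behaviour the page attributes to Flowtriq.

```python
"""End-to-end sketch of the L3/L4 detection path described on this page:
read cumulative counters from /proc/net/dev once per second, turn them
into PPS, and compare against a p99 baseline over a 300-sample window.

Added example, not Flowtriq's code. Constructed snapshots stand in for
the live /proc/net/dev; excluding flagged samples from the baseline is
this example's own choice, not something the page states.
"""
from __future__ import annotations
import math
from collections import deque


def parse_proc_net_dev(text: str) -> dict:
    """Map interface name -> (rx_bytes, rx_packets) cumulative counters.

    Data lines look like '  eth0: <rx bytes> <rx packets> ...' with 16
    numeric columns. Header lines contain no ':' and are skipped; on busy
    interfaces the ':' can be followed directly by a digit, so split on it
    rather than on whitespace.
    """
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            continue  # malformed line: skip rather than crash the sampler
        counters[name.strip()] = (int(fields[0]), int(fields[1]))
    return counters


def rx_pps(prev: dict, curr: dict, iface: str, interval_s: float = 1.0) -> float:
    """Inbound packets per second on iface between two snapshots.

    Counters are cumulative, so an interface reset or counter wrap shows
    up as a negative delta; clamp it to zero instead of alerting on it.
    """
    delta = curr[iface][1] - prev[iface][1]
    return max(delta, 0) / interval_s


def nearest_rank_percentile(values, p: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(p*n) in sorted order."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


class PpsBaseline:
    """Sliding-window p99 baseline; trips when a sample exceeds 3x p99."""

    def __init__(self, window=300, recalc_every=10, multiplier=3.0,
                 percentile=0.99, warmup=300):
        self.samples = deque(maxlen=window)
        self.recalc_every = recalc_every
        self.multiplier = multiplier
        self.percentile = percentile
        self.warmup = warmup      # samples needed before alerting (~5 min at 1/s)
        self.tick = 0
        self.p99 = None

    def observe(self, pps: float) -> bool:
        """Feed one per-second sample; return True if it is anomalous."""
        self.tick += 1
        warmed = len(self.samples) >= self.warmup
        anomalous = warmed and self.p99 is not None and pps > self.multiplier * self.p99
        if not anomalous:
            self.samples.append(pps)   # keep attack samples out of the baseline
        if self.samples and (self.p99 is None or self.tick % self.recalc_every == 0):
            self.p99 = nearest_rank_percentile(self.samples, self.percentile)
        return anomalous


# Constructed snapshots one second apart: eth0 received 60,000 more packets.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234567    8901    0    0    0     0          0         0  1234567    8901    0    0    0     0       0          0
  eth0: 98765432  123456    0    0    0     0          0         0 12345678   98765    0    0    0     0       0          0
"""
SNAP_T1 = SNAP_T0.replace("98765432  123456", "102365432 183456")


def run_demo() -> dict:
    """Warm the baseline with 300 constructed normal samples (~5k pps),
    then feed the spike measured from the two snapshots."""
    baseline = PpsBaseline()
    normal = [5000 + (i * 37) % 400 for i in range(300)]   # constructed traffic
    warmup_alerts = sum(baseline.observe(s) for s in normal)
    spike = rx_pps(parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1), "eth0")
    return {"warmup_alerts": warmup_alerts, "p99": baseline.p99,
            "spike_pps": spike, "alert": baseline.observe(spike)}
```

Keeping flagged samples out of the window is what stops a sustained attack from lifting the baseline until it stops triggering; the cost is that a genuine, permanent traffic increase of more than 3x keeps alerting until an operator re-baselines, which is the trade-off any threshold-on-baseline detector has to make explicit.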
Can I use flow sources and agents together?
Yes. Per-node agents provide kernel-level detection on individual servers. Flow sources (sFlow, NetFlow, IPFIX) provide network-wide visibility from routers. They complement each other: agents see everything that reaches the server; flow sources see everything passing through the router.
What happens if the agent loses connectivity?
ftagent has a 2,000-event offline retry queue. Detection and local mitigation (firewall rules) continue independently. Events are synced to the dashboard when connectivity is restored.
14-day free trial. Every feature included. No credit card required.