Detection, Mitigation & Response
Last updated: June 14, 2026

What Flowtriq does when an attack hits

When Flowtriq detects a DDoS attack, here is exactly what happens, depending on your environment. Every action is automatic, audited, and reversible.

Incident Timeline

From first anomalous packet to mitigation

  • 0.0s  Anomaly: PPS exceeds 3x the 99th-percentile baseline
  • < 1.0s  Detection: incident created, attack classified, ring buffer frozen
  • < 1.0s  Alerts: Discord, Slack, PagerDuty, SMS and webhooks fire
  • < 1.0s  On-node rules: iptables, nftables, XDP/eBPF rules execute on the server
  • < 2.0s  BGP: FlowSpec or RTBH announcement to BGP speakers
  • Auto  Escalation: volume-based escalation through 4 BGP levels

Mitigation Matrix

Actions by environment

The table below shows what mitigation actions Flowtriq takes in each deployment environment. All actions are configurable via Attack Profiles.

Bare-metal Linux
  • On-node action: iptables/nftables rate-limit or drop by source IP, protocol, port. XDP/eBPF for high-PPS attacks. ipset for bulk IP blocking. SYN cookies for SYN floods.
  • Network action: BGP FlowSpec rate-limit/drop if BGP configured. RTBH at >2 Gbps. Cloud scrubbing at >5 Gbps.
  • Time to mitigation: < 1 second (on-node); < 2 seconds (BGP)
  • What operator sees: Dashboard incident with classification, PCAP, AI summary. Alerts on configured channels. Audit log entry.

Cloud VM (AWS, GCP, Azure, DO, Vultr, Linode)
  • On-node action: iptables/nftables rules on the VM.
  • Network action: Cloud firewall API lockdown (DigitalOcean, Vultr, Linode, Cloudflare WAF). Cloud scrubbing divert (Cloudflare Magic Transit, AWS Shield Advanced, provider firewall). BGP if available.
  • Time to mitigation: < 1 second (on-node); variable (cloud API)
  • What operator sees: Same dashboard visibility. Cloud firewall actions logged. PCAP from the VM.

Game server host
  • On-node action: iptables/nftables rate-limit per source IP. XDP/eBPF for UDP flood filtering. tc bandwidth shaping to protect game ports.
  • Network action: BGP FlowSpec rate-limit on game server IPs. RTBH for overwhelming floods. Cloud scrubbing divert.
  • Time to mitigation: < 1 second (on-node)
  • What operator sees: Per-server incident. Attack family classification (UDP flood is most common). PCAP showing attack packets.

Hosting provider (multi-tenant)
  • On-node action: Per-node rules on each customer server. ipset bulk blocking. nftables per-customer isolation.
  • Network action: BGP FlowSpec per-customer prefix. RTBH for targeted IPs. Cloud scrubbing with customer-specific routing.
  • Time to mitigation: < 1 second (on-node); < 2 seconds (BGP)
  • What operator sees: Per-customer incidents. Public status page per customer. Workspace isolation between tenants.

ISP / carrier
  • On-node action: Local rules on monitored infrastructure. Flow-based detection from core routers via sFlow/NetFlow/IPFIX.
  • Network action: BGP FlowSpec rate-limit/drop distributed to edge routers. RTBH with community 65535:666. 4-level auto-escalation through the network.
  • Time to mitigation: < 2 seconds (BGP)
  • What operator sees: Network-wide incident correlation across nodes. Flow-level visibility. BGP mitigation log with exact announcements.

MikroTik / RouterOS shop
  • On-node action: iptables rules on Linux servers behind MikroTik routers. ftagent does not run on RouterOS directly.
  • Network action: BGP FlowSpec or RTBH via BGP session to MikroTik (if MikroTik is configured as BGP peer). Cloud scrubbing divert.
  • Time to mitigation: < 1 second (on Linux nodes); < 2 seconds (BGP to MikroTik)
  • What operator sees: Attacks detected on Linux nodes. Native RouterOS API integration for direct rule management. BGP rules also pushed to MikroTik via configured BGP adapter.

Environment Details

What the attacker sees

Depending on the mitigation level, the attacker experiences different responses:

On-node rules (iptables, nftables, XDP)

Attacker perspective
  • Rate-limit rule: Attacker's packets are throttled. Some get through, but not enough to cause impact. Attacker sees partial success.
  • Drop rule: Attacker's packets are silently dropped. No response. Connection attempts time out. Attacker sees the target as "down" but legitimate traffic is unaffected.
  • XDP/eBPF: Same as drop but at kernel driver level. Packets never reach the network stack. Zero CPU overhead from attack traffic.

BGP FlowSpec / RTBH

Attacker perspective
  • FlowSpec rate-limit: Upstream routers throttle matching traffic. Attack volume is reduced before it reaches the target network. Attacker sees diminishing returns.
  • FlowSpec drop: Upstream routers discard matching traffic entirely. Attack packets never reach the target AS.
  • RTBH: All traffic to the target IP is blackholed at the network edge. Both attack and legitimate traffic are dropped. The rest of the network is protected.

Cloud scrubbing

Attacker perspective
  • Traffic is diverted through the scrubbing center (Cloudflare, OVH, Hetzner, AWS Shield, etc.).
  • Attack traffic is filtered. Clean traffic is forwarded to the origin.
  • Attacker sees their traffic absorbed by the scrubbing provider's capacity (typically 1-100+ Tbps).
  • When the attack stops, direct routing resumes automatically.

Auto-rollback

Safety mechanisms
  • Collateral detection: If legitimate traffic drops >90% after a rule is applied, the rule is auto-removed.
  • Incident resolution: When PPS drops below threshold, all on-node rules are removed automatically.
  • BGP TTL: BGP rules auto-expire after 5 minutes (configurable). No stale routes.
  • Cloud scrubbing: Auto-withdrawn on resolution. No ongoing scrubbing cost during peacetime.
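As an added example (not Flowtriq's code), the following Python models the detection trigger from the Incident Timeline and the auto-rollback rules listed above in one place: the 3x 99th-percentile PPS baseline, the >90% legitimate-traffic collateral check, and the 5-minute BGP TTL come from this page, while the sample PPS series and the rule-tracking structure are constructed here for illustration.

```python
"""Toy model of the detection trigger and auto-rollback safety checks.

Added example, not Flowtriq's own code. Thresholds are the ones stated on
the page; the sample data and Rule structure are constructed for illustration.
"""
import math
from dataclasses import dataclass

BASELINE_MULTIPLIER = 3.0   # anomaly when PPS exceeds 3x the baseline
COLLATERAL_DROP = 0.90      # roll back if legitimate traffic falls by >90%
BGP_TTL_SECONDS = 300       # BGP rules expire after 5 minutes by default


def percentile_99(samples):
    """99th-percentile PPS over a window of samples (nearest-rank method)."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(len(ordered) * 99 / 100))
    return ordered[rank - 1]


def is_anomaly(current_pps, baseline_samples):
    """Detection trigger: current PPS above 3x the 99th-percentile baseline."""
    return current_pps > BASELINE_MULTIPLIER * percentile_99(baseline_samples)


@dataclass
class Rule:
    target: str             # constructed label for the protected IP/prefix
    kind: str               # "on-node" or "bgp"
    applied_at: float       # seconds since epoch when the rule was pushed
    legit_pps_before: int   # legitimate PPS measured just before the rule


def should_rollback(rule, legit_pps_after):
    """Collateral detection: legitimate traffic dropped by more than 90%."""
    if rule.legit_pps_before == 0:
        return False        # nothing to compare against; leave the rule alone
    drop = 1.0 - legit_pps_after / rule.legit_pps_before
    return drop > COLLATERAL_DROP


def is_expired(rule, now):
    """BGP rules carry a TTL; on-node rules live until incident resolution."""
    return rule.kind == "bgp" and now - rule.applied_at >= BGP_TTL_SECONDS


def incident_resolved(current_pps, baseline_samples):
    """Incident resolution: PPS back below the detection threshold."""
    return not is_anomaly(current_pps, baseline_samples)
```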

FAQ

Mitigation questions

Does Flowtriq stop attacks automatically?

Yes. Flowtriq detects, classifies, and mitigates attacks automatically. On-node firewall rules execute within 1 second. BGP announcements deploy within 2 seconds. Cloud scrubbing activates via API. All actions are logged and can be configured per attack type.

What if Flowtriq blocks legitimate traffic?

Flowtriq includes collateral damage detection: if legitimate traffic drops more than 90% after a rule is applied, the rule is automatically rolled back. All rules auto-expire when the incident resolves. Manual override is always available.

Does mitigation require BGP?

No. On-node mitigation (iptables, nftables, XDP/eBPF, ipset, tc, null routing) works on any Linux server with no network-level requirements. BGP mitigation is an additional layer for operators with BGP infrastructure. It extends protection to the network edge.

How fast is mitigation?

On-node firewall rules execute within 1 second of detection. BGP FlowSpec/RTBH announcements deploy within 2 seconds. Cloud scrubbing activation depends on the provider API but is typically under 30 seconds.

Can I customize which rules fire for which attacks?

Yes. Attack Profiles let you configure specific mitigation rules per attack family (UDP flood, SYN flood, HTTP flood, etc.) and per severity level. You can also set per-node overrides.

What happens when the attack stops?

When traffic drops below the detection threshold, the incident is resolved. On-node firewall rules are auto-removed. BGP rules auto-expire (default 5-minute TTL). Cloud scrubbing is auto-withdrawn. PCAP is uploaded. A full incident report is generated.
