The Detection Gap

Your DDoS tool sees the attack. Then what?

Most tools stop at the alert. They tell you something is wrong and leave you staring at a dashboard at 3 AM trying to remember which router to SSH into. Detection without mitigation is just a more expensive way to watch yourself get hit.

"If it had an actionable piece to it... you need to find a way to make it actionable because if you could actually mitigate, it'd be huge." - Network Engineer, DDoS Tool Review

"Once the anomaly is detected, that's great, but then you have to mitigate." - Infrastructure Lead, PeerSpot

"We have to have some sort of DDoS mitigation... once the anomaly is detected." - Network Operations Manager, Gartner Peer Insights

The tool detected the attack perfectly. Then did absolutely nothing about it. Very helpful.

Why detection alone is not enough

Getting an alert that you are under attack is step one. But if every alert requires a human to log in, diagnose, and manually push mitigation rules, you have a process that is measured in minutes when the damage happens in seconds.

Alert fatigue kills response time

When every detection event generates an alert that requires manual action, operators start ignoring them. The tenth Slack notification this week about a volumetric spike gets the same response as the first: someone will look at it eventually. By then, the attack has already saturated the link.

Manual response does not scale

SSHing into a router, identifying the attack vector, writing the right filter rule, testing it, pushing it to production. That process takes 10-30 minutes for an experienced engineer. Most DDoS attacks cause significant damage in under 60 seconds. Manual response simply cannot keep pace.

Detection and mitigation are separate products

Many vendors sell detection as one product and mitigation as another. Or they detect at the flow level but require a separate inline appliance to actually block traffic. The result is two tools, two budgets, two configurations, and a gap between them where attacks cause damage.

Open-source tools lack the response layer

Threshold-based detection tools can identify anomalies and send alerts, but the mitigation step is left to custom scripts. You end up writing and maintaining fragile shell scripts that call BGP daemons, and hoping they work correctly at 2 AM when the next attack lands.

4-tier auto-escalation: detect once, mitigate automatically

Instead of generating an alert and walking away, Flowtriq runs through an escalation chain that matches the severity of the attack to the right mitigation response. Each tier activates automatically if the previous tier does not resolve the attack.

Tier 1 - Immediate

Local iptables filtering

The agent applies targeted iptables rules directly on the server within seconds of detection. This handles small-to-medium attacks without involving any upstream infrastructure. Rules are specific to the attack vector, not blanket blocks.

Escalation trigger: attack persists or exceeds local capacity

Tier 2 - Upstream filtering

FlowSpec rules via BGP

Flowtriq pushes FlowSpec rules to your upstream routers through any of 8 supported BGP adapters (ExaBGP, GoBGP, BIRD 2, FRR, and more). Traffic is filtered at the network edge before it reaches the server, offloading the attack from your infrastructure.

Escalation trigger: attack exceeds what FlowSpec can handle

Tier 3 - Network-level blackhole

Remotely Triggered Blackhole (RTBH)

For severe attacks, Flowtriq signals your upstream provider to blackhole the target IP at the routing level. This sacrifices reachability for the target but protects the rest of your network from collateral damage. RTBH activates and deactivates automatically.

Escalation trigger: volumetric attack exceeds link capacity

Tier 4 - Cloud scrubbing

Upstream scrubbing center

Traffic is redirected to a cloud scrubbing provider for volumetric attacks that exceed your link capacity. Flowtriq integrates with Cloudflare Magic Transit, OVH, Hetzner, DigitalOcean, Vultr, Linode, and more. Clean traffic is returned to your origin.

Runbooks turn detection into action

The escalation chain is configured through runbooks. A runbook defines exactly what happens when an attack is detected: which tiers to activate, what thresholds trigger escalation, which alert channels fire at each stage, and when to automatically de-escalate. You define the playbook once and the system executes it every time.

This matters because the alternative is a wiki page or a Google Doc that an on-call engineer has to find and follow at 3 AM. Runbooks encode that institutional knowledge into the system itself, so the response is consistent whether your senior network engineer is on call or your most junior team member.

Every mitigation action is logged with full context: what was detected, which tier responded, what rules were applied, and when they were removed. After the attack, you have a complete audit trail without anyone needing to take notes during the incident.

Detection to mitigation in 1-2 seconds

Flowtriq detects attacks using sliding-window p99 baselines and begins Tier 1 mitigation within 1-2 seconds. There is no gap between "we know" and "we are doing something about it." The agent captures PCAPs automatically with a ring buffer, so forensic data is preserved from the first packet.
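
The sketch below is an added illustration, not Flowtriq's code or runbook format: it shows how a sliding-window p99 baseline can drive a tiered escalation chain with automatic de-escalation and an audit trail. The `Runbook` class, the window size, the 3x multiplier, the hold counts and the traffic samples are all assumptions constructed for the example.

```python
import math
from collections import deque

# Tier names follow the page's four-tier chain; index 0 means no mitigation.
TIERS = ["none", "iptables", "flowspec", "rtbh", "scrubbing"]

def p99(samples):
    """Nearest-rank 99th percentile."""
    s = sorted(samples)
    return s[max(0, math.ceil(0.99 * len(s)) - 1)]

class Runbook:
    """Hypothetical runbook: all parameters below are assumed values."""
    def __init__(self, window=300, warmup=30, factor=3.0, escalate_after=3, clear_after=5):
        self.baseline = deque(maxlen=window)  # sliding window of clean pps samples
        self.warmup, self.factor = warmup, factor
        self.escalate_after, self.clear_after = escalate_after, clear_after
        self.tier = self.hot = self.calm = 0
        self.audit = []  # (ts, from_tier, to_tier, pps, threshold)

    def observe(self, ts, pps):
        if len(self.baseline) < self.warmup:  # learn only, never alert
            self.baseline.append(pps)
            return self.tier
        threshold = self.factor * p99(self.baseline)
        if pps > threshold:
            self.hot, self.calm = self.hot + 1, 0
            # First hit triggers Tier 1 at once; later tiers need sustained load.
            if self.tier == 0 or (self.hot >= self.escalate_after and self.tier < 4):
                self._move(ts, self.tier + 1, pps, threshold)
        else:
            self.hot, self.calm = 0, self.calm + 1
            if self.tier == 0:
                self.baseline.append(pps)  # attack samples never enter the baseline
            elif self.calm >= self.clear_after:
                self._move(ts, 0, pps, threshold)  # automatic de-escalation
        return self.tier

    def _move(self, ts, new_tier, pps, threshold):
        self.audit.append((ts, TIERS[self.tier], TIERS[new_tier], pps, round(threshold)))
        self.tier, self.hot, self.calm = new_tier, 0, 0

def simulate():
    """Constructed per-second pps samples: 60 s normal, 8 s flood, 6 s recovery."""
    rb = Runbook()
    traffic = [1000 + (i % 10) * 10 for i in range(60)] + [50_000] * 8 + [1000] * 6
    return rb, [rb.observe(t, pps) for t, pps in enumerate(traffic)]
```

In a real deployment the calm signal for the RTBH tier has to come from upstream telemetry or a timed release, because a blackholed address no longer receives the traffic a host-side agent would measure.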

Alerts at every stage, not just detection

Most tools send one alert: "attack detected." Flowtriq sends contextual notifications at each escalation tier. You get told what is happening and what the system is doing about it, through Slack, Discord, PagerDuty, OpsGenie, Telegram, SMS, email, Teams, or webhooks.

Where we're still improving

We are working with more scrubbing partners to add one-click upstream mitigation for additional providers. If your provider is not on the list yet, the webhook adapter lets you integrate with any API-based service today.

Detect, escalate, mitigate, notify. In that order. Automatically. Under 2 seconds.

DDoS detection vs. mitigation: FAQ

What is the difference between DDoS detection and DDoS mitigation?

Detection identifies that an attack is happening by analyzing traffic patterns. Mitigation is the act of stopping it, through filtering, blackholing, or scrubbing. Many tools handle detection well but leave mitigation entirely to the operator, which creates a gap where attacks cause damage while humans scramble to respond.

Why do most DDoS tools only detect and not mitigate?

Detection is a single-system problem. Mitigation requires integration with routers, firewalls, BGP speakers, and scrubbing providers across different vendors and environments. Building and maintaining those integrations is significantly harder, so many tools stop at the detection boundary.

Can I use Flowtriq for detection only if I want to mitigate manually?

Yes. The escalation chain is configurable through runbooks. You can set Flowtriq to detect and alert without taking any automatic mitigation action. Many teams start this way, review the detection accuracy for a few weeks, and then enable auto-escalation once they trust the baselines.

What BGP speakers does Flowtriq work with for FlowSpec and RTBH?

Flowtriq supports 8 BGP adapters: ExaBGP, GoBGP, BIRD 2, FRR, Cloudflare, Radware, F5, and a generic webhook adapter for anything else. If your BGP setup is not on that list, the webhook adapter lets you integrate with any system that accepts HTTP calls.

How fast does Flowtriq mitigate once an attack is detected?

Local iptables filtering (Tier 1) activates within 1-2 seconds of detection. FlowSpec and RTBH (Tiers 2 and 3) depend on BGP propagation times, typically a few seconds. Cloud scrubbing (Tier 4) depends on the provider but is initiated automatically the moment the escalation threshold is met.

Stop watching attacks happen. Start stopping them.

14-day free trial. No credit card. $9.99/node/month with detection, classification, PCAP forensics, and 4-tier auto-escalation included.
