Use Case
DDoS Protection Built for VoIP & Cloud Calling
Your customers depend on always-on voice service. When a DDoS attack hits your SIP trunks or media gateways, calls drop, queues fail, and your SLA clock starts ticking. Flowtriq detects SIP/RTP-targeted attacks in under 1 second and auto-mitigates before a single call drops.
The Problem
VoIP infrastructure is the highest-value DDoS target in telecom
Your SIP signalling servers and media gateways are centralized chokepoints. A single flood targeting port 5060 takes down registrations for your entire customer base. RTP disruption degrades call quality across every active session. Attackers know this, and they exploit it with extortion demands backed by sustained telephony denial-of-service (TDoS) campaigns.
The attack surface is wide: SIP registration floods, INVITE storms, RTP media saturation, UDP reflection amplification, and targeted extortion attacks demanding crypto payment in exchange for stopping the flood. Each one hits differently, and generic DDoS solutions that lack protocol awareness miss the early warning signs.
Meanwhile, every second of downtime means dropped calls, failed queue handoffs, broken IVR flows, and SLA violations that trigger contractual penalties. Your customers do not wait for a post-mortem. They port their numbers to a competitor while your NOC is still triaging the incident.
09:31:04 Registration queue saturated
09:31:08 New registrations failing
09:31:15 RTP media ports flooded :10000-20000
09:31:22 Active calls dropping, MOS < 1.0
09:31:30 Call queues overflowing
09:32:00 Customer PBX unreachable
09:35:00 NOC begins manual investigation
09:42:00 Upstream null route applied
09:42:00 Total downtime: 11 minutes
Calls dropped: 847
SLA breaches: 3 customers
Extortion email received: $5,000 BTC
How Flowtriq Helps
Detect SIP/RTP attacks in under a second, mitigate without dropping a single call
The FTAgent runs on each SIP server, SBC, and media gateway in your infrastructure, sampling kernel-level network statistics every second. When traffic on SIP or RTP ports crosses dynamic thresholds, the agent opens an incident, classifies the attack type, and applies port-specific nftables rules that drop attack traffic while legitimate SIP from known peers continues flowing.
Mitigation is surgical. Attack traffic is dropped at the kernel level before it reaches your SIP stack. Active calls on RTP media ports remain unaffected because rules target attack sources, not your service ports. When the attack subsides, rules are automatically withdrawn so no manual cleanup is needed.
Your NOC sees every node, every incident, and every mitigation action in a single dashboard. Per-port traffic analysis shows exactly which services are being targeted. PagerDuty integration pages your on-call engineer for critical incidents while routine attacks are handled entirely by automation.
09:31:01 PPS=74,800 BPS=1.8Gbps THRESHOLD
T+0.1s Incident opened · UDP Flood:5060 · 96%
T+0.2s Port analysis · SIP signalling targeted
T+0.4s Auto-mitigation · nftables rules applied
T+0.5s Alerts fired · PagerDuty · Slack
09:31:02 PPS=4,380 BPS=19Mbps MITIGATED
09:31:02 SIP registrations · processing normally
09:31:02 Active calls · 0 dropped
09:44:00 Attack subsides · rules withdrawn
Downtime: 0 seconds
Calls dropped: 0
Key Features
Purpose-built for voice infrastructure
SIP/RTP-aware detection
Per-port traffic analysis identifies attacks targeting SIP signalling (5060/5061) and RTP media ranges separately from general volumetric floods. The system knows when your voice infrastructure is under fire and classifies attacks with protocol-level context.
Per-port traffic analysis
See traffic breakdowns by destination port across every node. Identify which services are being targeted, spot anomalous traffic on SIP, RTP, or management ports, and correlate port-level data with attack incidents for faster root-cause analysis.
Auto-mitigation
When an attack is detected, Flowtriq's multi-level escalation chain activates. Kernel-level nftables rules drop attack traffic instantly. If the attack exceeds local capacity, BGP FlowSpec filters traffic at the network edge. When the attack ends, rules auto-withdraw at every level.
BGP FlowSpec integration
For volumetric attacks that exceed your local link capacity, Flowtriq pushes FlowSpec rules to your upstream routers to filter traffic at the network edge. Traffic never reaches your SIP servers in the first place, preserving bandwidth for legitimate call traffic.
Media gateway monitoring
Deploy the agent on every media gateway, SBC, and SIP proxy in your infrastructure. Monitor each one independently with its own baseline and threshold profile. An attack on one gateway does not affect detection or mitigation on any other.
Call quality correlation
Correlate network traffic anomalies with call quality degradation. When PPS or BPS spikes coincide with increased jitter, packet loss, or MOS drops, Flowtriq flags the event so your NOC can distinguish between capacity issues and active attacks.
PCAP with SIP analysis
Every incident includes a full packet capture starting from pre-attack traffic. Download PCAPs containing SIP headers and RTP streams for forensic analysis, share them with upstream providers for abuse reports, or use them to document extortion attempts for law enforcement.
Multi-site monitoring
Monitor SIP infrastructure across multiple datacenters and Points of Presence from a single dashboard. Group nodes by site, role (SBC, PBX, media gateway), or customer. Spot coordinated attacks that target multiple sites simultaneously.
Alerting & NOC integration
Route alerts to PagerDuty for on-call engineers, Slack for NOC channels, email for management summaries, and webhooks for custom integrations. Escalation policies ensure critical SIP outages wake up the right person at 3 AM.
API & automation
Integrate Flowtriq into your provisioning pipeline with the REST API. Automatically register new SIP servers when they come online, pull incident data into your billing system for SLA reporting, and export metrics to Prometheus for custom Grafana dashboards.
Getting Started
Protect your voice infrastructure in minutes
Deploying Flowtriq across your SIP infrastructure takes less time than handling a single extortion attack. Here is how it works from signup to full coverage.
Create your workspace
Sign up at flowtriq.com and create a workspace for your VoIP operation. Add your NOC team with admin access. The 7-day free trial starts immediately with no credit card required.
Install the FTAgent on each SIP server
The agent installs with pip install ftagent and runs as a lightweight systemd service. Deploy it on your SBCs, PBX servers, media gateways, and SIP proxies. Use Ansible or your existing config management to roll it out across your fleet.
Configure alert channels
Connect Flowtriq to PagerDuty for on-call pages, Slack for NOC visibility, and email for management reports. Set escalation policies so SIP-targeted attacks get immediate attention while routine events are handled by automation.
Enable auto-mitigation
Define mitigation policies for your voice nodes. Configure which attack types trigger automatic firewall rules, set how long rules persist after an attack ends, and choose your escalation chain (local firewall, FlowSpec, cloud scrubbing).
Monitor and tune
Within hours, Flowtriq learns your normal call traffic baselines, including daily peaks and off-hours patterns. Review per-port analytics to understand traffic distribution across SIP and RTP ports, and tune thresholds for your specific call volumes.
By the Numbers
The impact on your voice operations
Before & After
How Flowtriq transforms your DDoS response
Without Flowtriq
- SIP floods detected minutes after calls start dropping
- NOC scrambles to identify attack vector and target
- Entire customer base affected by single chokepoint hit
- Manual null routes kill legitimate SIP traffic too
- Extortion demands met with no defense strategy
- SLA violations trigger contractual penalties
- Customers port numbers to competitors during outage
With Flowtriq
- Detection in under 1 second, before calls degrade
- Automatic attack classification with port-level context
- Per-node mitigation isolates blast radius to one gateway
- Surgical rules drop attack traffic, SIP peers unaffected
- Extortion attacks mitigated automatically on repeat
- SLA uptime maintained through sustained attacks
- Full PCAP evidence for law enforcement and insurers
Pricing
Simple per-node pricing. No surprises.
Unlimited team seats included. Monitor every SBC, PBX, and media gateway at the same price per node. No bandwidth fees, no overage charges, no contracts. Cancel anytime. Flow sources (sFlow/NetFlow/IPFIX from routers) available from $19/source/month with volume discounts.
Compatibility
Works with your existing voice stack
The FTAgent runs on any Linux server with kernel 3.10 or later. It supports all major distributions including Ubuntu, Debian, CentOS, Rocky Linux, AlmaLinux, and Fedora. Whether your SIP infrastructure runs on bare-metal servers, cloud VMs, or containerized deployments, the agent works the same way.
Install it alongside Asterisk, FreeSWITCH, Kamailio, OpenSIPS, or any SBC platform. The agent reads kernel-level network statistics and does not interact with your SIP application layer, so there is zero risk of interfering with call processing or registration handling.
Flowtriq integrates with your existing monitoring. Export incident data via webhooks to your NOC ticketing system. Use the REST API to automate node provisioning when new gateways come online. Pull metrics into Grafana or your SIEM for unified visibility.
• Ubuntu 18.04, 20.04, 22.04, 24.04
• Debian 10, 11, 12
• CentOS 7, 8, 9 Stream
• Rocky Linux 8, 9
• AlmaLinux 8, 9
Firewalls
• iptables / ip6tables
• nftables
• ufw (Uncomplicated Firewall)
VoIP Platforms
• Asterisk / FreePBX
• FreeSWITCH / FusionPBX
• Kamailio / OpenSIPS
• Any Linux-based SBC
FAQ
Common questions from VoIP providers
Can Flowtriq distinguish between a traffic spike from legitimate call volume and a DDoS attack?
Yes. Flowtriq builds dynamic baselines that learn your normal call traffic patterns, including daily peaks, seasonal surges, and marketing-driven spikes. Detection triggers only when traffic deviates from your established baseline in ways consistent with attack signatures, not legitimate volume growth.
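The dynamic-baseline idea in this answer, together with the per-second kernel sampling described under "How Flowtriq Helps", can be illustrated as follows. This is an added example, not Flowtriq's code: it assumes /proc/net/dev as the statistics source and an EWMA k-sigma threshold, and every name, parameter and sample rate in it is constructed.

```python
import math

def rx_packets(proc_net_dev: str, iface: str) -> int:
    """Cumulative RX packet counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[1])  # fields: rx_bytes, rx_packets, ...
    raise KeyError(iface)

class PpsBaseline:
    """EWMA mean/variance of packets per second with a k-sigma threshold."""
    def __init__(self, alpha=0.1, k=6.0, floor=1000.0, warmup=5):
        self.alpha, self.k, self.floor, self.warmup = alpha, k, floor, warmup
        self.mean, self.var, self.seen = 0.0, 0.0, 0

    def threshold(self) -> float:
        return max(self.floor, self.mean + self.k * math.sqrt(self.var))

    def observe(self, pps: float) -> bool:
        """True if pps breaches the threshold; learns only from normal samples."""
        if self.seen >= self.warmup and pps > self.threshold():
            return True  # keep flood traffic out of the baseline
        delta = pps - self.mean if self.seen else 0.0
        self.mean = self.mean + self.alpha * delta if self.seen else pps
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.seen += 1
        return False

def detect(snapshots: list[str], iface: str) -> list[int]:
    """Indices of 1-second intervals whose PPS breached the learned threshold."""
    base, alerts, prev = PpsBaseline(), [], None
    for i, snap in enumerate(snapshots):
        pkts = rx_packets(snap, iface)
        # A counter that went backwards (reset/wrap) yields no usable delta.
        if prev is not None and pkts >= prev and base.observe(pkts - prev):
            alerts.append(i)
        prev = pkts
    return alerts

# Constructed per-second RX packet rates: normal call traffic, then a flood.
RATES = [4200, 4400, 4300, 4600, 4250, 4500, 4380, 74800, 73900, 4380]

def make_snapshots(rates: list[int], iface: str = "eth0") -> list[str]:
    total, out = 1_000_000, []
    for r in [0] + rates:  # one constructed /proc/net/dev line per second
        total += r
        out.append(f"  {iface}: {total * 200} {total} " + "0 " * 14)
    return out
```

Calling `detect(make_snapshots(RATES), "eth0")` flags only the two flood seconds. Because breaching samples are not folded into the baseline, the threshold stays near normal call volume while the flood continues.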
Does it support SIP-specific detection?
Flowtriq detects at the network layer, which is where SIP floods, UDP floods targeting SIP ports, and volumetric attacks all manifest. Port-level traffic analysis identifies attacks targeting 5060/5061 specifically, so the system knows when your signalling infrastructure is under fire versus a general volumetric flood.
Will mitigation rules block legitimate SIP traffic?
No. Mitigation is based on attack classification and source profiling, not blanket port blocking. Legitimate SIP traffic from known peers, registered endpoints, and carrier interconnects continues flowing normally while attack traffic is dropped at the kernel level.
Can I monitor multiple PBX, SBC, and gateway servers?
Yes. Deploy the FTAgent on every server in your voice infrastructure and monitor them all from a single dashboard. Group nodes by site, role, or customer. Each node runs independent detection so an attack on one gateway does not affect monitoring on another.