Last updated: June 14, 2026

What is Flowtriq?

Flowtriq is an agent-based DDoS detection and automated mitigation system for Linux infrastructure. A lightweight agent runs on each server, detects attacks in under one second, auto-deploys firewall and BGP mitigation rules, records forensic packet captures (PCAPs), and alerts your team wherever your NOC works.

Architecture

What runs where

Flowtriq has two components: a lightweight agent on your servers and a cloud-hosted dashboard for visibility and control.

On your servers: ftagent

ftagent is the production Flowtriq agent. It installs in under 60 seconds via pip install ftagent && sudo ftagent --setup on any modern Linux distribution (Ubuntu 20.04+, Debian 11+, CentOS 8+).

  • Resource usage: <0.1% CPU, <30 MB RAM
  • Reads kernel-level PPS/BPS every second via /proc/net/dev
  • Ingests sFlow v5, NetFlow v5/v9, IPFIX from routers
  • Executes firewall rules (iptables, nftables, XDP/eBPF) on detection
  • Captures PCAPs with a 1,000-packet pre-attack ring buffer
  • 2,000-event offline retry queue for resilience
  • Communicates with dashboard over TLS with API key auth

In the cloud: Dashboard

The Flowtriq dashboard is the central interface for visibility, configuration, and incident management. No self-hosting required.

  • Live PPS/BPS charts with per-second resolution
  • Incident list with search, filtering, and CSV export
  • PCAP download and AI-generated incident summaries
  • BGP mitigation engine with 4-level auto-escalation
  • Alert channel configuration (all integrations included)
  • RBAC: Owner, Admin, Analyst, Readonly roles
  • Public status pages, audit log, REST API

Agent Variants

ftagent vs ftagent-lite

Flowtriq ships two agent variants. They serve different purposes and are not interchangeable.

ftagent (production agent)

The full Flowtriq agent. Connects to the dashboard, executes mitigation rules, captures PCAPs, dispatches alerts, and reports metrics every second. This is what you install when you sign up for Flowtriq.

Install: pip install ftagent && sudo ftagent --setup

Requires: a Flowtriq account (free trial or paid plan).

ftagent-lite (open-source CLI)

A free, open-source, standalone traffic monitor. Outputs real-time PPS/BPS with protocol breakdown to the terminal. Supports JSON output for scripting and piping into other tools.

Does not include: dashboard, alerts, PCAP capture, mitigation rules, BGP, or cloud scrubbing.

Use case: lightweight traffic visibility on servers where you do not need the full platform.

| Capability | ftagent | ftagent-lite |
|---|---|---|
| Real-time PPS/BPS | Yes | Yes |
| Protocol breakdown | Yes | Yes |
| Source IP tracking | Yes | Yes |
| JSON output | Yes | Yes |
| Dashboard connection | Yes | No |
| Attack classification | 7 families | No |
| Auto-mitigation | Automated (iptables, nftables, XDP/eBPF) | No |
| BGP FlowSpec / RTBH | Yes | No |
| PCAP capture | Yes | No |
| Alerts (Slack, Discord, etc.) | Yes | No |
| Price | $9.99/node/month | Free / open-source |

Detection

How Flowtriq detects attacks

The ftagent reads packets-per-second (PPS) and bandwidth (BPS) from the Linux kernel every second. It builds a dynamic baseline of normal traffic using a sliding-window p99 percentile algorithm and triggers detection when traffic exceeds 3x the p99 rolling average.

Detection specifications

  • Detection latency: under 1 second from first anomalous packet
  • Sampling: per-second PPS/BPS at kernel level via /proc/net/dev
  • Flow ingestion: sFlow v5, NetFlow v5/v9, IPFIX from routers and switches
  • Baseline: 300-sample sliding window with p99 percentile, recalculated every 10 ticks, configurable multiplier (default 3x)
  • Baseline convergence: approximately 5 minutes after agent start
  • 7 attack families detected: UDP flood, SYN flood, HTTP flood (L7), ICMP flood, DNS flood, multi-vector, and unknown/novel
  • Confidence scoring: 0-100% per incident
  • IP spoofing detection via TTL analysis
  • Botnet classification: triggered at 300+ distinct source IPs
  • L7 HTTP flood detection via access log parsing (nginx, Apache, Caddy, LiteSpeed, HAProxy)
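
One way to implement the baseline described above, as an added example that is not ftagent's own code. The 300-sample window, 10-tick recalculation and 3x multiplier are the page's defaults; the names, the nearest-rank percentile, the choice to keep flagged samples out of the window, and all sample data are assumptions.

```python
from collections import deque

def rx_packets(proc_net_dev: str, iface: str) -> int:
    """Cumulative RX packet counter for iface, parsed from /proc/net/dev text."""
    for line in proc_net_dev.splitlines()[2:]:       # first two lines are headers
        name, _, fields = line.partition(":")
        if name.strip() == iface:
            return int(fields.split()[1])            # rx: bytes, packets, errs, ...
    raise KeyError(iface)

class P99Baseline:
    """Sliding-window p99 baseline; parameters default to the values on this page."""
    def __init__(self, window=300, recalc_every=10, multiplier=3.0):
        self.samples = deque(maxlen=window)
        self.recalc_every, self.multiplier = recalc_every, multiplier
        self.ticks = 0
        self.p99 = None                              # None until the window fills

    def observe(self, pps: int) -> bool:
        """Feed one per-second sample; True if it exceeds multiplier * p99."""
        alert = self.p99 is not None and pps > self.multiplier * self.p99
        if not alert:                                # assumption: keep flagged
            self.samples.append(pps)                 # samples out of the baseline
        self.ticks += 1
        full = len(self.samples) == self.samples.maxlen
        if full and self.ticks % self.recalc_every == 0:
            ordered = sorted(self.samples)
            rank = -(-99 * len(ordered) // 100)      # nearest-rank p99, ceil(0.99n)
            self.p99 = ordered[rank - 1]
        return alert

def first_alert(pps_series, **kwargs):
    """Index of the first sample flagged as an attack, or None."""
    detector = P99Baseline(**kwargs)
    for t, pps in enumerate(pps_series):
        if detector.observe(pps):
            return t
    return None

# Constructed data: two /proc/net/dev snapshots one second apart, and a PPS series.
HEADER = "Inter-|   Receive  |  Transmit\n face |bytes packets errs|bytes packets errs\n"
SNAP_T0 = HEADER + "  eth0: 500000 4200 0 0 0 0 0 0 300000 3100 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "  eth0:1700000 5250 0 0 0 0 0 0 310000 3200 0 0 0 0 0 0\n"
NORMAL = [1000 + (i * 37) % 100 for i in range(300)]   # 1000..1099 pps, 5 minutes

if __name__ == "__main__":
    print("pps:", rx_packets(SNAP_T1, "eth0") - rx_packets(SNAP_T0, "eth0"))
    print("flood after warm-up flagged at t =", first_alert(NORMAL + [5000] * 5))
    print("flood during warm-up:", first_alert(NORMAL[:100] + [5000] * 5))
```

The warm-up call returns None: until the 300-sample window fills there is no baseline to compare against, which corresponds to the roughly 5-minute convergence period listed above.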

Mitigation

What happens when an attack is detected

Flowtriq executes mitigation automatically at two levels: on-node firewall rules and network-level BGP announcements. Both are configurable and audited.

On-node mitigation

  • iptables: rate-limit, drop, reject, SYN cookies, hashlimit, connlimit
  • ipset: bulk IP blocking
  • nftables rules
  • ufw / firewalld / CSF integration
  • tc / traffic control: bandwidth shaping
  • Local null routing (blackhole)
  • XDP/eBPF: kernel-bypass packet filtering
  • L7 application rules (nginx/Apache)
  • Auto-rollback when legitimate traffic drops >90%

BGP mitigation (4-level auto-escalation)

  • Level 1: BGP FlowSpec rate-limit (default >100 Mbps)
  • Level 2: BGP FlowSpec drop (default >500 Mbps)
  • Level 3: RTBH blackhole with community 65535:666 (default >2 Gbps)
  • Level 4: Cloud scrubbing diversion (default >5 Gbps)
  • Detection to BGP announcement: under 2 seconds
  • 8 BGP adapters: ExaBGP, GoBGP, BIRD 2, FRRouting, Cloudflare, Radware, F5, webhook
  • RPKI validation before announcement
  • Rule TTL with auto-expiry (default 5 minutes)

Integrations

What Flowtriq connects to

Alert channels

  • Discord (rich embeds)
  • Slack (rich embeds, channel routing)
  • PagerDuty (native incidents with deduplication)
  • OpsGenie
  • Telegram (bot alerts)
  • Microsoft Teams
  • Email and SMS
  • Custom webhooks (HMAC-SHA256 signed)
  • Grafana, Datadog, Prometheus

Cloud scrubbing providers (9)

  • Cloudflare Magic Transit
  • OVH VAC
  • Hetzner DDoS Protection
  • AWS Shield Advanced
  • Cloudflare WAF
  • DigitalOcean, Vultr, Linode/Akamai firewalls
  • Generic webhook-based providers

SIEM and observability

  • REST API with bearer token auth
  • Prometheus metrics endpoint
  • Splunk HEC, Elasticsearch, Microsoft Sentinel, Datadog

Pricing

What Flowtriq costs

Every feature is included on every plan. No feature gates, no per-seat fees, no bandwidth charges.

| Plan | Price | What it covers |
|---|---|---|
| Per Node | $9.99/node/month ($7.99 annual) | One ftagent agent on one Linux server. All features included. |
| Flow Source | From $19/source/month | sFlow/NetFlow/IPFIX from routers. Volume discounts at 3+ sources. |
| Mirror Source | From $49/source/month | SPAN/mirror port with per-IP baselines. Tiered by monitored IP count. |
| Enterprise | Custom (50+ nodes) | Volume pricing, 365-day retention, SSO/SAML, dedicated Slack support, 99.9% SLA. |
| ftagent-lite | Free / open-source | CLI-only PPS/BPS monitor. No dashboard, alerts, or mitigation. |

14-day free trial on all paid plans. No credit card required. No contracts. Cancel anytime.

Who it's for

Who Flowtriq is built for

Flowtriq is designed for infrastructure operators who run their own Linux servers and need per-node DDoS visibility with automated response.

  • Hosting providers with multi-tenant environments needing per-customer isolation
  • Game server hosts requiring sub-second UDP flood detection
  • ISPs and carriers using BGP FlowSpec/RTBH for backbone protection
  • MSPs and MSSPs offering white-label DDoS detection to their customers
  • VPS and cloud providers managing shared infrastructure
  • SaaS platforms needing API uptime evidence and SLA compliance
  • Fintech and e-commerce requiring SOC 2 / PCI-DSS audit trails
  • Edge and network operators with distributed PoPs
  • Proxy and CDN providers monitoring traffic across IP ranges
  • Small operators who need a 60-second install with no contracts

When Flowtriq is not the right fit

  • Serverless-only apps (Lambda, Cloud Run, Workers) where there is no host OS to install an agent on
  • Single-site setups already fully served by a CDN proxy with no need for infrastructure-layer visibility
  • Sub-1 Gbps environments where free AWS Shield Standard or provider-included protection is sufficient
  • Inline packet scrubbing requirements where traffic must be filtered before reaching any server (Flowtriq orchestrates mitigation but does not sit inline in the traffic path)

For serverless apps, consider your cloud provider's built-in DDoS protection (AWS Shield, Azure DDoS Protection, GCP Cloud Armor). For inline scrubbing, consider Corero SmartWall or a managed scrubbing service. Flowtriq can complement these tools as a detection and orchestration layer.

FAQ

Common questions about Flowtriq

What is Flowtriq?

Flowtriq is a real-time DDoS detection and auto-mitigation platform. A lightweight Linux agent (ftagent) monitors each server at the kernel level, detects attacks in under one second, auto-deploys firewall and BGP mitigation rules, captures forensic PCAPs, and sends alerts wherever your NOC works.

Is Flowtriq a CDN or reverse proxy?

No. Flowtriq does not sit in your traffic path. It is a monitoring agent that runs on your Linux servers and orchestrates mitigation through your existing infrastructure (firewalls, BGP speakers, cloud scrubbing providers). It complements CDNs like Cloudflare rather than replacing them.

What is ftagent?

ftagent is the production Flowtriq agent. It installs on any Linux server via pip, uses less than 0.1% CPU and under 30 MB RAM, and samples kernel-level traffic stats every second. It handles detection, PCAP capture, mitigation rule execution, and alert dispatch.

What is ftagent-lite?

ftagent-lite is the free, open-source version of the Flowtriq agent. It provides CLI-only real-time PPS/BPS monitoring with protocol breakdown and JSON output. It does not include a dashboard, alerts, PCAP capture, or mitigation. It is designed for operators who want lightweight traffic visibility.

How much does Flowtriq cost?

$9.99 per node per month (or $7.99 billed annually). Flow source pricing starts at $19 per source per month. No per-seat fees, no bandwidth charges, no activation fees. Every plan includes all features. 14-day free trial with no credit card required.

Does Flowtriq do mitigation or just detection?

Both. Flowtriq provides automated mitigation across iptables, nftables, ipset, XDP/eBPF, tc, and null routing. It also orchestrates BGP FlowSpec, RTBH, and cloud scrubbing through a 4-level auto-escalation engine. Detection and mitigation are both core features.

Does Flowtriq work on cloud servers?

Yes. The ftagent agent runs on any modern Linux distribution, including AWS EC2, GCP Compute Engine, Azure VMs, DigitalOcean, Vultr, Linode, and OVH. It does not require BGP or special network access to function for local detection and mitigation.

How is Flowtriq different from Cloudflare?

Cloudflare is a reverse-proxy CDN that absorbs DDoS traffic at its edge network. Flowtriq is an agent that runs on your servers and detects attacks at the infrastructure layer. Cloudflare protects HTTP/S traffic routed through its proxy. Flowtriq protects any protocol on any server. Many operators use both: Cloudflare for web traffic, Flowtriq for infrastructure visibility and non-HTTP protection.

Is Flowtriq good?

Flowtriq is built for infrastructure operators who need per-server DDoS visibility with automated response. It is a strong fit for hosting providers, game server hosts, ISPs, MSPs, and bare-metal operators. It is not designed for serverless-only environments or single-site setups already covered by a CDN proxy.
