NetDeflect is an advanced DDoS mitigation and detection tool for Linux-based systems. It captures, analyzes, and classifies traffic in real-time, blocks malicious IPs based on attack signatures, provides live metrics, and sends Discord webhook alerts to keep you informed of any attacks.
Demo Video: BitLonger.mp4
Unknown Attack Detection: PacketDTC.mp4
- 📊 Live Network Monitoring: Real-time PPS, MB/s, and CPU tracking.
- 🚨 Intelligent Detection: Identifies DDoS attacks using known protocol signatures and flags, and automatically detects new attack patterns.
- 🔥 Comprehensive Mitigation: Blocks offending IPs using `iptables`, `ipset`, `ufw`, or blackhole routing.
- 🔍 Advanced Traffic Analysis: Uses `tcpdump` and `tshark` to capture and inspect attack patterns, with automatic pattern detection.
- 📁 Organized Reports: Stores pcap captures and detailed analysis logs for every incident.
- 📡 Discord Webhook Integration: Sends detailed alerts with attack stats, mitigation results, and summaries.
- 🔄 Self-Updating: Notifies you when a new version is available on GitHub.
- 🌐 External API Integration: Connect to external firewall services and security tools via configurable API endpoints.
- 🧠 Auto-Pattern Detection: Identifies and learns new attack patterns automatically.
- Linux (Debian-based preferred)
- Python 3
- Packages: `tcpdump`, `tshark`
- Firewall: `iptables`, `ipset` (optional)
- PIP packages: `psutil`, `requests`

Run as root, ideally in a screen or tmux session:

```bash
apt install tcpdump tshark -y
git clone https://github.com/0vm/NetDeflect
cd NetDeflect
pip install psutil requests
python3 netdeflect.py
```
On first run, a `settings.ini` file and a `notification_template.json` file will be created with defaults. Your Discord webhook should be added to the `settings.ini` file. The `notification_template.json` file defines the Discord embed layout and can be fully customized.
- Advanced Mitigation Settings:
  - `enable_fallback_blocking`: Control whether to block IPs when no specific attack signature is identified.
  - `block_other_attack_contributors`: Block top traffic contributors for unclassified attack types.
  - `enable_pattern_detection`: Automatically detect and identify common attack patterns.
  - `block_autodetected_patterns`: Choose whether to block IPs using newly detected patterns.
  - `contributor_threshold`: Minimum traffic percentage to consider an IP as malicious.
  - `max_pcap_files`: Control how many PCAP files to retain for historical analysis.
- External Firewall API Integration:
  - Connect to external security services with comprehensive configuration options.
  - Multiple authentication methods: bearer token, basic auth, header-based.
  - Flexible request formatting with customizable templates.
  - Batch processing options for efficient IP submission.
NetDeflect v2.0 uses a multi-layered approach to detect attacks:
- Signature-based Detection: Matches traffic against known attack patterns.
- Volume-based Detection: Monitors traffic thresholds (PPS, MB/s).
- Automatic Pattern Discovery: Identifies new attack patterns by analyzing traffic behavior.
- Contributor Analysis: Identifies IPs contributing abnormally high traffic volumes.
Attack signatures are categorized into three types:
- Spoofed IP Attacks: Reflection and amplification attacks with spoofed source IPs.
- Valid IP Attacks: Direct attacks where the source IP is legitimate.
- Other Attacks: Specialized attack types that require custom handling.
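To make the three layers and the three signature categories concrete, here is a small Python simulation added for this page. It is not NetDeflect's own code: the signature table (standing in for `methods.json`, whose real schema is not shown here), the thresholds and the sample packets are all constructed for the illustration. It runs the volume check, the signature match and the contributor share over one constructed capture window.

```python
"""Simplified illustration of NetDeflect-style layered detection.

Added example, not NetDeflect's own code: the signature table, the
thresholds and the sample packets are constructed for this illustration,
and the real methods.json schema is not shown on the page.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str        # "udp" or "tcp"
    src_port: int
    dst_port: int
    tcp_flags: str    # e.g. "S", "SA"; empty for UDP
    payload_hex: str


# Constructed signature table grouped into the page's three categories.
SIGNATURES = {
    "spoofed": [   # reflection/amplification: source port is the reflector's service
        {"name": "DNS amplification", "proto": "udp", "src_port": 53},
        {"name": "NTP monlist", "proto": "udp", "src_port": 123},
    ],
    "valid": [     # direct floods from real source addresses
        {"name": "SYN flood", "proto": "tcp", "tcp_flags": "S"},
    ],
    "other": [     # specialised cases that need custom handling
        {"name": "HTTP/1 reflection", "proto": "tcp", "src_port": 80},
    ],
}


def match_signature(pkt):
    """Signature layer: (category, name) of the first matching entry, else None."""
    for category, entries in SIGNATURES.items():
        for sig in entries:
            if sig["proto"] != pkt.proto:
                continue
            if "src_port" in sig and sig["src_port"] != pkt.src_port:
                continue
            if "tcp_flags" in sig and sig["tcp_flags"] != pkt.tcp_flags:
                continue
            return category, sig["name"]
    return None


def volume_exceeded(packets, window_s, pps_limit, mb_per_s_limit):
    """Volume layer: True when PPS or MB/s over the window crosses a limit."""
    pps = len(packets) / window_s
    total_bytes = sum(len(p.payload_hex) // 2 for p in packets)
    mb_per_s = total_bytes / window_s / 1_000_000
    return pps > pps_limit or mb_per_s > mb_per_s_limit


def top_contributors(packets, contributor_threshold):
    """Contributor layer: IPs whose share of packets is >= contributor_threshold (%)."""
    counts = Counter(p.src_ip for p in packets)
    total = sum(counts.values())
    return {ip: round(100 * n / total, 1) for ip, n in counts.items()
            if 100 * n / total >= contributor_threshold}


def analyze(packets, window_s, pps_limit, mb_per_s_limit, contributor_threshold):
    """Combine the layers: the dominant matched signature (if any) plus the
    top contributors, which is what fallback blocking falls back on."""
    hits = Counter(m for p in packets if (m := match_signature(p)) is not None)
    signature = hits.most_common(1)[0][0] if hits else None
    return {
        "volume_exceeded": volume_exceeded(packets, window_s, pps_limit, mb_per_s_limit),
        "signature": signature,
        "contributors": top_contributors(packets, contributor_threshold),
    }


# Constructed capture: three DNS reflectors answering from UDP/53 plus two benign flows.
SAMPLE_PACKETS = (
    [Packet("198.51.100.10", "udp", 53, 40123, "", "ab" * 512)] * 4
    + [Packet("198.51.100.11", "udp", 53, 40123, "", "cd" * 512)] * 3
    + [Packet("198.51.100.12", "udp", 53, 40123, "", "ef" * 512)]
    + [Packet("192.0.2.5", "udp", 40000, 53, "", "1234")]
    + [Packet("192.0.2.6", "tcp", 443, 51000, "SA", "")]
)

if __name__ == "__main__":
    # Thresholds are deliberately tiny so the ten-packet sample trips them.
    print(analyze(SAMPLE_PACKETS, window_s=1.0, pps_limit=5,
                  mb_per_s_limit=100, contributor_threshold=20))
```

Note that the third reflector (10% of packets) falls under the 20% `contributor_threshold` and would not be blocked by the contributor layer alone; it is still caught by the signature layer, which is why the two layers complement each other.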
```text
netdeflect.py
settings.ini
notification_template.json
methods.json
./application_data/
├── captures/                  ← Raw .pcap traffic captures
├── ips/                       ← IPs identified during attacks
├── attack_analysis/           ← Detailed reports of each attack
└── new_detected_methods.json  ← Auto-detected attack patterns
```
Sends alerts to Discord with enhanced information:
- PPS & Mbps before mitigation
- Blocked IP count
- Attack vector and category
- Mitigation status
- Blocking strategy used
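The following Python example, added for this page and not taken from NetDeflect, shows how a customizable template turns those alert fields into a Discord webhook payload. The template dict, the `{placeholder}` syntax and the field names are assumptions (NetDeflect's real `notification_template.json` layout is not shown here); the embed structure and the 25-field / 1024-character limits are Discord's.

```python
"""Render a Discord webhook payload from an embed template.

Added example, not NetDeflect's own code. The template keys, the
{placeholder} syntax and the stats field names are assumptions; only
the embed structure and limits come from Discord's webhook API.
"""
import json
import urllib.request

# Constructed template in the spirit of notification_template.json (assumption).
TEMPLATE = {
    "username": "NetDeflect",
    "embeds": [{
        "title": "DDoS attack mitigated on {hostname}",
        "color": 15158332,
        "fields": [
            {"name": "Vector", "value": "{vector} ({category})", "inline": True},
            {"name": "Traffic before mitigation", "value": "{pps} pps / {mbps} Mbps", "inline": True},
            {"name": "Blocked IPs", "value": "{blocked_count}", "inline": True},
            {"name": "Mitigation", "value": "{status} via {strategy}", "inline": False},
        ],
    }],
}


def render(node, values):
    """Recursively substitute {placeholders} in every string of the template."""
    if isinstance(node, str):
        return node.format_map(values)
    if isinstance(node, list):
        return [render(item, values) for item in node]
    if isinstance(node, dict):
        return {key: render(val, values) for key, val in node.items()}
    return node  # ints, bools and None are passed through untouched


def build_payload(stats, template=TEMPLATE):
    """Fill the template and enforce Discord's embed limits before sending."""
    payload = render(template, stats)
    for embed in payload["embeds"]:
        fields = embed.get("fields", [])
        if len(fields) > 25:
            raise ValueError("Discord allows at most 25 fields per embed")
        for field in fields:
            field["value"] = field["value"][:1024]   # value limit per field
        embed["title"] = embed.get("title", "")[:256]
    return payload


def post_alert(webhook_url, payload):
    """POST the payload to the webhook; only called from main, never on import."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "User-Agent": "netdeflect-example"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed attack stats for the demonstration.
    stats = {"hostname": "edge-01", "vector": "DNS amplification", "category": "spoofed",
             "pps": 120000, "mbps": 950, "blocked_count": 37,
             "status": "mitigated", "strategy": "ipset"}
    print(json.dumps(build_payload(stats), indent=2))
    # post_alert("https://discord.com/api/webhooks/<placeholder>", build_payload(stats))
```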
NetDeflect v2.0 can integrate with external security services:
- Send blocked IPs to third-party firewalls or security services
- Multiple sending modes: single, batch, or all IPs at once
- Customizable request formatting
- Support for various authentication methods
Example configuration:

```ini
[external_firewall]
enable_api_integration=True
api_endpoint=https://api.example.com/firewall/block
auth_method=bearer
auth_token=your_api_token_here
sending_mode=batch
max_ips_per_batch=10
```
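To show what those settings mean in practice, here is a Python example added for this page (not NetDeflect's own code) that parses the section above, applies the three sending modes and the three authentication methods, and assembles the HTTP requests without transmitting them. The JSON body layout, the `auth_user`/`auth_password`/`auth_header_name` keys and the default `X-API-Key` header name are assumptions; the contract of a real service belongs to whatever `api_endpoint` points at.

```python
"""Assemble external-firewall API requests from [external_firewall] settings.

Added example, not NetDeflect's own code. The request body layout, the
auth_user / auth_password / auth_header_name keys and the X-API-Key default
are assumptions made for this illustration.
"""
import base64
import configparser
import json
import urllib.request

# Constructed settings mirroring the page's example section (token is a placeholder).
SETTINGS_INI = """
[external_firewall]
enable_api_integration=True
api_endpoint=https://api.example.com/firewall/block
auth_method=bearer
auth_token=your_api_token_here
sending_mode=batch
max_ips_per_batch=10
"""


def load_settings(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp["external_firewall"]


def auth_headers(cfg):
    """Map auth_method to the HTTP header the service expects."""
    method = cfg.get("auth_method", "none")
    if method == "bearer":
        return {"Authorization": f"Bearer {cfg['auth_token']}"}
    if method == "basic":
        raw = f"{cfg['auth_user']}:{cfg['auth_password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if method == "header":
        return {cfg.get("auth_header_name", "X-API-Key"): cfg["auth_token"]}
    return {}


def split_ips(ips, cfg):
    """single: one request per IP; batch: chunks of max_ips_per_batch; all: one request."""
    mode = cfg.get("sending_mode", "single")
    if mode == "single":
        return [[ip] for ip in ips]
    if mode == "batch":
        size = cfg.getint("max_ips_per_batch", 10)
        return [list(ips[i:i + size]) for i in range(0, len(ips), size)]
    return [list(ips)]


def build_requests(ips, cfg):
    """Return one urllib Request per chunk, built but not sent."""
    if not cfg.getboolean("enable_api_integration", False):
        return []
    headers = {"Content-Type": "application/json", **auth_headers(cfg)}
    requests_out = []
    for chunk in split_ips(ips, cfg):
        body = json.dumps({"action": "block", "ips": chunk}).encode()
        requests_out.append(urllib.request.Request(
            cfg["api_endpoint"], data=body, headers=headers, method="POST"))
    return requests_out


def decode_body(req):
    """Parsed JSON body of a built request (handy for inspection and tests)."""
    return json.loads(req.data)


def send(req, timeout=10):
    """Transmit one request; only called from main so importing stays offline."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    cfg = load_settings(SETTINGS_INI)
    blocked = [f"203.0.113.{i}" for i in range(1, 24)]   # constructed IPs (TEST-NET-3)
    for req in build_requests(blocked, cfg):
        print(req.get_method(), req.full_url, decode_body(req)["ips"])
```

With 23 blocked IPs and `max_ips_per_batch=10`, batch mode produces three POSTs (10, 10 and 3 addresses); `single` would produce 23 and `all` one. Keep the token out of version control and limit it to block-only permissions on the remote service, since the tool submits addresses automatically.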
The new pattern detection system automatically:
- Analyzes traffic patterns during attacks
- Identifies common hex patterns across multiple sources
- Creates and saves new attack signatures
- Optionally blocks IPs using these new patterns
This enables NetDeflect to learn and adapt to new attacks without manual intervention.
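As an added illustration of the "common hex patterns across multiple sources" step (this is example code written for this page, not NetDeflect's implementation), the Python below seeds on short byte-aligned windows shared by several source IPs, grows the most widely shared one as far as every source still carries it, and emits a signature entry plus the set of IPs that `block_autodetected_patterns` would act on. The seed-and-extend search, the entry layout written to `new_detected_methods.json` and the sample payloads are assumptions.

```python
"""Toy version of automatic hex-pattern discovery across attack sources.

Added example, not NetDeflect's own code. The seed-and-extend search,
the method-entry layout and the sample payloads are assumptions.
"""
import json
from collections import defaultdict

# Constructed samples: (source IP, payload as hex). Four sources share a
# 14-byte header followed by varying bytes; the last one is unrelated traffic.
SAMPLES = [
    ("198.51.100.1", "ffffffff67657473746174757300" + "0a1b"),
    ("198.51.100.2", "ffffffff67657473746174757300" + "2c3d4e"),
    ("198.51.100.3", "ffffffff67657473746174757300"),
    ("198.51.100.4", "ffffffff67657473746174757300" + "ff00"),
    ("192.0.2.9",    "1122334455667788"),
]


def _carries(payloads, pattern):
    return any(pattern in h for h in payloads)


def discover_pattern(samples, min_sources=3, seed_bytes=4):
    """Longest hex string shared by at least min_sources distinct IPs, or None.

    Step 1: for every byte-aligned window of seed_bytes, record which IPs carry it.
    Step 2: take the most widely shared window and extend it one byte at a time
    while every one of those IPs still carries the longer string.
    """
    by_ip = defaultdict(list)
    for ip, hexstr in samples:
        by_ip[ip].append(hexstr.lower())

    width = seed_bytes * 2                      # two hex digits per byte
    seeds = defaultdict(set)
    for ip, payloads in by_ip.items():
        for h in payloads:
            for i in range(0, len(h) - width + 1, 2):
                seeds[h[i:i + width]].add(ip)
    if not seeds:
        return None
    pattern, sources = max(seeds.items(), key=lambda kv: len(kv[1]))
    if len(sources) < min_sources:
        return None

    while True:
        longer = set()
        for ip in sources:
            for h in by_ip[ip]:
                idx = h.find(pattern)
                if idx != -1 and idx + len(pattern) + 2 <= len(h):
                    longer.add(h[idx:idx + len(pattern) + 2])
        keep = sorted(c for c in longer if all(_carries(by_ip[ip], c) for ip in sources))
        if not keep:
            break                               # no extension is shared by all sources
        pattern = keep[0]
    return {"hex_pattern": pattern, "sources": sorted(sources)}


def ips_matching(samples, hex_pattern):
    """IPs that would be blocked if block_autodetected_patterns were enabled."""
    return {ip for ip, h in samples if hex_pattern in h.lower()}


def method_entry(name, found):
    """Signature entry in the (assumed) layout appended to new_detected_methods.json."""
    return {"name": name, "hex_pattern": found["hex_pattern"],
            "source_count": len(found["sources"]), "auto_detected": True}


if __name__ == "__main__":
    found = discover_pattern(SAMPLES)
    print(json.dumps(method_entry("auto-udp-1", found), indent=2))
    print("would block:", sorted(ips_matching(SAMPLES, found["hex_pattern"])))
```

The `min_sources` floor matters: a pattern seen from a single address is just that host's traffic, not an attack signature, and a floor that is too low is how legitimate protocol headers end up in the auto-detected list. Review `new_detected_methods.json` after an incident for the same reason the page recommends pruning `methods.json`.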
Make sure to remove the services you use from methods.json, such as removing specific TCP flags or removing HTTP/1 reflection if you run a webserver.
If you do encounter any issues, debug has been left on, open an issue with as much info as you can.
If you have any suggestions, please feel free to open an issue!
Remove all IPs from the blackhole with the script below:

```bash
#!/bin/bash
# Remove all blackholed IP routes
echo "Removing all blackhole routes..."
ip route show | grep blackhole | awk '{print $2}' | while read ip; do
    echo "Removing blackhole for $ip"
    sudo ip route del blackhole "$ip"
done
echo "Done."
```
Security: DDoS protection, network security, intrusion detection, attack mitigation, ddos mitigation, traffic analysis
Technologies: Python, iptables, blackhole routing, tcpdump, tshark, ipset, ufw
Attack Types: reflection attacks, amplification attacks, SYN floods, UDP floods, TCP abuse
Features: real-time monitoring, auto-detection, pattern recognition, Discord webhooks, API integration