GitPedia

NetDeflect

Easy to use DDoS mitigation with real-time traffic analysis, automatic attack pattern detection, IP blocking via iptables/blackhole routing, and Discord alerts. Detects and mitigates network floods, reflection attacks, and protocol abuse.

From 0vmยทUpdated June 12, 2026ยทView on GitHubยท

**NetDeflect** is an advanced DDoS mitigation and detection tool for Linux-based systems. It captures, analyzes, and classifies traffic in real-time, blocks malicious IPs based on attack signatures, provides live metrics, and sends Discord webhook alerts to keep you informed of any attacks. The project is written primarily in Python, first published in 2025. Key topics include: anti-ddos, auto-detection, cybersecurity, ddos, ddos-attack.

Latest release: v2.0โ€” NetDeflect v2.0
April 9, 2025View Changelog โ†’

NetDeflect DDoS Mitigation v2.0

NetDeflect is an advanced DDoS mitigation and detection tool for Linux-based systems. It captures, analyzes, and classifies traffic in real-time, blocks malicious IPs based on attack signatures, provides live metrics, and sends Discord webhook alerts to keep you informed of any attacks.

๐Ÿ“ฝ๏ธ Demo

quickdemo

<details> <summary>Demo Video</summary>

https://github.com/user-attachments/assets/2fb581f6-7f8b-4200-8feb-82b43949c464

</details> <details> <summary>Unknown Attack Detection</summary>

https://github.com/user-attachments/assets/7f1beb7a-cab0-4565-b881-c19d3e40dd83

</details>

โœจ Features

  • ๐Ÿ“Š Live Network Monitoring: Real-time PPS, MB/s, and CPU tracking.
  • ๐Ÿšจ Intelligent Detection: Identifies DDoS attacks using known protocol signatures, flags, and automatically detects new attack patterns.
  • ๐Ÿ”ฅ Comprehensive Mitigation: Blocks offending IPs using iptables, ipset, ufw, or blackhole routing.
  • ๐Ÿ” Advanced Traffic Analysis: Uses tcpdump and tshark to capture and inspect attack patterns with automatic pattern detection.
  • ๐Ÿ“ Organized Reports: Stores pcap captures and detailed analysis logs for every incident.
  • ๐Ÿ“ก Discord Webhook Integration: Sends detailed alerts with attack stats, mitigation results, and summaries.
  • ๐Ÿ”„ Self-Updating: Notifies you when a new version is available on GitHub.
  • ๐ŸŒ External API Integration: Connect to external firewall services and security tools via configurable API endpoints.
  • ๐Ÿง  Auto-Pattern Detection: Identifies and learns new attack patterns automatically.

๐Ÿ›  Requirements

  • Linux (Debian-based preferred)
  • Python 3
  • Packages: tcpdump, tshark
  • Firewall: iptables, ipset (optional)
  • PIP packages: psutil, requests

๐Ÿš€ Installation

(as root)

Ideally in a screen or tmux session:

bash
apt install tcpdump tshark -y

git clone https://github.com/0vm/NetDeflect
cd NetDeflect

pip install psutil requests

python3 netdeflect.py

On first use, you will need to run netdeflect.py several times to complete setup.

For CentOS 7 please check: https://github.com/0vm/NetDeflect/issues/10

โš™๏ธ Configuration

On first run, a settings.ini file and a notification_template.json will be created with defaults.

Your Discord webhook should be added to the settings.ini file.

The notification_template.json defines the Discord embed layout and can be fully customized.

New Configuration Options in v2.0:

  • Advanced Mitigation Settings:

    • enable_fallback_blocking: Control whether to block IPs when no specific attack signature is identified.
    • block_other_attack_contributors: Block top traffic contributors for unclassified attack types.
    • enable_pattern_detection: Automatically detect and identify common attack patterns.
    • block_autodetected_patterns: Choose whether to block IPs using newly detected patterns.
    • contributor_threshold: Minimum traffic percentage to consider an IP as malicious.
    • max_pcap_files: Control how many PCAP files to retain for historical analysis.

  • External Firewall API Integration:

    • Connect to external security services with comprehensive configuration options.
    • Multiple authentication methods: bearer token, basic auth, header-based.
    • Flexible request formatting with customizable templates.
    • Batch processing options for efficient IP submission.

๐Ÿง  Attack Detection Methodology

NetDeflect v2.0 uses a multi-layered approach to detect attacks:

  1. Signature-based Detection: Matches traffic against known attack patterns.
  2. Volume-based Detection: Monitors traffic thresholds (PPS, MB/s).
  3. Automatic Pattern Discovery: Identifies new attack patterns by analyzing traffic behavior.
  4. Contributor Analysis: Identifies IPs contributing abnormally high traffic volumes.

Attack signatures are categorized into three types:

  • Spoofed IP Attacks: Reflection and amplification attacks with spoofed source IPs.
  • Valid IP Attacks: Direct attacks where the source IP is legitimate.
  • Other Attacks: Specialized attack types that require custom handling.

๐Ÿ“ฆ Output Structure

netdeflect.py
settings.ini
notification_template.json
methods.json
./application_data/
โ”œโ”€โ”€ captures/           โ† Raw .pcap traffic captures
โ”œโ”€โ”€ ips/                โ† IPs identified during attacks
โ”œโ”€โ”€ attack_analysis/    โ† Detailed reports of each attack
โ”œโ”€โ”€ new_detected_methods.json  โ† Auto-detected attack patterns

๐Ÿ“ข Notification Example

Sends alerts to Discord with enhanced information:

  • PPS & Mbps before mitigation
  • Blocked IP count
  • Attack vector and category
  • Mitigation status
  • Blocking strategy used

{DiscordExample}

๐Ÿ”— External API Integration

NetDeflect v2.0 can integrate with external security services:

  • Send blocked IPs to third-party firewalls or security services
  • Multiple sending modes: single, batch, or all IPs at once
  • Customizable request formatting
  • Support for various authentication methods

Example configuration:

ini
[external_firewall]
enable_api_integration=True
api_endpoint=https://api.example.com/firewall/block
auth_method=bearer
auth_token=your_api_token_here
sending_mode=batch
max_ips_per_batch=10

๐Ÿ” Auto-Pattern Detection

The new pattern detection system automatically:

  1. Analyzes traffic patterns during attacks
  2. Identifies common hex patterns across multiple sources
  3. Creates and saves new attack signatures
  4. Optionally blocks IPs using these new patterns

This enables NetDeflect to learn and adapt to new attacks without manual intervention.

NOTE

Make sure to remove the services you use from methods.json, such as removing specific TCP flags or removing HTTP/1 reflection if you run a webserver.

If you do encounter any issues, debug has been left on, open an issue with as much info as you can.

If you have any suggestions, please feel free to open an issue!

Blackhole removal

Remove all IP's from blackhole with the the script below:

bash
#!/bin/bash
# Remove all blackholed IP routes
echo "Removing all blackhole routes..."

ip route show | grep blackhole | awk '{print $2}' | while read ip; do
    echo "Removing blackhole for $ip"
    sudo ip route del blackhole "$ip"
done

echo "Done."

Tags for SEO

Security: DDoS protection, network security, intrusion detection, attack mitigation, ddos mitigation, traffic analysis

Technologies: Python, iptables, blackhole routing, tcpdump, tshark, ipset, ufw

Attack Types: reflection attacks, amplification attacks, SYN floods, UDP floods, TCP abuse

Features: real-time monitoring, auto-detection, pattern recognition, Discord webhooks, API integration

Contributors

Showing top 1 contributor by commit count.

0vm

0vm

36 commits

View all contributors on GitHub โ†’

This article is auto-generated from 0vm/NetDeflect via the GitHub API.Last fetched: 6/25/2026