ZeroFlood Documentation
Production-grade DDoS mitigation & IDS monitoring system.
⚡ Real-Time Capture
Uses raw libpcap to intercept traffic instantly before it hits the application layer, tracking PPS, bandwidth, and protocol distributions.
🛡️ IPv4 & IPv6 Mitigation
Dynamically blocks malicious actors across both IP stacks using iptables and ip6tables on the INPUT and FORWARD chains.
🚀 Setup & Clone
ZeroFlood requires root privileges (sudo) to attach to network interfaces and manipulate the system firewall safely.
1. Clone the Repository
git clone https://github.com/0xStr1k3r/ZeroFlood.git
cd ZeroFlood
2. Run the Setup Script
This will install `libpcap-dev` and securely build the Go binaries. It will also interactively prompt you to install an optional IDS (Suricata or Snort) for deep packet inspection.
chmod +x setup.sh
./setup.sh
3. Start ZeroFlood (Requires Sudo)
You MUST run the start script with sudo so that ZeroFlood can inject firewall rules and capture raw packets.
chmod +x start.sh
sudo ./start.sh
Once running, your Pro Dashboard will be available at http://localhost:3000.
📊 The Pro Dashboard
The Overview interface acts as a unified Security Operations Center (SOC).
System Threat Level
A dynamic gauge continuously analyzes your alert queue and packet metrics. It automatically shifts between SAFE, ELEVATED, and CRITICAL states depending on anomalous spikes.
Protocol Breakdown
Visualizes your network composition in real-time, tracking TCP, UDP, and ICMP ratios using dynamic progression bars to easily spot protocol floods.
🦅 Suricata / Snort IDS Integration
ZeroFlood natively bridges with Suricata or Snort to provide deep packet inspection capabilities alongside volumetric DDoS defense.
How It Works
When you click "Enable Snort" from the GUI, ZeroFlood physically spawns the Suricata daemon (suricata -D) on your live interface and tails the eve.json log securely.
Smart Deduplication
Alerts from the exact same IP and rule are aggregated to prevent UI spam, allowing you to focus on the actual threats.
🚫 Auto-Mitigation Engine
The Auto-Block feature is OFF by Default to prevent accidental lockouts.
Enabling Auto-Block
Toggle Auto-Block via the Alerts tab. When enabled, any IP flagged with a "High" or "Critical" severity (from either volumetric detectors or Suricata IDS) is instantly firewalled.
Block Persistence
Blocked traffic is completely dropped at the kernel level (INPUT/FORWARD chains), meaning even Docker containers and bridged VMs are protected. ZeroFlood will quietly drop further alerts from blocked IPs to keep your dashboard clean.
🔧 Troubleshooting
Exit Status 128 (Git Error)
If you see error obtaining VCS status: exit status 128, ensure you are using the latest setup.sh which automatically bypasses VCS stamping when building as root.
No Traffic Showing
Verify your interface. ZeroFlood auto-detects the interface bound to your default route (e.g. wlan0 or eth0). If it picks the wrong one, force it via:
sudo ./start.sh eth0