Version 2.0

ZeroFlood Documentation

Production-grade DDoS mitigation & IDS monitoring system.

⚡ Real-Time Capture

Uses raw libpcap to intercept traffic instantly before it hits the application layer, tracking PPS, bandwidth, and protocol distributions.

🛡️ IPv4 & IPv6 Mitigation

Dynamically blocks malicious actors across both IP stacks using iptables and ip6tables on the INPUT and FORWARD chains.

🚀 Setup & Clone

ZeroFlood requires root privileges (sudo) to attach to network interfaces and manipulate the system firewall safely.

1. Clone the Repository

git clone https://github.com/0xStr1k3r/ZeroFlood.git
cd ZeroFlood

2. Run the Setup Script

This will install `libpcap-dev` and securely build the Go binaries. It will also interactively prompt you to install an optional IDS (Suricata or Snort) for deep packet inspection.

chmod +x setup.sh
./setup.sh

3. Start ZeroFlood (Requires Sudo)

You MUST run the start script with sudo so that ZeroFlood can inject firewall rules and capture raw packets.

chmod +x start.sh
sudo ./start.sh

Once running, your Pro Dashboard will be available at http://localhost:3000.

📊 The Pro Dashboard

The Overview interface acts as a unified Security Operations Center (SOC).

System Threat Level

A dynamic gauge continuously analyzes your alert queue and packet metrics. It automatically shifts between SAFE, ELEVATED, and CRITICAL states depending on anomalous spikes.

Protocol Breakdown

Visualizes your network composition in real-time, tracking TCP, UDP, and ICMP ratios using dynamic progression bars to easily spot protocol floods.

🦅 Suricata / Snort IDS Integration

ZeroFlood natively bridges with Suricata or Snort to provide deep packet inspection capabilities alongside volumetric DDoS defense.

How It Works

When you click "Enable Snort" from the GUI, ZeroFlood physically spawns the Suricata daemon (suricata -D) on your live interface and tails the eve.json log securely.

Smart Deduplication

Alerts from the exact same IP and rule are aggregated to prevent UI spam, allowing you to focus on the actual threats.

🚫 Auto-Mitigation Engine

The Auto-Block feature is OFF by Default to prevent accidental lockouts.

Enabling Auto-Block

Toggle Auto-Block via the Alerts tab. When enabled, any IP flagged with a "High" or "Critical" severity (from either volumetric detectors or Suricata IDS) is instantly firewalled.

Block Persistence

Blocked traffic is completely dropped at the kernel level (INPUT/FORWARD chains), meaning even Docker containers and bridged VMs are protected. ZeroFlood will quietly drop further alerts from blocked IPs to keep your dashboard clean.

🔧 Troubleshooting

Exit Status 128 (Git Error)

If you see error obtaining VCS status: exit status 128, ensure you are using the latest setup.sh which automatically bypasses VCS stamping when building as root.

No Traffic Showing

Verify your interface. ZeroFlood auto-detects the interface bound to your default route (e.g. wlan0 or eth0). If it picks the wrong one, force it via:

sudo ./start.sh eth0