A comprehensive, enterprise-grade DDoS protection platform designed for Internet Service Providers (ISPs)
Real-time traffic monitoring • Anomaly detection • Automated mitigation • Beautiful web dashboard
- AI Agents: Read This First
- Features
- Screenshots
- Requirements
- Quick Start
- Router Integration
- API Documentation
- Architecture
- Technology Stack
- Security
- Monitoring
- Testing
- Documentation
- Comparison with FastNetMon
- Contributing
- License
- Support
- NetFlow/sFlow/IPFIX Support: Collect traffic data from MikroTik, Cisco, and Juniper routers
- PCAP Capture: Record packets with standard PCAP format for analysis
- AF_PACKET/AF_XDP: High-performance packet capture for Linux systems
- VLAN Untagging: Automatic removal of 802.1Q and 802.1ad VLAN tags
- Real-time Anomaly Detection: Detect SYN floods, UDP floods, and other attack patterns
- Attack Fingerprinting: Automatically capture attack traffic in PCAP format
- Entropy Analysis: Identify distributed attacks using statistical analysis
- Redis Integration: Fast real-time counters and event streaming
- Hostgroups: Configure per-subnet thresholds for packets/bytes/flows per second
- Longest Prefix Match: Hierarchical subnet configuration with most specific match
- Default Thresholds: System-wide defaults for networks without specific configuration
- Script Execution: Trigger custom block/notify scripts when thresholds exceeded
- Dynamic Configuration: Update thresholds without service restart
- Automated Firewall Rules: Support for iptables/nftables
- MikroTik API Integration: Direct router control for rule deployment
- BGP Blackholing (RTBH): Announce blackhole routes for attack traffic (supports ExaBGP, FRR, BIRD)
- FlowSpec Support: Send FlowSpec announcements to BGP routers
- Custom Rule Engine: Define rate limits, IP blocks, protocol filters, and geo-blocking
- React 18 UI: Modern, responsive enterprise-grade web interface
- Dark Navbar: Sticky dark navy navigation with active-link highlighting and emoji icons
- KPI Stat Cards: Colour-coded metric cards with trend indicators and contextual icons
- Real-time Charts: Live traffic visualization and attack patterns
- Rule Management: Easy-to-use interface for adding/removing rules
- Alert Dashboard: Severity-coded (critical/high/medium/low) alert feed with one-click mitigate/resolve
- System Status Panel: Per-service health indicators on the dashboard
- Settings Panel: Configure thresholds, notifications, and API keys
- Multi-tenant Architecture: Isolated dashboards and rule sets per ISP
- Role-based Access Control: Admin, operator, and viewer roles
- Subscription Management: Support for paid service tiers
- Payment Integration: Stripe, PayPal, and other payment gateways
- Monthly Reports: Generate PDF/CSV reports for customers
- Prometheus Integration: Comprehensive metrics collection
- Grafana Dashboards: Advanced visualization
- Multi-channel Alerts: Email, SMS, and Telegram notifications
- Live Attack Maps: Visualize attacks in real-time
- Mitigation Status: Track active and historical mitigations
The screenshots below show the redesigned enterprise-grade UI (dark navbar, colour-coded severity badges, KPI stat cards, and real-time status indicators).
Real-time KPI cards with colour-coded status indicators, alert severity breakdown, quick-action shortcuts, and live system health panel
Colour-coded severity badges (critical/high/medium/low), per-alert mitigation and resolve actions, live feed of active threats
Protocol distribution bar-chart, live traffic log with anomaly flags, and per-flow bytes/packet counters
- Docker and Docker Compose
- PostgreSQL 15+
- Redis 7+
- Python 3.11+
- Node.js 18+
git clone https://github.com/i4edubd/ddos-potection.git
cd ddos-potection

Create a .env file in the backend directory:
# Database
DATABASE_URL=postgresql://ddos_user:ddos_pass@postgres:5432/ddos_platform
# Redis
REDIS_HOST=redis
REDIS_PORT=6379
# Security
SECRET_KEY=your-secret-key-change-in-production
ACCESS_TOKEN_EXPIRE_MINUTES=30
# Detection Thresholds
SYN_FLOOD_THRESHOLD=10000
UDP_FLOOD_THRESHOLD=50000
ENTROPY_THRESHOLD=3.5
# Alerts
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-password
TELEGRAM_BOT_TOKEN=your-bot-token

docker-compose up -d

This will start:
- PostgreSQL database (port 5432)
- Redis (port 6379)
- Backend API (port 8000)
- Traffic Collector (ports 2055/UDP, 6343/UDP, 4739/UDP)
- Anomaly Detector
- Frontend Dashboard (port 3000)
- Prometheus (port 9090)
- Grafana (port 3001)
- Dashboard: http://localhost:3000
- API Documentation: http://localhost:8000/docs
- Grafana: http://localhost:3001 (admin/admin)
- Prometheus: http://localhost:9090
Use the API to register:
curl -X POST http://localhost:8000/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{
"username": "admin",
"email": "admin@yourisp.com",
"password": "YourSecurePassword123!",
"isp_name": "Your ISP Name",
"role": "admin"
}'

Then log in at http://localhost:3000 with your credentials.
# Using the provided script
python scripts/mikrotik_integration.py 192.168.1.1 admin password <collector-ip> 2055

Or configure manually:
/ip traffic-flow
set enabled=yes interfaces=all
/ip traffic-flow target
add address=<collector-ip>:2055 version=9
# Generate configuration
bash scripts/cisco_netflow.sh 192.168.1.1 <collector-ip> 2055
# Generate configuration
bash scripts/juniper_sflow.sh 192.168.1.1 <collector-ip> 6343

The platform provides a RESTful API for programmatic access:
# Login
curl -X POST http://localhost:8000/api/v1/auth/token \
-d "username=admin&password=password"
# Get current user
curl -X GET http://localhost:8000/api/v1/auth/me \
-H "Authorization: Bearer <token>"
# Get real-time traffic stats
curl -X GET http://localhost:8000/api/v1/traffic/realtime \
-H "Authorization: Bearer <token>"
# Get protocol distribution
curl -X GET http://localhost:8000/api/v1/traffic/protocols \
-H "Authorization: Bearer <token>"
# Create a rule
curl -X POST http://localhost:8000/api/v1/rules/ \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Block malicious IP",
"rule_type": "ip_block",
"condition": {"ip": "1.2.3.4"},
"action": "block",
"priority": 100
}'
# List rules
curl -X GET http://localhost:8000/api/v1/rules/ \
-H "Authorization: Bearer <token>"
# List active alerts (URL quoted so the shell does not treat ? as a glob character)
curl -X GET "http://localhost:8000/api/v1/alerts/?status=active" \
-H "Authorization: Bearer <token>"
# Resolve an alert
curl -X POST http://localhost:8000/api/v1/alerts/1/resolve \
-H "Authorization: Bearer <token>"
# Start PCAP capture
curl -X POST http://localhost:8000/api/v1/capture/start \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"interface": "eth0",
"capture_mode": "af_packet",
"duration": 60,
"filter_bpf": "tcp and port 80"
}'
# List captures
curl -X GET http://localhost:8000/api/v1/capture/list \
-H "Authorization: Bearer <token>"
# Download PCAP file
curl -X GET http://localhost:8000/api/v1/capture/download/capture_20260201_123456.pcap \
-H "Authorization: Bearer <token>" \
-o capture.pcap
# Create hostgroup
curl -X POST http://localhost:8000/api/v1/hostgroups/ \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "customer_network_1",
"subnet": "192.168.1.0/24",
"thresholds": {
"packets_per_second": 10000,
"bytes_per_second": 100000000,
"flows_per_second": 1000
},
"scripts": {
"block": "/etc/ddos-protection/scripts/block.sh",
"notify": "/etc/ddos-protection/scripts/notify.sh"
}
}'
# List hostgroups
curl -X GET http://localhost:8000/api/v1/hostgroups/ \
-H "Authorization: Bearer <token>"
# Check IP thresholds
curl -X POST http://localhost:8000/api/v1/hostgroups/check-ip \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"ip": "192.168.1.50"}'
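
The hostgroup features listed earlier (longest prefix match, system-wide default thresholds) applied to the hostgroup JSON shape used in the calls above. This is an added sketch, not the project's own code: the `customer_1_dns` and `backbone` groups, the default values, and the per-key fallback to defaults are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data; only customer_network_1 appears on the page.
DEFAULT_THRESHOLDS = {  # assumed system-wide defaults
    "packets_per_second": 50000,
    "bytes_per_second": 500000000,
    "flows_per_second": 5000,
}
HOSTGROUPS = [
    {"name": "customer_network_1", "subnet": "192.168.1.0/24",
     "thresholds": {"packets_per_second": 10000,
                    "bytes_per_second": 100000000,
                    "flows_per_second": 1000}},
    {"name": "customer_1_dns", "subnet": "192.168.1.48/29",
     "thresholds": {"packets_per_second": 2000}},
    {"name": "backbone", "subnet": "192.168.0.0/16",
     "thresholds": {"packets_per_second": 30000}},
]


def build_index(hostgroups):
    """Parse each subnet once; sort most specific first so the first hit wins."""
    # strict=True rejects subnets with host bits set (e.g. 192.168.1.50/24).
    parsed = [(ipaddress.ip_network(g["subnet"], strict=True), g)
              for g in hostgroups]
    return sorted(parsed, key=lambda item: item[0].prefixlen, reverse=True)


def resolve_thresholds(index, ip, defaults=DEFAULT_THRESHOLDS):
    """Return (hostgroup name or None, effective thresholds) for one address."""
    addr = ipaddress.ip_address(ip)
    for net, group in index:
        if addr.version == net.version and addr in net:
            # Assumption: keys a hostgroup omits fall back to the defaults.
            return group["name"], {**defaults, **group.get("thresholds", {})}
    return None, dict(defaults)


def exceeded(index, ip, observed):
    """Name the counters in `observed` that are above the limits for `ip`."""
    name, limits = resolve_thresholds(index, ip)
    over = sorted(k for k, v in observed.items()
                  if k in limits and v > limits[k])
    return name, over
```

The same 2,500 packets per second is over the limit for an address in the /29 and under it for a neighbour in the enclosing /24, which is why the most specific match has to be resolved before any threshold comparison.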
+-------------------------------------------------------------+
|                      Frontend (React)                       |
|                    http://localhost:3000                    |
+------------------------------+------------------------------+
                               |
+------------------------------v------------------------------+
|                    Backend API (FastAPI)                    |
|                    http://localhost:8000                    |
+----------+---------------+---------------+------------------+
           |               |               |
    +------v-----+    +----v-----+    +----v------+
    | PostgreSQL |    |  Redis   |    | Services  |
    |  Database  |    |  Cache   |    | (Workers) |
    +------------+    +----------+    +----+------+
                                           |
                            +--------------+--------------+
                            |              |              |
                      +-----v-----+   +----v-----+  +-----v------+
                      |  Traffic  |   | Anomaly  |  | Mitigation |
                      | Collector |   | Detector |  |  Service   |
                      +-----+-----+   +----------+  +-----+------+
                            |                             |
             +--------------+--------------+              |
             |              |              |              |
        +----v-----+   +----v-----+   +----v-----+   +----v-----+
        | MikroTik |   |  Cisco   |   | Juniper  |   |   BGP    |
        |  Router  |   |  Router  |   |  Router  |   |  Peers   |
        +----------+   +----------+   +----------+   +----------+
- FastAPI - High-performance Python web framework
- PostgreSQL 15 - Primary data storage
- Redis 7 - Real-time caching and pub/sub
- SQLAlchemy - ORM for database operations
- Pydantic - Data validation and settings
- Celery - Distributed task queue (optional)
- React 18 - Modern UI framework
- Chart.js - Beautiful data visualization
- Axios - HTTP client
- React Router - Navigation
- CSS3 - Responsive styling
- Docker & Docker Compose - Containerization
- Prometheus - Metrics collection
- Grafana - Monitoring dashboards
- Kubernetes - Production orchestration (optional)
- GitHub Actions - CI/CD pipeline
- NetFlow v9/v10 - Cisco traffic export
- sFlow - Real-time traffic sampling
- IPFIX - IP Flow Information Export
- BGP/ExaBGP - Route advertisements for mitigation
- TLS/SSL: All communications encrypted
- JWT Authentication: Secure token-based auth
- Role-based Access: Fine-grained permissions
- API Key Management: Secure router integration
- Password Hashing: bcrypt for password storage
- Input Validation: Pydantic models for data validation
The platform includes comprehensive monitoring and alerting capabilities:
- Traffic metrics: packets/sec, bytes/sec, flow counts by protocol
- Alert metrics: active alerts, severity distribution, resolution rates
- Mitigation metrics: active mitigations, success rates, duration histograms
- Attack detection: attack types, volumes, targets
- System health: database, Redis, API status
- DDoS Overview: Real-time operational dashboard with traffic stats and alerts
- Attack Analysis: Detailed attack visualization with geographic data
- Mitigation Status: Track active and historical mitigations with success metrics
- System Health: Monitor database connections, API performance, and resource usage
- Email notifications: HTML-formatted alerts with severity color coding
- SMS alerts: Twilio-based SMS for critical incidents (concise format)
- Telegram notifications: Rich formatted messages with emoji indicators
- Configurable per ISP with channel preferences
- Real-time visualization: WebSocket-based attack streaming
- Geographic mapping: Source and target IP geolocation
- Attack heatmaps: Aggregate attack data by region and time
- Statistics dashboard: Attack counts, types, and targets
# Prometheus metrics
GET /metrics
# Live attack data
GET /api/v1/attack-map/live-attacks
GET /api/v1/attack-map/attack-heatmap
GET /api/v1/attack-map/attack-statistics
WS /api/v1/attack-map/ws/live-attacks
# Mitigation status
GET /api/v1/mitigation/status/active
GET /api/v1/mitigation/status/history
GET /api/v1/mitigation/status/analytics

For detailed monitoring setup and configuration, see Monitoring Guide.
# Backend tests
cd backend
pytest
# Frontend tests
cd frontend
npm test

Wondering how we compare to commercial solutions like FastNetMon Advanced? We've got you covered!
Our platform offers a modern, open-source alternative to commercial DDoS protection solutions. Here's a quick comparison:
| Feature | Our Platform | FastNetMon Advanced |
|---|---|---|
| License | Open Source (MIT) | Commercial |
| Cost | Free | Paid License |
| Multi-tenancy | Full ISP support | Limited |
| Modern UI | React Dashboard | Web UI |
| Customization | Unlimited | Limited |
| Scale | Up to 100Gbps+ | Up to 5Tbps |
Key Advantages:
- Zero licensing costs - No expensive commercial licenses
- Full source code access - Customize anything you need
- Built-in multi-tenancy - Perfect for ISP service offerings
- Modern tech stack - React, FastAPI, PostgreSQL, Redis
- Docker-first - Deploy in minutes with Docker Compose
- Payment integration - Stripe/PayPal for subscription billing
When to choose us:
- You want an open-source solution with no licensing fees
- You need full customization capabilities
- You're building a multi-tenant ISP DDoS protection service
- Your network is under 100Gbps
- You prefer modern web technologies and DevOps practices
For a detailed feature-by-feature comparison, migration guide, and use case recommendations, see our FastNetMon Comparison Guide.
If you are an AI coding agent (GitHub Copilot, Claude, GPT-4o, Cursor, Aider, or any other AI tool): you must read project-docs/AI_INSTRUCTIONS.md before making any changes to this repository. It contains mandatory rules, style guides, architecture constraints, and the correct technical reference for every area of the codebase.
Instruction files are also present at:
- AGENTS.md: OpenAI Codex / general agents
- CLAUDE.md: Claude (Anthropic)
- .github/copilot-instructions.md: GitHub Copilot
All documentation lives in the project-docs/ folder.
See project-docs/INDEX.md for the full table of contents.
- Project Overview: architecture, tech stack, service ports
- Status Report: current implementation status & known issues
- Roadmap: planned features by phase (Q2 2026 to Q2 2027)
- TODO: open tasks with file references and priorities
- Changelog: version history
- Quick Start Guide: running in under 10 minutes
- Deployment Guide: production deployment
- Development Guide: local dev setup & standards
- Contributing Guidelines
- Traffic Collection Guide: NetFlow/sFlow/IPFIX
- Packet Capture & Thresholds Guide: PCAP, AF_PACKET, AF_XDP, VLAN, hostgroups
- BGP Blackholing (RTBH) Guide: BGP-based mitigation
- FlowSpec Guide: FlowSpec announcements
- Custom Rules Guide: rule engine
- Monitoring & Alerting Guide: Prometheus, Grafana, notifications
- Multi-ISP Setup Guide: multi-tenant configuration
- Security Documentation
- Security Summary: CodeQL analysis results
- FastNetMon Comparison: vs FastNetMon Advanced Edition
Contributions are welcome! Please read our Contributing Guidelines before submitting PRs.
- Fork the repository
- Create your feature branch (git checkout -b feature/AmazingFeature)
- Commit your changes (git commit -m 'Add some AmazingFeature')
- Push to the branch (git push origin feature/AmazingFeature)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
Need help? We're here for you!
- Documentation
- GitHub Issues
- Discussions
- Email: support@ispbills.com
Special thanks to these amazing open-source projects:
- FastAPI - Excellent Python web framework
- React - Modern UI framework
- PostgreSQL - Robust database
- Redis - Fast in-memory data store
- Prometheus & Grafana - Monitoring stack



