
Real-time defensive network tool with integrated packet scanner and GUI for detecting flood attacks, ARP spoofing, and DHCP floods, featuring multi-platform firewall support.


GDEF - Counterflood Software


Network security monitoring tool for Blue Team exercises. Detects and blocks real-time network attacks including DDoS floods, ARP spoofing, and DHCP flooding. Multi-platform support for Windows (Windows Firewall) and Linux (iptables).

Features

  • Real-time attack detection (DDoS, ARP spoofing, DHCP flooding)
  • Multi-platform firewall integration (Windows/Linux)
  • System resource monitoring (CPU, RAM)
  • Attack tool detection and process termination
  • IP geolocation and hostname resolution
  • SQLite database logging
  • Tkinter GUI for IP management
  • Automatic setup launchers

System Requirements

| Component | Windows | Linux |
|---|---|---|
| Operating System | Windows 10/11 or Server | Ubuntu 20.04+, Debian 10+ |
| Python | 3.9 or higher | 3.9 or higher |
| Privileges | Administrator | Root/sudo |
| Firewall | Windows Firewall | iptables |
| Disk Space | ~50 MB | ~50 MB |

Installation

Clone and run the automated launcher:

Windows:

git clone https://github.com/arn-c0de/GDEF-Counterflood-Software.git
cd GDEF-Counterflood-Software
launcher.bat

Linux:

git clone https://github.com/arn-c0de/GDEF-Counterflood-Software.git
cd GDEF-Counterflood-Software
sudo ./launcher.sh

The launcher creates a virtual environment, installs dependencies, and initializes the database.

Architecture

┌─────────────────────────────────────────────────────┐
│     Network Traffic (Live Packet Capture)           │
└────────────────────┬────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────┐
│   Packet Analysis Engine (Scapy)                    │
│   • Flood Detection (>100 pkt/s threshold)          │
│   • ARP Spoofing Detection                          │
│   • DHCP Flood Detection                            │
└────────────────────┬────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────┐
│   SQLite Database (defense_db.sqlite)               │
└────────────┬───────────────────────┬────────────────┘
             │                       │
             ▼                       ▼
┌────────────────────────┐  ┌──────────────────────┐
│   Firewall Manager     │  │   GUI (block_gui.py) │
│   • Windows: netsh     │  │   • IP Management    │
│   • Linux: iptables    │  │   • Geolocation      │
└────────────────────────┘  └──────────────────────┘

Multi-threaded design with four concurrent components:

  1. Packet Sniffing Thread - Network traffic capture and analysis
  2. Resource Monitoring Thread - CPU/RAM tracking
  3. Process Detection Thread - Malicious process identification
  4. Status Display Thread - Console output updates

Project Structure

| File | Purpose |
|---|---|
| gdef-counterflood-software_BLUE.py | Main monitoring application |
| firewall.py | Multi-platform firewall abstraction |
| database.py | SQLite operations and IP resolution |
| block_gui.py | Tkinter GUI for IP management |
| setup.py | Database initialization |
| launcher.bat / launcher.sh | Automated setup |

Configuration

| Parameter | Default | Description |
|---|---|---|
| Flood Threshold | 100 pkt/s | DDoS detection trigger |
| Block Duration | 300 sec | Temporary block time |
| DHCP Threshold | 10 requests | Per MAC address |
| Resource Alert | 90% | CPU/RAM warning level |

Usage

After installation, select from the launcher menu:

  1. Start monitoring tool only
  2. Start GUI only
  3. Start both (recommended)

The GUI displays live suspicious IPs with options to block, ignore, or resolve geolocation data.

Attack Detection

  • Flood Detection: Tracks packet count per source IP over 1-second windows
  • ARP Spoofing: Monitors for duplicate MAC addresses on different IPs
  • DHCP Flooding: Counts DHCP requests per MAC address
  • Process Monitoring: Detects known attack tool executables

Automatic defensive actions:

  • Creates firewall rules via netsh (Windows) or iptables (Linux)
  • Terminates identified attack tool processes
  • Logs all events to SQLite database
  • All rules automatically removed on program exit
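As an added illustration of the detection logic and defaults described in the Configuration and Attack Detection sections (example code written here, not the project's own source): a small detector that applies the 100 pkt/s per-source sliding window, the 10-requests-per-MAC DHCP count and the duplicate-MAC ARP check over constructed packet summaries, and lifts blocks once the 300-second block duration has passed. The `Detector` class, its method names and the `(timestamp, src_ip, src_mac, kind)` summary tuple are assumptions; the real tool works on Scapy packets and hands offending IPs to the firewall manager rather than keeping an in-memory block table.

```python
from collections import defaultdict, deque

# Defaults taken from the README's Configuration table.
FLOOD_THRESHOLD = 100   # packets per second from one source IP
BLOCK_DURATION = 300    # seconds a temporary block stays in place
DHCP_THRESHOLD = 10     # DHCP requests per MAC address


class Detector:
    """Hypothetical stand-in for the sniffing thread (not project code): runs the
    three README checks over summaries (ts, src_ip, src_mac, kind), kind in
    {'ip', 'arp', 'dhcp'}; timestamps are assumed to arrive in order."""
    def __init__(self):
        self.windows = defaultdict(deque)    # src_ip -> timestamps in last second
        self.dhcp_counts = defaultdict(int)  # src_mac -> DHCP requests seen
        self.mac_ips = defaultdict(set)      # src_mac -> IPs it has claimed via ARP
        self.blocked = {}                    # src_ip -> block expiry time
        self.events = []                     # (reason, src_ip) in detection order

    def _block(self, now, ip, reason):
        if ip not in self.blocked:           # one firewall rule per offending IP
            self.events.append((reason, ip))
            self.blocked[ip] = now + BLOCK_DURATION

    def expire_blocks(self, now):
        """Lift blocks older than BLOCK_DURATION; returns the IPs released."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:
            del self.blocked[ip]
        return expired

    def observe(self, ts, src_ip, src_mac, kind):
        self.expire_blocks(ts)
        win = self.windows[src_ip]           # sliding 1-second window per source
        win.append(ts)
        while ts - win[0] >= 1.0:
            win.popleft()
        if len(win) > FLOOD_THRESHOLD:
            self._block(ts, src_ip, "flood")
        if kind == "arp":                    # same MAC seen on different IPs
            self.mac_ips[src_mac].add(src_ip)
            if len(self.mac_ips[src_mac]) > 1:
                self._block(ts, src_ip, "arp_spoof")
        elif kind == "dhcp":                 # too many DHCP requests from one MAC
            self.dhcp_counts[src_mac] += 1
            if self.dhcp_counts[src_mac] > DHCP_THRESHOLD:
                self._block(ts, src_ip, "dhcp_flood")
        return sorted(self.blocked)          # IPs currently under a block rule
```

Feeding 150 summaries from one IP inside a single second, 12 DHCP requests from one MAC, or two ARP summaries with the same MAC and different IPs each produces one block event, and `expire_blocks(ts)` returns those IPs again once `BLOCK_DURATION` seconds have elapsed.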

Legal Notice

For authorized use only:

  • Blue Team training exercises
  • Cybersecurity education and CTF competitions
  • Authorized penetration testing (with written permission)
  • Controlled security research environments

Prohibited:

  • Production networks without explicit authorization
  • Unauthorized network monitoring
  • Privacy violations

THE AUTHOR ASSUMES NO LIABILITY FOR MISUSE, DAMAGES, OR LEGAL CONSEQUENCES.

Dependencies

  • scapy (2.5.0+) - Packet manipulation
  • psutil (5.9.0+) - System monitoring
  • requests (2.31.0+) - HTTP/geolocation
  • colorama (0.4.6+) - Terminal colors
  • WMI (Windows only)

All dependencies are installed automatically via launchers or pip install -r requirements.txt.

Platform Support

| Feature | Windows | Linux |
|---|---|---|
| Packet Capture | Npcap/WinPcap | libpcap |
| Firewall | Windows Firewall (netsh) | iptables |
| Process Monitoring | Yes | Yes |
| IP Geolocation | Yes | Yes |
| GUI Support | Tkinter | Tkinter |
| Admin Requirements | Administrator | Root/sudo |

License

MIT License — see LICENSE file for details.
