Sentinel: Real-Time DDoS Visualization
Inspiration
DDoS attacks are one of the most disruptive threats on the internet, with incidents growing rapidly every year. Yet, the tooling for tracking them is usually reactive (after-the-fact alerts), narrowly scoped, or completely opaque (just numbers ticking up on a dashboard).
We wanted to know what the global attack surface actually looks like right now. We didn't want a boring spreadsheet; we wanted a living map showing where attacks originate, what they are targeting, and the patterns that emerge when you watch it live. That curiosity became Sentinel.
What it does
Sentinel is a real-time global DDoS and network threat visualization platform. It operates in two main modes:
- Live Mode: Ingests live threat data, enriches it, and streams it over WebSockets to a 3D WebGL globe. You watch animated arcs fly from attacker IPs to the nearest Cloudflare Point of Presence, color-coded by attack type (DDoS, botnet, intrusion, etc.).
- Historical Mode: Pulls 24-hour or 7-day windows and runs a multi-pass analytical report. It features spike detection via z-score algorithms, cross-source correlation, and IP persistence scoring to track repeating offenders.
How we built it
The Backend (FastAPI & Python):
A single background task runs the pipeline every 90 seconds. It concurrently fetches data from AbuseIPDB, SANS ISC honeypots, and Cloudflare Radar using asyncio.gather.
- Enrichment: IPs are geolocated using MaxMind GeoLite2 and assigned to the nearest Cloudflare PoP using Haversine distance.
- Scoring: To filter noise, we wrote a custom 6-signal composite scoring engine:
$$score = \min\left(1.0,\ \left(\frac{confidence}{100} + boost_{reports} + boost_{spike}\right) \times mult_{recency} \times mult_{ddos} \times mult_{botnet}\right)$$
Events scoring > 0.70 are broadcast to all connected WebSocket clients and saved to a SQLite time-series database.
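The enrichment and scoring steps above, sketched as an added example (not Sentinel's own code). The PoP table, the `Event` fields, and every boost and multiplier value are assumptions chosen for illustration; only the formula's shape and the 0.70 threshold come from the write-up.

```python
import math
from dataclasses import dataclass

# Constructed sample PoP table (code -> approx. lat, lon); not Cloudflare's real list.
POPS = {"LHR": (51.47, -0.45), "JFK": (40.64, -73.78),
        "NRT": (35.76, 140.39), "GRU": (-23.43, -46.47)}
BROADCAST_THRESHOLD = 0.70  # from the write-up: events scoring > 0.70 are broadcast

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def nearest_pop(lat, lon, pops=POPS):
    """Return the code of the PoP with the smallest Haversine distance."""
    return min(pops, key=lambda code: haversine_km(lat, lon, *pops[code]))

@dataclass
class Event:              # hypothetical normalized event record
    confidence: int       # abuse confidence, 0-100
    reports: int          # number of distinct reports
    in_spike: bool        # flagged by spike detection
    age_minutes: float    # time since last report
    is_ddos: bool
    is_botnet: bool

def composite_score(e: Event) -> float:
    """Composite score in the shape given above; all weights are assumed."""
    boost_reports = min(0.15, 0.01 * e.reports)        # assumed cap and slope
    boost_spike = 0.10 if e.in_spike else 0.0          # assumed
    mult_recency = 1.0 if e.age_minutes <= 60 else 0.8  # assumed decay step
    mult_ddos = 1.2 if e.is_ddos else 1.0              # assumed
    mult_botnet = 1.1 if e.is_botnet else 1.0          # assumed
    raw = (e.confidence / 100 + boost_reports + boost_spike)
    return min(1.0, raw * mult_recency * mult_ddos * mult_botnet)

def should_broadcast(e: Event) -> bool:
    # Strict inequality: an event scoring exactly 0.70 is not broadcast.
    return composite_score(e) > BROADCAST_THRESHOLD
```

Because the multipliers can push the raw value above 1, the `min` clamp is what keeps scores comparable against the fixed threshold.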
The Frontend (Next.js & WebGL):
The UI manages state purely through custom React hooks. For the globe, we used cobe for the WebGL sphere, but layered a custom 2D Canvas directly on top to render the attack arcs. The arcs are computed as great-circle paths using spherical linear interpolation (slerp) and projected perfectly onto the rotating globe at 60fps.
Challenges we ran into
- Aggregating Disparate Data Sources: Pulling threat intelligence from multiple independent sources was a major hurdle. AbuseIPDB, SANS ISC, and Cloudflare Radar all have completely different data schemas, rate limits, and failure modes. For instance, AbuseIPDB strips category metadata from its free tier, making all attacks look identical. We had to build a custom async ingestion pipeline that normalizes the data, uses SANS ISC honeypot data to fill in the missing AbuseIPDB categories, and runs it all through our scoring engine to create a unified data stream.
- Building a Cohesive User Interface: Translating a massive, continuous stream of raw network data into an intuitive and performant UI was incredibly difficult. We had to seamlessly blend a 3D WebGL globe, a custom 2D canvas overlay for the animated arcs, a live scrolling data feed, and real-time statistics panels. Ensuring that a constant barrage of WebSocket updates didn't trigger expensive full-page re-renders required strict state management and aggressive use of React.memo. We had to balance showing a high volume of threat intelligence without overwhelming the user or tanking the browser's framerate.
What we learned
- We learned how to architect a fault-tolerant, multi-source async ingestion pipeline where each API has completely different rate limits and failure modes.
- We learned how to sync a 2D Canvas overlay perfectly with a rotating WebGL globe, translating 3D coordinates to 2D space.
- We proved to ourselves that SQLite is genuinely fast enough to act as a zero-infrastructure time-series database at hackathon scale (~96K rows/day).
Built with
- Languages: Python 3.11, TypeScript
- Frontend: Next.js 14, WebGL, Recharts, Tailwind CSS, Framer Motion
- Backend: FastAPI, asyncio, SQLite, geoip2
- APIs: Cloudflare Radar, AbuseIPDB, SANS ISC/DShield