Basic XDP leverages eBPF technology to provide a lightweight and high-performance anti-DDoS solution for personal cloud instances. With automatic port whitelisting, this tool alleviates the burden of manual firewall management while ensuring fast packet processing at the NIC driver level. Ideal for users seeking efficiency and enhanced security.
Basic XDP
A lightweight and high-performance script for implementing eBPF/XDP-based DDoS protection in Linux environments, specifically designed for personal cloud instances. This project emphasizes automatic port whitelisting, significantly simplifying network management and enhancing security.
Key Features
- Automatic Port Whitelisting: Basic XDP utilizes a daemon to monitor open ports on the system, ensuring that the BPF maps remain in sync without manual intervention.
- Wire-Speed Filtering: Integrates directly with the NIC driver, so packets are processed before they reach the Linux networking stack. This results in dramatically reduced latency compared to traditional firewall methods like iptables or nftables.
- Real-Time Updates: The accompanying daemon watches for active processes and synchronizes the firewall rules on-the-fly, making this tool both efficient and user-friendly.
- Comprehensive Protocol Support: Provides filtering for both TCP and UDP protocols, as well as ICMP and ARP passthrough, ensuring standard tools like ping and DHCP remain functional.
How It Works
Basic XDP hooks into the NIC driver level, processing incoming packets through a streamlined workflow:
- Incoming Packet Handling: Basic XDP filters packets at the NIC driver level, before they reach the kernel networking stack.
- Port Whitelist Management: Active ports are automatically tracked and updated, enhancing security and reducing maintenance overhead.
- Efficient Resource Use: By dropping irrelevant packets at the NIC level, the CPU load is significantly diminished, maintaining system responsiveness even under attack.
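The port whitelist step described above can be sketched as follows. This is an added example, not Basic XDP's own daemon code, whose implementation is not shown on this page; it covers TCP over IPv4 only, and `listening_ports`, `plan_sync`, and the sample socket table are hypothetical names and constructed data.

```python
# Added example (not Basic XDP's code): derive whitelist changes from
# /proc/net/tcp-style text. Assumes IPv4 entries and a little-endian host.
TCP_LISTEN = 0x0A  # "st" column value for a listening TCP socket

# Constructed sample in /proc/net/tcp layout, not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20002
   2: 0F00000A:D4F2 22D8B85D:01BB 01 00000000:00000000 02:000A1B2C 00000000  1000        0 20003
   3: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004
"""


def is_loopback(addr_hex):
    """True for 127.0.0.0/8; the kernel prints the address in host byte order."""
    return bytes.fromhex(addr_hex)[::-1][0] == 127


def listening_ports(proc_text, skip_loopback=True):
    """Return the set of TCP ports in LISTEN state.

    Loopback-only listeners are skipped by default (an assumption of this
    example): they are not reachable through the external NIC anyway.
    """
    ports = set()
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated row
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established/ephemeral sockets must not open a port
        if skip_loopback and is_loopback(addr_hex):
            continue
        ports.add(int(port_hex, 16))
    return ports


def plan_sync(whitelist, listening):
    """Ports to add to and remove from the whitelist, each sorted."""
    return sorted(listening - whitelist), sorted(whitelist - listening)


if __name__ == "__main__":
    to_add, to_remove = plan_sync({22, 8080}, listening_ports(SAMPLE_PROC_NET_TCP))
    print("add:", to_add, "remove:", to_remove)
```

A real daemon would then apply these changes to the pinned BPF map; that step is omitted because the map's layout is not given on this page.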
Technical Highlights
- Developed in C as an eBPF/XDP kernel program for optimal performance, with minimal latency measured in the range of 40 to 65 nanoseconds per packet.
- Supports IPv6 and includes features to counter potential header-based attack vectors.
- Utilizes Pinned BPF maps to ensure port information remains intact across service reloads and can be updated dynamically as needed.
Installation and Setup
The installation process is straightforward, accommodating both users who want a quick setup and those who prefer to build from source. Users can execute:
curl -fsSL https://raw.githubusercontent.com/Kookiejarz/basic_xdp/refs/heads/main/setup_xdp.sh | sudo bash
for a simple one-click installation experience.
For a detailed exploration of installation steps, usage, and performance benchmarks, refer to the provided documentation in the repository.
Benchmark Performance
In stress tests simulating volumetric DDoS attacks, Basic XDP exhibited impressive resilience with a substantial reduction in CPU workload during packet floods, ensuring continued system operation while effectively managing high packet rates.
Contribution Guidelines
Contributions to the project are welcome. Users can fork the repository, make enhancements, and submit pull requests to share improvements or report issues directly via the repository's issue tracker.
Overall, Basic XDP stands out as an essential tool for enhancing network security in personal cloud environments, providing robust DDoS mitigation and simplifying firewall management through innovative automation.