Basic XDP leverages high-performance eBPF technology to provide essential DDoS protection and automatic port whitelisting for Linux personal cloud instances. Unlike traditional firewalls, Basic XDP operates at the NIC driver level, ensuring faster packet processing and reduced maintenance, freeing users from manual firewall rule updates.
Basic XDP: A High-Performance Anti-DDoS Solution
Basic XDP is a lightweight and efficient eBPF-based rule designed specifically for Linux environments, providing automatic port whitelisting and essential DDoS protection for personal cloud instances. Unlike traditional firewalls that operate after packets have entered the Linux networking stack, Basic XDP filters traffic directly at the NIC driver level, ensuring speed and efficiency in handling incoming connections.
Unique Features
- Automatic Port Whitelisting: A real-time daemon monitors open ports and updates BPF maps without manual intervention.
- Wire-Speed Filtering: Processes each packet in ~40–65 nanoseconds, a dramatic latency reduction compared to traditional methods.
- Comprehensive Protocol Support: Fully compatible with IPv6, including advanced filtering capabilities to prevent bypassing via extension headers.
- Seamless Integration: Includes a script for one-click setup, making installation and deployment straightforward, even for users with limited experience.
Technical Overview
What is XDP?
XDP, or eXpress Data Path, uses eBPF to process packets at very high speed. It runs before the kernel networking stack, so unwanted packets are filtered before the kernel spends any work on them. Basic XDP uses this to control packet flows directly, which suits personal servers that are frequently probed and scanned.
How It Operates
The packet handling follows a clear flow:
Incoming Packet
       │
       ▼
┌─────────────┐
│ NIC Driver  │ ← XDP hooks here (before kernel stack)
└──────┬──────┘
       │
       ▼
┌──────────────────────────────┐
│  xdp_port_whitelist          │
│                              │
│  ETH → IPv4/IPv6 → TCP/UDP   │
│                              │
│  TCP SYN? → check map        │
│  TCP ACK? → PASS (reply)     │
│  UDP? → check map            │
│  ICMP/ARP? → PASS            │
│                              │
│  Not in whitelist → DROP     │
└──────────────────────────────┘
       │
       ▼
XDP_PASS / XDP_DROP
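With this flow, new TCP connections (SYN) and UDP datagrams reach the system only on whitelisted ports, which thwarts unwanted connections. TCP segments with ACK set, ICMP and ARP pass without a map lookup, so the kernel stack still handles them.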
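The verdict flow in the diagram above, written as a userspace C model so the logic can be checked against constructed frames. This is an added example, not the project's xdp_firewall.c. The array-based port maps, the make_frame helper, the IPv4-only scope, and the dropping of later fragments and of TCP segments with neither SYN nor ACK are assumptions of the model.

```c
/* Userspace model of the diagram's verdict flow (added example, not the
 * project's xdp_firewall.c). IPv4 only; arrays stand in for the BPF maps. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_DROP = 1, V_PASS = 2 };            /* XDP_DROP / XDP_PASS values */
static uint8_t tcp_ports[65536], udp_ports[65536];  /* 1 = whitelisted port */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum verdict classify(const uint8_t *pkt, size_t len)
{
    if (len < 14) return V_DROP;                     /* truncated Ethernet header */
    if (be16(pkt + 12) == 0x0806) return V_PASS;     /* ARP */
    if (be16(pkt + 12) != 0x0800 || len < 34) return V_DROP;  /* model: IPv4 only */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;         /* IPv4 options move the L4 header */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return V_DROP;
    if (ip[9] == 1) return V_PASS;                   /* ICMP */
    if (be16(ip + 6) & 0x1fff) return V_DROP;        /* assumption: later fragments dropped */
    const uint8_t *l4 = ip + ihl;
    size_t l4len = len - 14 - ihl;
    if (ip[9] == 6 && l4len >= 20) {                 /* TCP */
        if (l4[13] & 0x10) return V_PASS;            /* ACK set: treated as a reply */
        if (l4[13] & 0x02) return tcp_ports[be16(l4 + 2)] ? V_PASS : V_DROP;  /* SYN */
    }
    if (ip[9] == 17 && l4len >= 8)                   /* UDP */
        return udp_ports[be16(l4 + 2)] ? V_PASS : V_DROP;
    return V_DROP;                                   /* assumption: all else dropped */
}

/* Constructed sample frame: Ethernet + 20-byte IPv4 header + TCP or 8-byte L4 header. */
size_t make_frame(uint8_t buf[54], uint8_t proto, uint16_t dport, uint8_t tcp_flags)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[14] = 0x45;                  /* EtherType 0x0800; IPv4, IHL 5 */
    buf[23] = proto;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)(dport & 0xff);
    buf[47] = tcp_flags;                             /* TCP flags byte (offset 13) */
    return proto == 6 ? 54 : 42;
}

int main(void)
{
    uint8_t f[54];
    tcp_ports[22] = 1;                               /* constructed whitelist */
    size_t n = make_frame(f, 6, 23, 0x02);           /* SYN to non-whitelisted port 23 */
    return classify(f, n) == V_DROP ? 0 : 1;         /* exit 0 when the SYN is dropped */
}
```

The ACK case shows what the stateless rule implies: a segment with ACK set reaches the kernel stack on any port, whitelisted or not.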
Components
- xdp_firewall.c: The core eBPF/XDP program, optimized for high-speed filtering.
- setup_xdp.sh: An automated script for deployment, configuration, and setup of the synchronization daemon.
Benchmarking Performance
In real-world performance tests simulating UDP flood attacks, Basic XDP has demonstrated:
- Significant Reduction in CPU Usage: Softirq CPU usage dropped from 85.9% (XDP OFF) to 3.0% (XDP ON) during high packet volumes, maintaining system responsiveness.
- Stable Packet Handling: Essential packets processed efficiently without overwhelming the kernel networking stack.
Contributing
Basic XDP is open for contributions. Suggestions and improvements are encouraged, and users can provide feedback by forking the repository and submitting pull requests.
Conclusion
Basic XDP represents a significant advance in network security for personal cloud instances, combining performance and automation in a user-friendly package. Explore its capabilities to enhance the security of Linux-hosted applications and services.