Infrastructure●●Solid
My VPS got DDoS'd into a kernel panic, so I learned XDP
Drops packets in 34-65ns at NIC level before fail2ban ever sees them.
WizardryNiche Gem
kennethhh
103mo ago
Back to browse
GitHub Repository
Lightweight eBPF/XDP stateful firewall that auto-syncs listening ports and preserves return traffic. Zero-config, maximum defense.
117 starsPython
XDP firewall that auto-syncs open ports – built after my VPS got DDoS'd
by kennethhh·Feb 27, 2026·1 point·0 comments
AI Analysis
●●●BangerWizardrySolve My ProblemDark Horse
XDP drops packets at NIC before kernel stack—beats fail2ban's kernel reaction cost entirely.
Strengths
- •Operates at wire speed (~40–65 ns/packet), fundamentally faster than iptables/fail2ban by processing at NIC driver level.
- •Automatic port sync via Netlink eliminates manual firewall rule maintenance—daemon watches ss output and updates BPF maps in real time.
- •Solves a concrete pain point: the author's real fail2ban catastrophe (20k+ IPs, OOM panic) demonstrates the problem wasn't theoretical.
Weaknesses
- •Upstream bandwidth saturation remains unsolvable—explicitly documented as no replacement for scrubbing services, limiting use to volumetric attacks below link capacity.
- •Linux-only (kernel ≥4.18, Debian/Ubuntu), and Netlink Process Connector dependency may be missing or require custom kernel builds on some VPS providers.
Category
Target Audience
VPS operators, DevOps engineers, systems administrators managing high-traffic or frequently-probed cloud instances
Similar To
fail2ban · nftables · Suricata IDS
Post Description
A few days ago, someone decided to DDoS the entire IP range of my Hong Kong VPS provider. fail2ban did its job a little too enthusiastically — banned 20,000+ IPs, ran the machine out of memory, and triggered a kernel panic. Great. :/
That's when I realized the problem: fail2ban lets packets hit the kernel stack first, then reacts. Under a real flood, that reaction cost alone is enough to kill the machine. I went down the XDP/eBPF rabbit hole — packets get dropped at the NIC driver level, before they even touch the kernel.
The other thing that annoyed me was manually managing port rules, so I built a daemon that watches for new listening ports via Netlink Process Connector and updates the BPF whitelist automatically.
What it does: ~34–65 ns/packet drop on KVM VPS, auto-syncs open ports, handles IPv6 extension headers, one-liner install.
What it won't do: won't save you if your uplink is already saturated — not a replacement for upstream scrubbing.
Would love feedback, especially if something breaks on your setup. First time posting here — hello everyone!
Similar Projects
Security●Mid
Detect7 – automatic DDoS protection layered on Cloudflare
Cloudflare already does DDoS protection; this adds AI scoring on top.
Solve My Problem
rk-baku
202mo ago
Infrastructure●●Solid
Flowtriq – Per-node DDoS detection with auto-mitigation in under 1s
Sub-second DDoS mitigation on your servers, but Cloudflare and AWS Shield dominate.
Bold BetSlick
jacob_masse
202mo ago
Developer Tools●Mid
GitMo – Google Drive-like auto sync for GitHub
Linux-only GitHub Desktop alternative, but auto-sync is already solved elsewhere.
Niche GemShip It
WWIII_Historian
1112d ago
Developer Tools●Mid
A CLI tool to simplify and automate common VPS configuration tasks
Bash script bundling standard server hardening, but Ansible, Terraform, and Linode/DigitalOcean do this.
Ship It
Wiar8
104mo ago
Developer Tools●●Solid
Port0 – dev servers by name, not port (Go)
Port auto-assignment with clean hostnames beats memorizing localhost:3000, but Overmind and Tilt already solve this.
Solve My ProblemCozy
hemanth05
103mo ago