Unify xdp-blocker and xdp-ddos into single xdp-defense project

Chain two XDP programs via libxdp dispatcher on the same interface: xdp_blocker (priority 10) handles CIDR/country/whitelist blocking, xdp_ddos (priority 20) handles rate limiting, EWMA analysis, and AI anomaly detection. Whitelist maps are shared via BPF map pinning so whitelisted IPs bypass both blocklist checks and DDoS rate limiting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 08:39:21 +09:00
commit 1bcaddce25
12 changed files with 3523 additions and 0 deletions
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -0,0 +1,70 @@
+# XDP Defense - Unified Configuration
+# Combines CIDR/country/whitelist blocking with DDoS rate limiting + AI detection
+
+general:
+  interface: eth0
+  log_level: info          # debug, info, warning, error
+  pid_file: /var/lib/xdp-defense/daemon.pid
+  data_dir: /var/lib/xdp-defense
+  bpf_dir: /opt/xdp-defense/bpf
+  pin_path: /sys/fs/bpf/xdp-defense
+
+blocker:
+  enabled: true
+  config_dir: /etc/xdp-blocker  # existing data path (blocklist, countries, whitelist)
+
+rate_limits:
+  default_pps: 1000        # packets per second threshold
+  default_bps: 0           # bytes per second (0 = disabled)
+  window_sec: 1            # time window in seconds
+
+  # Time-based profiles (daemon switches automatically)
+  profiles:
+    business_hours:
+      hours: "09:00-18:00"
+      weekdays: "mon-fri"
+      pps: 2000             # higher during business hours
+      bps: 0
+    night:
+      hours: "00:00-06:00"
+      pps: 500              # stricter at night
+      bps: 0
+
+escalation:
+  # Violations before escalation
+  rate_limit_after: 1       # violations before eBPF rate limiting kicks in
+  temp_block_after: 5       # violations before temporary block
+  perm_block_after: 999999  # effectively disabled
+
+  # Temporary block duration (seconds)
+  temp_block_duration: 300  # 5 minutes
+
+  # Violation memory window (seconds) - violations older than this are forgotten
+  violation_window: 600     # 10 minutes
+
+  # Cooldown: after unblocking, track more aggressively
+  cooldown_multiplier: 0.5  # multiply thresholds by this after recent block
+
+ewma:
+  alpha: 0.3               # EWMA smoothing factor (0-1, higher = more reactive)
+  poll_interval: 1          # seconds between rate counter polls
+  threshold_multiplier: 3.0 # alert when EWMA > multiplier * baseline
+
+ai:
+  enabled: true
+  model_type: IsolationForest
+  contamination: auto        # let sklearn decide boundary
+  n_estimators: 100         # number of trees
+
+  # Learning phase
+  learning_duration: 86400  # 24 hours baseline collection
+  min_samples: 1000         # minimum samples before training
+
+  # Inference
+  poll_interval: 5          # seconds between feature reads
+  anomaly_threshold: -0.16  # sklearn decision_function threshold
+
+  # Retraining
+  retrain_interval: 604800  # 7 days in seconds
+  model_file: /var/lib/xdp-defense/ai_model.pkl
+  training_data_file: /var/lib/xdp-defense/training_data.csv
--- a/config/xdp-defense.service
+++ b/config/xdp-defense.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=XDP Defense - Unified CIDR Blocker + DDoS Defense
+After=network-online.target
+Wants=network-online.target
+Documentation=man:xdp-defense(8)
+
+[Service]
+Type=simple
+ExecStartPre=/usr/local/bin/xdp-defense load
+ExecStart=/usr/local/bin/xdp-defense daemon start-foreground
+ExecStop=/usr/local/bin/xdp-defense stop-all
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+ProtectSystem=strict
+ReadWritePaths=/var/lib/xdp-defense /etc/xdp-defense /etc/xdp-blocker /sys/fs/bpf
+ProtectHome=true
+NoNewPrivileges=false
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_BPF CAP_SYS_ADMIN CAP_PERFMON
+AmbientCapabilities=CAP_NET_ADMIN CAP_BPF CAP_SYS_ADMIN CAP_PERFMON
+
+[Install]
+WantedBy=multi-user.target