Reduce EWMA false positives with min_pps threshold

- Add min_pps (default 20) to skip anomaly detection for low-traffic IPs
- Increase threshold_multiplier from 3.0 to 5.0
- Increase rate_limit_after from 1 to 3 violations
- Support min_pps in SIGHUP config reload

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kaffa
2026-02-07 14:32:41 +09:00
parent e994a0a63a
commit 1c2c94d36a
2 changed files with 15 additions and 6 deletions


@@ -32,7 +32,7 @@ rate_limits:
escalation:
# Violations before escalation
rate_limit_after: 1 # violations before eBPF rate limiting kicks in
rate_limit_after: 3 # violations before eBPF rate limiting kicks in
temp_block_after: 5 # violations before temporary block
perm_block_after: 999999 # effectively disabled
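Review bot: Raising rate_limit_after from 1 to 3 while temp_block_after stays at 5 narrows the escalation gap to two further violations, so please confirm that spacing is intended and document it. The leading comment "# Violations before escalation" states only the counter's purpose; since the thresholds are now close together, it should also say how a violation is counted and when the counter resets (e.g. per poll_interval, or cleared after a quiet period), otherwise an operator tuning these numbers cannot reason about how quickly a source moves from rate limiting to a temporary block.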
@@ -48,7 +48,8 @@ escalation:
ewma:
alpha: 0.3 # EWMA smoothing factor (0-1, higher = more reactive)
poll_interval: 1 # seconds between rate counter polls
threshold_multiplier: 3.0 # alert when EWMA > multiplier * baseline
threshold_multiplier: 5.0 # alert when EWMA > multiplier * baseline
min_pps: 20 # ignore anomalies below this PPS (reduce false positives)
ai:
enabled: true
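Review bot: The new min_pps comment "ignore anomalies below this PPS" does not say which value is compared against it, whereas the neighbouring threshold_multiplier comment is explicit ("alert when EWMA > multiplier * baseline"). Please state whether min_pps is checked against the smoothed EWMA, the baseline, or the raw per-poll rate, and make clear that sources below it are exempt from anomaly detection entirely rather than merely scored lower, since that exemption is the operational consequence an operator needs to weigh when tuning the default of 20. The commit message also claims min_pps is honoured on SIGHUP config reload, but nothing in this file shows that; that behaviour should be covered by the other changed file and ideally noted next to this key.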