kaffa/xdp-defense
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
069d09339ca5f8930885faf3407bcc25cc9fae37
xdp-defense/config/config.yaml
kaffa 1bcaddce25 Unify xdp-blocker and xdp-ddos into single xdp-defense project 
Chain two XDP programs via libxdp dispatcher on the same interface:
xdp_blocker (priority 10) handles CIDR/country/whitelist blocking,
xdp_ddos (priority 20) handles rate limiting, EWMA analysis, and AI
anomaly detection. Whitelist maps are shared via BPF map pinning so
whitelisted IPs bypass both blocklist checks and DDoS rate limiting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 08:39:21 +09:00

71 lines
2.3 KiB
YAML
Raw Blame History

# XDP Defense - Unified Configuration
# Combines CIDR/country/whitelist blocking with DDoS rate limiting + AI detection
general:
interface: eth0
log_level: info # debug, info, warning, error
pid_file: /var/lib/xdp-defense/daemon.pid
data_dir: /var/lib/xdp-defense
bpf_dir: /opt/xdp-defense/bpf
pin_path: /sys/fs/bpf/xdp-defense
blocker:
enabled: true
config_dir: /etc/xdp-blocker # existing data path (blocklist, countries, whitelist)
rate_limits:
default_pps: 1000 # packets per second threshold
default_bps: 0 # bytes per second (0 = disabled)
window_sec: 1 # time window in seconds
# Time-based profiles (daemon switches automatically)
profiles:
business_hours:
hours: "09:00-18:00"
weekdays: "mon-fri"
pps: 2000 # higher during business hours
bps: 0
night:
hours: "00:00-06:00"
pps: 500 # stricter at night
bps: 0
escalation:
# Violations before escalation
rate_limit_after: 1 # violations before eBPF rate limiting kicks in
temp_block_after: 5 # violations before temporary block
perm_block_after: 999999 # effectively disabled
# Temporary block duration (seconds)
temp_block_duration: 300 # 5 minutes
# Violation memory window (seconds) - violations older than this are forgotten
violation_window: 600 # 10 minutes
# Cooldown: after unblocking, track more aggressively
cooldown_multiplier: 0.5 # multiply thresholds by this after recent block
ewma:
alpha: 0.3 # EWMA smoothing factor (0-1, higher = more reactive)
poll_interval: 1 # seconds between rate counter polls
threshold_multiplier: 3.0 # alert when EWMA > multiplier * baseline
ai:
enabled: true
model_type: IsolationForest
contamination: auto # let sklearn decide boundary
n_estimators: 100 # number of trees
# Learning phase
learning_duration: 86400 # 24 hours baseline collection
min_samples: 1000 # minimum samples before training
# Inference
poll_interval: 5 # seconds between feature reads
anomaly_threshold: -0.16 # sklearn decision_function threshold
# Retraining
retrain_interval: 604800 # 7 days in seconds
model_file: /var/lib/xdp-defense/ai_model.pkl
training_data_file: /var/lib/xdp-defense/training_data.csv
Reference in New Issue View Git Blame Copy Permalink