xdp-defense/config/config.yaml
kaffa 0ef77e2f7c Lower AI anomaly_threshold from -0.16 to -0.25 to reduce false positives
Normal traffic (~30 pps) was triggering AI ANOMALY warnings every 5s.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 16:45:05 +09:00


# XDP Defense - Unified Configuration
# Combines CIDR/country/whitelist blocking with DDoS rate limiting + AI detection
general:
  interface: eth0  # interface the XDP program is attached to
  log_level: info  # debug, info, warning, error
  pid_file: /var/lib/xdp-defense/daemon.pid
  # data_dir also holds the AI model (.pkl), training CSV and traffic log set
  # under `ai:` below. NOTE(review): a .pkl model is presumably loaded with
  # pickle, which executes code from the file - keep this directory writable
  # by the daemon user only.
  data_dir: /var/lib/xdp-defense
  bpf_dir: /opt/xdp-defense/bpf
  # bpffs pin path for the XDP program/maps. NOTE(review): write access here
  # presumably allows editing the live block/whitelist maps - restrict to root.
  pin_path: /sys/fs/bpf/xdp-defense
blocker:
  enabled: true
  # Static block/allow data: blocklist, countries, whitelist.
  # NOTE(review): whitelist entries presumably bypass every check that follows,
  # so this directory should be root-owned and not writable by the daemon user.
  config_dir: /etc/xdp-defense
rate_limits:
  default_pps: 2000  # packets per second threshold (presumably used when no profile matches)
  default_bps: 0  # bytes per second (0 = disabled)
  window_sec: 1  # time window in seconds
  # NOTE(review): whether pps/bps is counted per source IP or in aggregate is not
  # stated in this file - confirm in the daemon, it changes what 2000 pps means.
  # Time-based profiles (daemon switches automatically).
  # Every profile below currently uses the same 2000 pps as default_pps, so the
  # profiles have no effect until their values are changed.
  profiles:
    business_hours:
      hours: "09:00-18:00"
      weekdays: "mon-fri"
      pps: 2000  # same as default_pps; raise here if business-hours traffic is heavier
      bps: 0
    weekend:
      weekdays: "sat-sun"  # no `hours` given - presumably applies all day
      pps: 2000  # same as default_pps
      bps: 0
    night:
      hours: "00:00-06:00"  # no `weekdays` given - presumably applies every day
      pps: 2000  # same as default_pps
      bps: 0
escalation:
  # Violations before escalation (one violation = one window over threshold, presumably)
  rate_limit_after: 3  # violations before eBPF rate limiting kicks in
  temp_block_after: 5  # violations before temporary block
  # Effectively disabled: a persistent source is re-blocked in repeated
  # temp_block_duration cycles instead of being blocked for good.
  perm_block_after: 999999
  # Temporary block duration (seconds)
  temp_block_duration: 300  # 5 minutes
  # Violation memory window (seconds) - violations older than this are forgotten.
  # Longer than temp_block_duration, so violations recorded before a block are
  # still counted after it expires (assuming the daemon does not reset them on block).
  violation_window: 600  # 10 minutes
  # Cooldown: after unblocking, track more aggressively
  cooldown_multiplier: 0.5  # multiply thresholds by this after recent block (0.5 = halved)
ewma:
  alpha: 0.3  # EWMA smoothing factor (0-1, higher = more reactive)
  poll_interval: 1  # seconds between rate counter polls
  threshold_multiplier: 5.0  # alert when EWMA > multiplier * baseline
  # Floor below which anomalies are ignored (reduces false positives). The commit
  # message puts normal traffic at ~30 pps, so 20 sits just below the baseline.
  min_pps: 20
ai:
  enabled: true
  model_type: IsolationForest
  contamination: auto  # let sklearn decide boundary
  n_estimators: 100  # number of trees
  # Learning phase.
  # NOTE(review): the baseline is whatever traffic arrives during this window -
  # an attacker active while it runs is learned as "normal" (training-data poisoning).
  learning_duration: 86400  # 24 hours baseline collection
  min_samples: 1000  # minimum samples before training
  # Inference
  poll_interval: 5  # seconds between feature reads
  # sklearn decision_function threshold: negative = outlier, more negative = stronger.
  # Lowered from -0.16 to -0.25 because ~30 pps normal traffic alerted on every
  # poll; this also means milder anomalies (e.g. low-rate probing) now go
  # unflagged - a sensitivity/false-positive trade-off, not a free fix.
  anomaly_threshold: -0.25
  # Retraining.
  # NOTE(review): auto-retraining on recent traffic lets a slowly ramping attacker
  # shift the baseline across successive retrains; consider excluding samples
  # collected while an escalation/block was active.
  retrain_interval: 86400  # auto-retrain interval (seconds, default 24h)
  # Data range for retrain (7 days). Presumably read from traffic_log_db, so keep
  # this <= traffic_log_retention_days or retrains silently see less data.
  retrain_window: 604800
  # NOTE(review): .pkl presumably means pickle - loading it runs code from the
  # file, so the model file must only be writable by the daemon user/root.
  model_file: /var/lib/xdp-defense/ai_model.pkl
  training_data_file: /var/lib/xdp-defense/training_data.csv
  # Traffic logging
  traffic_log_db: /var/lib/xdp-defense/traffic_log.db
  traffic_log_retention_days: 7  # days to keep traffic log data (matches retrain_window = 7 days)