GitHub - kilkamesh/xSpa: High-performance, minimalist Single Packet Authorization (SPA) based on eBPF/XDP. Keeps your ports invisible to scanners and resilient to DDoS attacks by filtering traffic at the driver level.
github.com
High-performance, minimalist Single Packet Authorization (SPA) based on eBPF/XDP. Keeps your ports invisible to scanners and resilient to DDoS attacks by filtering traffic at the driver level. - ki...

Hi guys, I wanted to share a project I’ve been working on called xSpa. It’s an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the “drop-all” logic happens right at the driver level.

Key bits:

 L1 verification (SipHash) in kernel space.

 L2 (ChaCha20-Poly1305) in Go userspace.

 It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

    • lucy@lemy.nlOPNederlands
      2·
      15 hours ago

      caught me! still learning the ‘professional’ way to do things. at least it’s better than ‘fix1’, ‘fix2’, ‘asdfgh’…

      • org@lemmy.org
        1·
        10 hours ago

        “Be sure to commit with a descriptive message after each change”

        Assuming you didn’t one-and-done this. Please tell me you didn’t.