Thanks for the feedback! You’re right, my description was a bit messy. Let me clarify the goal and the use case
The goal to make a VPS on the public internet completely invisible to unauthorized scans while allowing access to services (like SSH) only after a valid SPA packet is received
Traditional SPA tools (like fwknop) often use libpcap to sniff packets or iptables to block them. In both cases, unauthorized packets still hit the kernel network stack. If an attacker floods the port with junk, the kernel still spends CPU cycles processing them before they get dropped
By using XDP, I move the “drop-all” logic to the earliest possible stage. This is where the DDoS resilience comes from we drop unauthorized traffic before sk_buff allocation, making it significantly cheaper in terms of CPU resources
It’s designed to run on the host itself, acting as a “stealth” firewall
A major advantage here is that xSpa doesn’t touch the netfilter/iptables stack. Unlike fwknop, which has to dynamically manage firewall rules (often leading to conflicts with Docker, UFW, or complex rulesets), xSpa operates at a lower level. It’s completely independent of whatever you have going on in your iptables configuration
And you can’t use 802.1X to protect an SSH port on a public cloud VPS
I got in the zone :)