Show HN: Experimental eBPF Firewall in Rust with Heuristic Risk Scoring

  • Posted 5 hours ago by n1ghtm4rr3
  • 2 points
https://github.com/N1ghttm4r33/Antivirus
I’ve been working on a small experimental eBPF/XDP-based firewall written in Rust (using Aya). It’s not a full IPS and not an antivirus — it’s a packet-level reputation engine for learning purposes.

What it currently does

  • Rust + eBPF (XDP) packet inspection
  • Per-IP risk scoring (0–1000)
  • Detects:
      • Port scans: SYN/FIN/NULL/XMAS
      • TTL variance (possible spoofing)
      • Burst traffic patterns (DoS-like)
      • ICMP misuse and oversized payloads
      • Malformed packets
  • Bloom filter blocklist (up to 400k entries)
  • LRU map tracking port access timing
  • Auto-blocking on critical risk
  • Tarpit behavior on high-risk IPs
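To make the scoring idea above concrete, here is an added userspace model of a per-IP heuristic scorer (scan-flag patterns, TTL variance, burst pressure, auto-block on critical risk). It is example code written for this post, not the project's eBPF program; the weights, thresholds, burst window and the `IpState`/`observe` names are assumed illustrative values.

```rust
use std::collections::HashMap;
const TCP_FIN: u8 = 0x01;
const TCP_SYN: u8 = 0x02;
const TCP_PSH: u8 = 0x08;
const TCP_URG: u8 = 0x20;
const MAX_RISK: u32 = 1000; // score range 0..=1000, as in the post
const CRITICAL_RISK: u32 = 800; // assumed auto-block threshold
const BURST_WINDOW_NS: u64 = 1_000_000_000; // assumed 1 s burst window
const BURST_LIMIT: u32 = 200; // assumed packets per window before counting as a burst

#[derive(Default)]
struct IpState {
    risk: u32,
    last_ttl: Option<u8>,
    window_start: u64,
    window_pkts: u32,
    blocked: bool,
}
#[derive(Debug, PartialEq)]
enum Verdict { Pass, Drop }

// Risk added by scan-like TCP flag combinations (weights are assumed).
fn scan_penalty(flags: u8) -> u32 {
    match flags {
        0 => 120,                                     // NULL scan: no flags set
        f if f == TCP_FIN | TCP_PSH | TCP_URG => 120, // XMAS scan
        TCP_FIN => 80,                                // FIN-only probe
        TCP_SYN => 10,                                // bare SYN: normal, but counted
        _ => 0,
    }
}

// Fold one packet (source IP, TTL, TCP flags, timestamp) into the per-IP state.
fn observe(table: &mut HashMap<u32, IpState>, src: u32, ttl: u8, flags: u8, ts_ns: u64) -> Verdict {
    let st = table.entry(src).or_default();
    if st.blocked { return Verdict::Drop; }           // already auto-blocked
    let mut add = scan_penalty(flags);
    if let Some(prev) = st.last_ttl {
        if prev.abs_diff(ttl) > 8 { add += 60; }      // TTL variance: possible spoofing
    }
    st.last_ttl = Some(ttl);
    if ts_ns.saturating_sub(st.window_start) > BURST_WINDOW_NS {
        st.window_start = ts_ns; st.window_pkts = 0;  // new burst window
    }
    st.window_pkts += 1;
    if st.window_pkts > BURST_LIMIT { add += 5; }     // DoS-like burst pressure
    st.risk = (st.risk + add).min(MAX_RISK);
    if st.risk >= CRITICAL_RISK { st.blocked = true; return Verdict::Drop; }
    Verdict::Pass
}
```

In the real XDP program the `HashMap` would be an eBPF LRU map keyed by source address and the timestamp would come from the kernel, which is where the map-design and false-positive questions below bite.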

Why I built it

I wanted to learn:

  • Rust in kernel-level constraints
  • How XDP works internally
  • Practical heuristics for lightweight threat detection
  • Efficient state tracking inside eBPF maps

What it is NOT

  • Not production-ready
  • Not a malware scanner
  • Not a Suricata/Snort alternative

Looking for feedback

Particularly interested in:

  • Map design improvements
  • Heuristic tuning
  • Performance considerations
  • Ideas to avoid false positives

Repo: https://github.com/N1ghttm4r33/Antivirus/tree/main

0 comments