I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! by lucy in c/linux@lemmy.ml
[-] lucy@lemy.nl 2 points 2 days ago

I got in the zone :)

I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! by lucy in c/linux@lemmy.ml
[-] lucy@lemy.nl 3 points 2 days ago

Thanks for the feedback! You’re right, my description was a bit messy. Let me clarify the goal and the use case

The goal to make a VPS on the public internet completely invisible to unauthorized scans while allowing access to services (like SSH) only after a valid SPA packet is received

Traditional SPA tools (like fwknop) often use libpcap to sniff packets or iptables to block them. In both cases, unauthorized packets still hit the kernel network stack. If an attacker floods the port with junk, the kernel still spends CPU cycles processing them before they get dropped

By using XDP, I move the "drop-all" logic to the earliest possible stage. This is where the DDoS resilience comes from we drop unauthorized traffic before sk_buff allocation, making it significantly cheaper in terms of CPU resources

It’s designed to run on the host itself, acting as a "stealth" firewall

A major advantage here is that xSpa doesn't touch the netfilter/iptables stack. Unlike fwknop, which has to dynamically manage firewall rules (often leading to conflicts with Docker, UFW, or complex rulesets), xSpa operates at a lower level. It’s completely independent of whatever you have going on in your iptables configuration

And you can’t use 802.1X to protect an SSH port on a public cloud VPS

I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! by lucy in c/linux@lemmy.ml
[-] lucy@lemy.nl 2 points 2 days ago

caught me! still learning the 'professional' way to do things. at least it's better than 'fix1', 'fix2', 'asdfgh'..

I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! by lucy in c/linux@lemmy.ml
[-] lucy@lemy.nl 3 points 2 days ago

I used AI to help with the eBPF parts since it's a new and complex topic for me. It also helped me translate the README and polish this post because English isn't my first language

14
I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! (github.com)
submitted 2 days ago by lucy@lemy.nl to c/linux@lemmy.ml
10 comments fedilink

Hi guys, I wanted to share a project I’ve been working on called xSpa. It's an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the "drop-all" logic happens right at the driver level.

Key bits:

 L1 verification (SipHash) in kernel space.

 L2 (ChaCha20-Poly1305) in Go userspace.

 It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

2
I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! (github.com)
submitted 2 days ago* (last edited 2 days ago) by lucy@lemy.nl to c/golang@lemmy.ml
0 comments fedilink

Hi guys, I wanted to share a project I’ve been working on called xSpa. It's an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the "drop-all" logic happens right at the driver level.

Key bits:

L1 verification (SipHash) in kernel space.

L2 (ChaCha20-Poly1305) in Go userspace.

It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

8
I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! (github.com)
submitted 2 days ago by lucy@lemy.nl to c/selfhost@lemmy.ml
0 comments fedilink

Hi guys, I wanted to share a project I’ve been working on called xSpa. It's an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the "drop-all" logic happens right at the driver level.

Key bits:

L1 verification (SipHash) in kernel space.

L2 (ChaCha20-Poly1305) in Go userspace.

It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

8
I built a minimalist SPA tool using eBPF/XDP to keep ports invisible. First project in Go! (github.com)
submitted 2 days ago by lucy@lemy.nl to c/opensource@lemmy.ml
0 comments fedilink

Hi guys, I wanted to share a project I’ve been working on called xSpa. It's an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the "drop-all" logic happens right at the driver level.

Key bits:

L1 verification (SipHash) in kernel space.

L2 (ChaCha20-Poly1305) in Go userspace.

It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

lucy

joined 2 days ago