I'm currently working again on my ebpf firewall, where I'm integrating an active DDoS kind of analysis across the network, so that other backends using that firewall can synchronize their blocklists more efficiently and contribute their traffic data.

I want the firewall to be some kind of middleware(?) for Go backends, so you can plug it in and can stop worrying. At least that's the idea.

It's similar probably to what cloudflare's DDoS protection is built like, but I'm focusing on Go backends first (my own use case) and am trying to make this as decentralizable as possible.

Is gonna take a bit until I'm confident that this approach will work, but I highly recommend eBPF for blocking and traffic analysis. It's insane what you can offload to the NIC, even when it's only partial support and not fully supporting XDP. The blocks are just so much faster to do than in userspace.

▲

chatmasta a day ago | parent [-]

Yes but how’s that going to help when the IPs you’re banning are mobile IP addresses? Bright Data claims to have over 7 million of them in their network. They aren’t in contiguous ASNs because they’re sourced from regular human users unknowingly running proxy endpoints on their mobile devices.

(I agree, eBPF is very cool. Once you dive into the Linux network internals you discover a bunch of shortcuts you can take to execute code on packets before they ever leave kernel space.)

	▲	cookiengineer a day ago \| parent [-]
		Well you have to have metrics and behavioral analysis anyways because of TOR and other proxies, right? For those kind of residential IPs, you will just treat them as /32 prefixes (well if they use IPv4). There's nothing set in stone, as you have to ensure that 24hrs later they get a chance again, so bans will be temporary first and will be permanent only for repeating offenders.