eBPF/XDP (Linux)
Kernel-level packet filtering using XDP. Implemented and functional on Linux 5.15+.
- IP blocklist with O(1) lookup
- SYN cookie generation
- Per-CPU statistics
- Requires:
CAP_NET_ADMIN,CAP_BPF
DDoS Mitigation Platform
A Rust-based security platform combining eBPF/XDP kernel filtering, WASM hot-reload rules, and L7 WAF protection. Currently in beta (v0.9.6).
Architecture
Section titled “Architecture”WASM Rules Engine
Hot-reloadable WAF rules using Wasmtime 29. No restart required.
- 3 example modules included
- Fuel-limited execution (100K instructions)
- JSON-based request context
- Sandboxed execution
L7 WAF
Production-ready HTTP/HTTPS reverse proxy with 100+ attack patterns.
- SQL injection (~30 rules)
- XSS detection (~35 rules)
- Path traversal (~21 rules)
- TLS 1.2/1.3 (Rustls 0.23)
Distributed (Beta)
NATS-based messaging for multi-node deployments.
- Real-time event sync
- Fleet management
- CRDT state sync (partial)
Quick Start
Section titled “Quick Start”# Clone and buildgit clone https://github.com/fabriziosalmi/secbeat.gitcd secbeat && cargo build --release --workspace
# Start with Docker Composedocker-compose up -d
# Test the proxycurl -k https://localhost:8443/Configuration Example
Section titled “Configuration Example”[platform]mode = "l7"environment = "development"
[network]public_port = 8443backend_port = 8080
[waf]enabled = trueblock_sql_injection = trueblock_xss = true
[metrics]enabled = truebind_address = "0.0.0.0:9191"Current Status
Section titled “Current Status”| Feature | Status | Notes |
|---|---|---|
| L7 HTTP/HTTPS Proxy | ✅ Stable | Hyper 1.x, Rustls 0.23 |
| WAF Engine | ✅ Stable | 100+ patterns, latency histograms |
| eBPF/XDP | ✅ Implemented | Linux only, 232 lines |
| WASM Runtime | ✅ Implemented | Wasmtime 29, 3 modules |
| SYN Proxy | ⚠️ Prototype | 729 lines, functional |
| CRDT Sync | ⚠️ Partial | Basic implementation |
| Orchestrator | ⚠️ Beta | Hardcoded config |
Built with Rust for memory safety and performance.