The problem

A denial-of-service attack overwhelms a service with more traffic or protocol work than it can process. A distributed attack makes that pressure harder to isolate because the traffic arrives from many machines.

Once packet volume is high enough, the server can spend most of its time parsing traffic that should never have reached the application. That can exhaust CPU, queues and connection state before a conventional userspace filter has a chance to react.

The approach

I wrote the filtering logic in C with BPF and attached it through XDP. This moves the decision close to the network interface, allowing unwanted packets to be dropped before they travel through the full Linux networking stack.

The rule used several sequential checks instead of relying on a single signature. For the protected port ranges, traffic had to satisfy the expected protocol and payload conditions before it was allowed to continue. The underlying production filter is confidential, so only limited implementation detail can be shown publicly.
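As an added illustration (not the confidential production filter, and not code from the original page), the following is a plain-C model of the sequential-check structure an XDP program uses: each header is bounds-checked against data_end before it is read, and a packet for a hypothetical protected UDP port range must also satisfy a hypothetical payload rule before it is passed on. It compiles and runs in userspace; in a real XDP program `data` and `data_end` come from `struct xdp_md` and the function is the BPF entry point.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define XDP_DROP 1          /* same values as the kernel's enum xdp_action */
#define XDP_PASS 2
#define PROTECTED_LO 27000  /* hypothetical protected UDP port range */
#define PROTECTED_HI 27999
/* Minimal packed header layouts standing in for linux/if_ether.h, ip.h, udp.h. */
struct ethhdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_ver, tos; uint16_t tot_len, id, frag; uint8_t ttl, proto;
                uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udphdr { uint16_t sport, dport, len, csum; } __attribute__((packed));

/* Sequential checks, each after a bounds check the BPF verifier would insist on.
 * A failed bound means a truncated packet, which is dropped. */
int filter_packet(const uint8_t *data, const uint8_t *data_end)
{
    const struct ethhdr *eth = (const struct ethhdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_DROP;
    if (eth->proto != htons(0x0800)) return XDP_PASS;        /* not IPv4: out of scope */
    const struct iphdr *ip = (const struct iphdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_DROP;
    size_t ihl = (size_t)(ip->ihl_ver & 0x0F) * 4;           /* header length incl. options */
    if (ihl < sizeof *ip || (const uint8_t *)ip + ihl > data_end) return XDP_DROP;
    if (ip->proto != 17) return XDP_PASS;                     /* not UDP: leave to the stack */
    const struct udphdr *udp = (const struct udphdr *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(udp + 1) > data_end) return XDP_DROP;
    uint16_t dport = ntohs(udp->dport);
    if (dport < PROTECTED_LO || dport > PROTECTED_HI) return XDP_PASS;
    /* Protected range: hypothetical protocol starts with 0xFF 0xFF, at least 4 bytes. */
    const uint8_t *payload = (const uint8_t *)(udp + 1);
    if (payload + 4 > data_end) return XDP_DROP;
    if (payload[0] != 0xFF || payload[1] != 0xFF) return XDP_DROP;
    return XDP_PASS;
}

/* Constructed test frame: Ethernet + IPv4 (no options) + UDP + payload; returns its length. */
size_t build_frame(uint8_t *buf, uint16_t dport, const uint8_t *pl, size_t n)
{
    memset(buf, 0, 42);
    struct iphdr *ip = (struct iphdr *)(buf + 14);
    struct udphdr *udp = (struct udphdr *)(buf + 34);
    ((struct ethhdr *)buf)->proto = htons(0x0800);
    ip->ihl_ver = 0x45; ip->proto = 17; ip->tot_len = htons(28 + n);
    udp->dport = htons(dport); udp->len = htons(8 + n);
    memcpy(buf + 42, pl, n);
    return 42 + n;
}
```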

Operation and monitoring

I used Grafana to compare incoming traffic, accepted traffic and dropped traffic while tuning the rules. The visual feedback made it possible to spot leaks, false positives and changes in attack shape without waiting for application-level symptoms.

In the tested configuration, the design was capable of handling packet rates on the order of millions of packets per second per CPU core. Actual capacity depends on the network driver, hardware, packet size and filter complexity.

Outcome

The result was an early-drop layer that removed most unwanted traffic before it could consume normal server resources. It did not replace upstream capacity, monitoring or application security, but it provided a fast first decision point on the host.

Original project media

[Image: Excerpt from an XDP and BPF packet filter] A limited excerpt from one of the packet filters.
[Image: Grafana traffic dashboard showing a filtering rule in operation] Traffic monitoring while the filtering rule was active.