
Releases: nevinshine/hyperion-xdp

M5.0: Advanced Telemetry & Real-Time Observability

01 Feb 08:54


M5.0 - Telemetry & Observability

Milestone 5 introduces a comprehensive telemetry layer to Hyperion-XDP. This release focuses on giving administrators deep visibility into network traffic and defense mechanisms without compromising the high-speed performance of the eBPF/XDP datapath.

New Features: Telemetry Engine

  • Real-Time Packet Metrics: Integrated eBPF map counters to track dropped, passed, and redirected packets in real time.
  • Throughput Monitoring: Added monitoring for bytes-per-second and packets-per-second (PPS) at the XDP hook.
  • Verdict Logging: Detailed logging for policy decisions (e.g., why a specific Layer 7 payload was blocked).
  • Userspace Exporter: A new userspace agent that polls eBPF maps and exports metrics for external visualization (compatible with Prometheus/Grafana).

Improvements

  • Map Lookup Optimization: Optimized the per-CPU array lookups for statistical counters to ensure near-zero overhead during high-load traffic.
  • CLI Status Command: Updated the CLI to print a snapshot of current interface statistics via hyperion-cli status --telemetry.
  • Structure Alignment: Refactored map value structures to minimize cache misses during metric updates.
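The counter path described above (per-CPU statistics updated from the hook, summed by a userspace exporter, exposed in Prometheus text format) as an added example; this is host-side model code, not hyperion-xdp's own kernel or exporter source. The struct name, the verdict enum, MAX_CPUS and the metric names are assumptions; a real BPF_MAP_TYPE_PERCPU_ARRAY would be read through the bpf syscall rather than a C array.

```c
/* Added example (not hyperion-xdp code): models how an XDP program keeps
 * per-CPU statistics counters and how a userspace exporter aggregates them.
 * Names (struct xdp_stats, MAX_CPUS, the verdict enum) are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CPUS 4

/* One counter slot per verdict, mirroring the XDP action codes. */
enum verdict { V_DROP = 0, V_PASS = 1, V_REDIRECT = 2, V_MAX };

/* Per-verdict packet and byte totals. Two 64-bit fields keep the value
 * naturally aligned, which is the "structure alignment" point above. */
struct xdp_stats {
    uint64_t packets;
    uint64_t bytes;
};

/* Stand-in for BPF_MAP_TYPE_PERCPU_ARRAY: each CPU owns its own row,
 * so the datapath never contends on a shared cache line. */
static struct xdp_stats stats_map[MAX_CPUS][V_MAX];

/* Datapath side: account one packet on the CPU that processed it.
 * A true per-CPU map needs no atomic; __sync_fetch_and_add is used so the
 * model stays correct even if a row were shared between CPUs. */
void account_packet(int cpu, enum verdict v, uint32_t pkt_len)
{
    if (cpu < 0 || cpu >= MAX_CPUS || (int)v < 0 || v >= V_MAX)
        return;
    __sync_fetch_and_add(&stats_map[cpu][v].packets, 1);
    __sync_fetch_and_add(&stats_map[cpu][v].bytes, pkt_len);
}

/* Exporter side: sum every CPU's row for one verdict, as a poller would
 * after reading all per-CPU values behind a single map key. */
struct xdp_stats aggregate(enum verdict v)
{
    struct xdp_stats total = {0, 0};
    for (int cpu = 0; cpu < MAX_CPUS; cpu++) {
        total.packets += stats_map[cpu][v].packets;
        total.bytes   += stats_map[cpu][v].bytes;
    }
    return total;
}

/* Render the totals in Prometheus text exposition format into buf.
 * Returns bytes written, or -1 if buf is too small. */
int render_prometheus(char *buf, size_t len)
{
    static const char *names[V_MAX] = { "drop", "pass", "redirect" };
    int n = 0;
    for (int v = 0; v < V_MAX; v++) {
        struct xdp_stats s = aggregate((enum verdict)v);
        n += snprintf(buf + n, len - (size_t)n,
                      "hyperion_xdp_packets_total{verdict=\"%s\"} %llu\n"
                      "hyperion_xdp_bytes_total{verdict=\"%s\"} %llu\n",
                      names[v], (unsigned long long)s.packets,
                      names[v], (unsigned long long)s.bytes);
        if (n >= (int)len)
            return -1;
    }
    return n;
}

/* Zero every counter (useful between test runs or on policy reload). */
void reset_stats(void)
{
    memset(stats_map, 0, sizeof stats_map);
}

int main(void)
{
    char buf[512];
    reset_stats();
    account_packet(0, V_DROP, 60);      /* constructed sample traffic */
    account_packet(1, V_DROP, 1500);
    account_packet(2, V_PASS, 100);
    if (render_prometheus(buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

The exporter never resets the kernel counters; Prometheus counters are monotonic and rate() is computed server-side, so a poller that zeroed the map between scrapes would lose packets counted between the read and the reset.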

Bug Fixes

  • Fixed a race condition in map cleanup during dynamic policy reloads.
  • Corrected byte counting offset for jumbo frames.

Installation

git clone https://github.com/nevinshine/hyperion-xdp.git
cd hyperion-xdp
make build
sudo ./hyperion-xdp load --interface eth0

M3.0: Deep Packet Inspection (DPI) Engine

22 Jan 08:18


Hyperion M3.0: Layer 7 Deep Packet Inspection

Milestone Status: COMPLETED
Focus: Network Datapath Security (XDP)

This release upgrades Hyperion from a Layer 3/4 firewall (IP blocking) to a Layer 7 Deep Packet Inspection (DPI) Engine. It introduces the capability to inspect TCP payloads at wire speed using eBPF/XDP, so traffic can be rejected on payload content before the kernel allocates memory for the packet.

Key Features (M3.0)

  • Zero-Copy DPI: Implements O(N) linear scanning of TCP payloads directly in the XDP driver hook.
  • Signature Enforcement: Instantly drops packets matching specific byte signatures (Current Target: "hack" / 0x6861636b).
  • Protocol Parsing: Added full support for Ethernet → IP → TCP header stripping and variable-length offset calculation.
  • User Space Controller: Replaced pure C loader with a robust Go controller (using cilium/ebpf) for safer lifecycle management and colored CLI output.
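The parse-and-scan path described in the feature list (Ethernet → IPv4 → TCP with variable-length header offsets, then a linear scan for the byte signature) as an added example. This is a host-side model, not hyperion-xdp's kernel source: a real XDP program receives data/data_end from the kernel, whereas here a constructed frame plays that role. The function names, the verdict enum and the decision to pass malformed frames up the stack are assumptions.

```c
/* Added example (not hyperion-xdp code): host-side model of the M3.0
 * parse-and-scan path. Every pointer step is bounds-checked against
 * data_end before it is dereferenced, the same discipline the eBPF
 * verifier enforces on an XDP program. Names and layouts are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6

enum verdict { VERDICT_PASS, VERDICT_DROP };

/* Byte signature named in the release notes: "hack" == 0x6861636b. */
static const uint8_t SIG[] = { 'h', 'a', 'c', 'k' };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Locate the TCP payload inside [data, data_end). Returns -1 for non-IPv4,
 * non-TCP or truncated input instead of ever reading past data_end. */
int find_tcp_payload(const uint8_t *data, const uint8_t *data_end,
                     const uint8_t **payload, size_t *payload_len)
{
    if (data + ETH_HLEN > data_end) return -1;
    if (rd16(data + 12) != ETH_P_IP) return -1;           /* not IPv4 */

    const uint8_t *ip = data + ETH_HLEN;
    if (ip + 20 > data_end) return -1;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;              /* variable-length IP header */
    if (ihl < 20 || ip + ihl > data_end) return -1;
    if (ip[9] != IPPROTO_TCP) return -1;
    size_t tot_len = rd16(ip + 2);
    if (tot_len < ihl || ip + tot_len > data_end) return -1;

    const uint8_t *tcp = ip + ihl;
    if (tcp + 20 > data_end) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* variable-length TCP header */
    if (doff < 20 || tcp + doff > data_end) return -1;
    if (ihl + doff > tot_len) return -1;

    *payload = tcp + doff;
    *payload_len = tot_len - ihl - doff;                  /* trust IP total length, not buffer tail */
    return 0;
}

/* O(N) linear scan for SIG anywhere in the payload. */
int payload_matches(const uint8_t *payload, size_t len)
{
    if (len < sizeof SIG) return 0;
    for (size_t i = 0; i + sizeof SIG <= len; i++)
        if (memcmp(payload + i, SIG, sizeof SIG) == 0) return 1;
    return 0;
}

/* The full verdict path as the hook would run it on one frame. */
enum verdict inspect_frame(const uint8_t *frame, size_t frame_len)
{
    const uint8_t *payload;
    size_t plen;
    if (find_tcp_payload(frame, frame + frame_len, &payload, &plen) < 0)
        return VERDICT_PASS;   /* assumption: non-TCP or malformed is left to the stack */
    return payload_matches(payload, plen) ? VERDICT_DROP : VERDICT_PASS;
}

/* Build a minimal Ethernet/IPv4/TCP frame carrying `payload` (constructed
 * test input; checksums stay zero because the parser does not verify them).
 * Returns the frame length, or 0 if `out` is too small. */
size_t build_tcp_frame(uint8_t *out, size_t cap, const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = ETH_HLEN + 20 + 20 + plen;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[12] = 0x08; out[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                         /* version 4, IHL 5 */
    ip[2] = (uint8_t)((20 + 20 + plen) >> 8);
    ip[3] = (uint8_t)(20 + 20 + plen);
    ip[8] = 64; ip[9] = IPPROTO_TCP;
    uint8_t *tcp = ip + 20;
    tcp[12] = 0x50;                                       /* data offset 5 */
    memcpy(tcp + 20, payload, plen);
    return total;
}
```

Two checks matter more than the scan itself: the payload length is derived from the IP total length rather than from whatever follows in the buffer, so trailing padding is never inspected, and a frame cut off inside a header returns before any read past data_end. The scan sees a single packet only, so a signature split across two TCP segments is not matched by this design.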

Architecture Changes

  • Kernel (src/kern): Removed BPF_MAP_TYPE_LRU_HASH (Stateful M2) to prioritize raw packet parsing speed for M3.
  • User (src/user): Migrated to the Go-based bpf2go toolchain for reliable BTF generation and map pin paths.

Verification

  • Test: Validated against netcat payload injection attacks.
  • Result: Malicious packets are dropped at the driver level; standard traffic passes.
  • Metric: 100% Drop Rate for signature hack.

Note: This release requires a Linux Kernel with BTF support (5.4+).


Part of the Sentinel Research Project. Engineered by Nevin.

Hyperion M2.0: Stateful Tracking (eBPF Maps)

21 Jan 13:01


Mission Status: M2 COMPLETE (Active Defense)

This release upgrades Hyperion from a stateless filter to a Stateful Firewall running directly in the network driver (XDP). It introduces kernel-level memory maps to track connection history, enabling the detection of volumetric attacks based on behavior rather than just signatures.

Research Capability

  • Stateful Inspection: Implemented BPF_MAP_TYPE_LRU_HASH to store flow data in kernel space.
  • DDoS Mitigation: Autonomous Rate Limiting (Default: 10 packets/session).
  • Zero-Copy Drop: Malicious packets are discarded at the NIC driver level before sk_buff allocation.

Technical Changelog

  • feat(core): Added Flow State Table (LRU Hash) for IP tracking.
  • feat(logic): Implemented atomic counter increment (__sync_fetch_and_add).
  • fix(compat): Replaced vmlinux.h with standard <linux/bpf.h> headers for broader kernel compatibility.
  • doc(report): Added M2 Field Report to the dossier.
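The flow table and rate limiter described under Research Capability and the Technical Changelog (LRU hash keyed on source IP, counter bumped with __sync_fetch_and_add, drop after the default 10 packets) as an added example. This is a host-side model, not hyperion-xdp's kernel code: BPF_MAP_TYPE_LRU_HASH is stood in by a small open-addressed table with least-recently-used eviction, and the key choice, table size and names are assumptions.

```c
/* Added example (not hyperion-xdp code): host-side model of the M2.0 flow
 * state table. BPF_MAP_TYPE_LRU_HASH is replaced by a tiny open-addressed
 * table with LRU eviction so the eviction behaviour is visible. The key
 * (source IPv4), FLOW_TABLE_SIZE and the names are assumptions. */
#include <stdint.h>
#include <string.h>

#define FLOW_TABLE_SIZE    8       /* deliberately tiny: eviction shows up fast */
#define RATE_LIMIT_PACKETS 10      /* "Default: 10 packets/session" */

enum verdict { VERDICT_PASS, VERDICT_DROP };

struct flow_entry {
    uint32_t saddr;        /* key: source IPv4 address, host byte order */
    uint64_t packets;      /* value: packets seen from this source */
    uint64_t last_used;    /* logical clock used for LRU eviction */
    int      in_use;
};

static struct flow_entry flow_table[FLOW_TABLE_SIZE];
static uint64_t clock_ticks;

static unsigned hash_ip(uint32_t ip) { return (ip * 2654435761u) % FLOW_TABLE_SIZE; }

/* Lookup-or-insert with linear probing. Slots are never freed, so a key is
 * always found before the first empty slot; when the table is full the
 * least recently used entry is recycled, as an LRU map would do. */
static struct flow_entry *flow_lookup_or_create(uint32_t saddr)
{
    unsigned start = hash_ip(saddr);
    struct flow_entry *victim = NULL;
    for (unsigned i = 0; i < FLOW_TABLE_SIZE; i++) {
        struct flow_entry *e = &flow_table[(start + i) % FLOW_TABLE_SIZE];
        if (e->in_use && e->saddr == saddr) return e;
        if (!e->in_use) { victim = e; break; }
        if (!victim || e->last_used < victim->last_used) victim = e;
    }
    victim->in_use  = 1;
    victim->saddr   = saddr;
    victim->packets = 0;   /* an evicted source starts a fresh budget */
    return victim;
}

/* Datapath decision for one packet from saddr. The counter is incremented
 * with __sync_fetch_and_add, the primitive the changelog names, because in
 * XDP the same map value may be updated from several CPUs concurrently. */
enum verdict rate_limit(uint32_t saddr)
{
    struct flow_entry *e = flow_lookup_or_create(saddr);
    e->last_used = ++clock_ticks;
    uint64_t seen = __sync_fetch_and_add(&e->packets, 1) + 1;
    return seen > RATE_LIMIT_PACKETS ? VERDICT_DROP : VERDICT_PASS;
}

/* Read-only lookup for the CLI/telemetry side; 0 if the source is unknown. */
uint64_t flow_packets(uint32_t saddr)
{
    unsigned start = hash_ip(saddr);
    for (unsigned i = 0; i < FLOW_TABLE_SIZE; i++) {
        const struct flow_entry *e = &flow_table[(start + i) % FLOW_TABLE_SIZE];
        if (!e->in_use) return 0;
        if (e->saddr == saddr) return e->packets;
    }
    return 0;
}

/* Clear all flow state, as a policy reload would. */
void flow_table_reset(void)
{
    memset(flow_table, 0, sizeof flow_table);
    clock_ticks = 0;
}
```

The eviction path is the caveat to keep in view when sizing the real map: a source whose entry is pushed out of the LRU by newer flows comes back with a zeroed counter, so the "10 packets per session" budget only holds while its entry survives, and the map's max_entries bounds how many distinct sources can be held before older ones are forgotten.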

Verification

Validated via ping -f flood simulation:

Result: 10 packets ALLOWED -> 11th packet BLOCKED (Automatic Drop).


System Security Research Lab // Nevin Shine