Releases: nevinshine/hyperion-xdp
M5.0: Advanced Telemetry & Real-Time Observability
M5.0 - Telemetry & Observability
Milestone 5 introduces a comprehensive telemetry layer to Hyperion-XDP. This release focuses on giving administrators deep visibility into network traffic and defense mechanisms without compromising the high-speed performance of the eBPF/XDP datapath.
New Features: Telemetry Engine
- Real-Time Packet Metrics: Integrated eBPF map counters to track dropped, passed, and redirected packets in real-time.
- Throughput Monitoring: Added monitoring for bytes-per-second and packets-per-second (PPS) at the XDP hook.
- Verdict Logging: Detailed logging for policy decisions (e.g., why a specific Layer 7 payload was blocked).
- Userspace Exporter: A new userspace agent that polls eBPF maps and exports metrics for external visualization (compatible with Prometheus/Grafana).
Improvements
- Map Lookup Optimization: Optimized the per-CPU array lookups for statistical counters to ensure near-zero overhead during high-load traffic.
- CLI Status Command: Updated the CLI to print a snapshot of current interface statistics via `hyperion-cli status --telemetry`.
- Structure Alignment: Refactored map value structures to minimize cache misses during metric updates.
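The userspace side of the telemetry engine described above, as an added example written in plain C (not code from the hyperion-xdp repository): summing the per-CPU slots that a statistics map lookup returns, turning two successive polls into packets-per-second, bytes-per-second and a drop ratio, and rendering the totals in Prometheus text exposition format. The `struct xdp_stats` layout, the metric names and the 4-CPU sample values are assumptions; the release notes only state which counters exist.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value layout of the per-CPU statistics map. The release notes say
 * only that map value structs were realigned to cut cache misses; the 64-byte
 * alignment here keeps each CPU's slot on its own cache line. */
struct xdp_stats {
    uint64_t rx_packets;
    uint64_t rx_bytes;
    uint64_t dropped;
    uint64_t passed;
    uint64_t redirected;
} __attribute__((aligned(64)));

/* A BPF_MAP_TYPE_PERCPU_ARRAY lookup returns one value per possible CPU;
 * each CPU only ever updates its own slot, so the exporter has to sum them. */
struct xdp_stats stats_sum(const struct xdp_stats *per_cpu, unsigned ncpus)
{
    struct xdp_stats t;
    memset(&t, 0, sizeof t);
    for (unsigned c = 0; c < ncpus; c++) {
        t.rx_packets += per_cpu[c].rx_packets;
        t.rx_bytes   += per_cpu[c].rx_bytes;
        t.dropped    += per_cpu[c].dropped;
        t.passed     += per_cpu[c].passed;
        t.redirected += per_cpu[c].redirected;
    }
    return t;
}

/* Counters only grow while a program is loaded. A sample lower than the
 * previous one means the program was reloaded and the map recreated, so the
 * delta is measured from zero instead of wrapping to a huge value. */
uint64_t counter_delta(uint64_t now, uint64_t prev)
{
    return now >= prev ? now - prev : now;
}

struct xdp_rates { double pps; double bps; double drop_ratio; };

/* Rates over the polling interval from two successive summed snapshots. */
struct xdp_rates stats_rates(const struct xdp_stats *prev,
                             const struct xdp_stats *now, double interval_s)
{
    struct xdp_rates r = {0.0, 0.0, 0.0};
    uint64_t pk = counter_delta(now->rx_packets, prev->rx_packets);
    uint64_t by = counter_delta(now->rx_bytes, prev->rx_bytes);
    uint64_t dr = counter_delta(now->dropped, prev->dropped);
    if (interval_s > 0.0) { r.pps = (double)pk / interval_s; r.bps = (double)by / interval_s; }
    if (pk > 0) r.drop_ratio = (double)dr / (double)pk;
    return r;
}

/* Render summed counters in Prometheus text exposition format. Metric names
 * are assumed; returns the number of characters written. */
int stats_to_prometheus(char *out, size_t cap, const struct xdp_stats *s, const char *iface)
{
    return snprintf(out, cap,
        "# TYPE hyperion_xdp_packets_total counter\n"
        "hyperion_xdp_packets_total{iface=\"%s\",verdict=\"drop\"} %llu\n"
        "hyperion_xdp_packets_total{iface=\"%s\",verdict=\"pass\"} %llu\n"
        "hyperion_xdp_packets_total{iface=\"%s\",verdict=\"redirect\"} %llu\n"
        "# TYPE hyperion_xdp_rx_bytes_total counter\n"
        "hyperion_xdp_rx_bytes_total{iface=\"%s\"} %llu\n",
        iface, (unsigned long long)s->dropped,
        iface, (unsigned long long)s->passed,
        iface, (unsigned long long)s->redirected,
        iface, (unsigned long long)s->rx_bytes);
}

/* Constructed sample: two polls, 2 s apart, of a 4-CPU map (CPU 3 idle). */
static const struct xdp_stats SAMPLE_PREV[4] = {
    {100, 64000, 10, 90, 0}, {200, 128000, 20, 180, 0}, {50, 32000, 5, 45, 0}, {0, 0, 0, 0, 0},
};
static const struct xdp_stats SAMPLE_NOW[4] = {
    {1100, 704000, 510, 590, 0}, {1200, 768000, 520, 680, 0}, {1050, 672000, 505, 545, 0}, {0, 0, 0, 0, 0},
};

struct xdp_rates sample_rates(void)
{
    struct xdp_stats p = stats_sum(SAMPLE_PREV, 4), n = stats_sum(SAMPLE_NOW, 4);
    return stats_rates(&p, &n, 2.0);
}

const char *sample_prometheus(void)
{
    static char buf[512];
    struct xdp_stats n = stats_sum(SAMPLE_NOW, 4);
    stats_to_prometheus(buf, sizeof buf, &n, "eth0");
    return buf;
}

int main(void)
{
    struct xdp_rates r = sample_rates();
    printf("pps=%.0f bps=%.0f drop_ratio=%.2f\n", r.pps, r.bps, r.drop_ratio);
    fputs(sample_prometheus(), stdout);
    return 0;
}
```

With the constructed sample the two polls differ by 3000 packets and 1,920,000 bytes over 2 s, so the exporter reports 1500 pps, 960000 bps and a drop ratio of 0.5. The reset handling in `counter_delta` matters for the dynamic policy reloads mentioned under Bug Fixes: if a reload recreates the map, a naive `now - prev` on unsigned counters would produce a spurious spike.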
Bug Fixes
- Fixed a race condition in map cleanup during dynamic policy reloads.
- Corrected byte counting offset for jumbo frames.
Installation
git clone https://github.com/nevinshine/hyperion-xdp.git
cd hyperion-xdp
make build
sudo ./hyperion-xdp load --interface eth0
M3.0: Deep Packet Inspection (DPI) Engine
Hyperion M3.0: Layer 7 Deep Packet Inspection
Milestone Status: COMPLETED
Focus: Network Datapath Security (XDP)
This release upgrades Hyperion from a Layer 3/4 firewall (IP blocking) to a Layer 7 Deep Packet Inspection (DPI) Engine. It introduces the capability to inspect TCP payloads at wire speed using eBPF/XDP, allowing for content-based traffic rejection before kernel memory allocation.
Key Features (M3.0)
- Zero-Copy DPI: Implements O(N) linear scanning of TCP payloads directly in the XDP driver hook.
- Signature Enforcement: Instantly drops packets matching specific byte signatures (current target: `"hack"` / `0x6861636b`).
- Protocol Parsing: Added full support for Ethernet → IP → TCP header stripping and variable-length offset calculation.
- User Space Controller: Replaced the pure C loader with a robust Go controller (using `cilium/ebpf`) for safer lifecycle management and colored CLI output.
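An added example, not the project's own kernel code: the Ethernet → IP → TCP offset calculation and the O(N) signature scan from the list above, written as ordinary userspace C so it compiles without BPF headers. Every access is guarded by a bounds check against `data_end`, the invariant the eBPF verifier enforces in the real XDP hook, and both the IHL and the TCP data offset are honoured so option-bearing headers do not shift the scan window. The frame builder and the verdict wrappers are constructed test scaffolding; the only signature is the `hack` string from the notes, and passing frames that are not complete IPv4/TCP is an assumption made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* XDP verdict codes, numerically as defined in <linux/bpf.h>. */
#define XDP_DROP 1
#define XDP_PASS 2

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6

/* The byte signature the M3.0 notes enforce: "hack" / 0x6861636b. */
static const uint8_t SIG[4] = { 'h', 'a', 'c', 'k' };

/* Find the TCP payload inside a raw Ethernet frame. Every read is preceded
 * by a bounds check against data_end, the discipline the eBPF verifier
 * demands of the real XDP program. Returns 0 and sets *payload/*plen on
 * success, -1 if the frame is not a complete IPv4/TCP packet. */
static int tcp_payload(const uint8_t *data, const uint8_t *data_end,
                       const uint8_t **payload, size_t *plen)
{
#define NEED(p, n) ((size_t)(data_end - (p)) >= (size_t)(n))
    if (!NEED(data, ETH_HLEN)) return -1;
    if (((data[12] << 8) | data[13]) != ETH_P_IP) return -1;

    const uint8_t *ip = data + ETH_HLEN;
    if (!NEED(ip, 20)) return -1;                      /* minimal IPv4 header */
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;           /* IHL: header may carry options */
    if (ihl < 20 || !NEED(ip, ihl)) return -1;
    if (ip[9] != IPPROTO_TCP) return -1;
    size_t tot_len = (size_t)((ip[2] << 8) | ip[3]);   /* excludes Ethernet padding */
    if (tot_len < ihl || !NEED(ip, tot_len)) return -1;

    const uint8_t *tcp = ip + ihl;
    if (!NEED(tcp, 20)) return -1;                     /* minimal TCP header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;          /* data offset: options again */
    if (doff < 20 || ihl + doff > tot_len) return -1;  /* header claims exceed packet */

    *payload = tcp + doff;
    *plen = tot_len - ihl - doff;
    return 0;
#undef NEED
}

/* O(N) linear scan of the payload for the signature; 1 on match, else 0. */
static int contains_sig(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + sizeof SIG <= len; i++)
        if (memcmp(p + i, SIG, sizeof SIG) == 0) return 1;
    return 0;
}

/* Userspace model of the XDP program's decision for one frame. */
int dpi_verdict(const uint8_t *frame, size_t frame_len)
{
    const uint8_t *payload;
    size_t plen;
    if (tcp_payload(frame, frame + frame_len, &payload, &plen) != 0)
        return XDP_PASS;                               /* not IPv4/TCP: not inspected */
    return contains_sig(payload, plen) ? XDP_DROP : XDP_PASS;
}

/* Constructed frame builder: Ethernet + IPv4 (no options) + TCP carrying
 * tcp_opt_words*4 bytes of zeroed options + payload. Returns frame length,
 * or 0 if the request does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, unsigned tcp_opt_words, const char *payload)
{
    size_t plen = strlen(payload);
    size_t tcp_hlen = 20 + 4 * (size_t)tcp_opt_words;
    size_t ip_len = 20 + tcp_hlen + plen;
    size_t total = ETH_HLEN + ip_len;
    if (tcp_opt_words > 10 || ip_len > 0xffff || total > cap) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                      /* version 4, IHL 5 */
    ip[2] = (uint8_t)(ip_len >> 8);
    ip[3] = (uint8_t)(ip_len & 0xff);
    ip[9] = IPPROTO_TCP;
    uint8_t *tcp = ip + 20;
    tcp[12] = (uint8_t)((tcp_hlen / 4) << 4);          /* data offset in 32-bit words */
    memcpy(tcp + tcp_hlen, payload, plen);
    return total;
}

/* Wrapper: verdict for a constructed frame with the given payload. */
int verdict_for_payload(const char *payload, unsigned tcp_opt_words)
{
    uint8_t buf[512];
    size_t n = build_frame(buf, sizeof buf, tcp_opt_words, payload);
    return n ? dpi_verdict(buf, n) : -1;
}

/* A frame cut short inside the IP header never reaches the scanner. */
int verdict_truncated(void)
{
    uint8_t buf[512];
    size_t n = build_frame(buf, sizeof buf, 0, "hack");
    return n ? dpi_verdict(buf, 20) : -1;
}
```

In the XDP program itself the scan loop additionally has to be provably bounded for the verifier (kernels before 5.3 require it to be unrolled outright); the userspace model above leaves that constraint out, which is the main thing that changes when the same logic is moved into the driver hook.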
Architecture Changes
- Kernel (`src/kern`): Removed `BPF_MAP_TYPE_LRU_HASH` (Stateful M2) to prioritize raw packet parsing speed for M3.
- User (`src/user`): Migrated to the Go-based `bpf2go` toolchain for reliable BTF generation and pinned map paths.
Verification
- Test: Validated against `netcat` payload injection attacks.
- Result: Malicious packets are dropped at the driver level; standard traffic passes.
- Metric: 100% drop rate for the signature `hack`.
Note: This release requires a Linux Kernel with BTF support (5.4+).
Part of the Sentinel Research Project. Engineered by Nevin.
Hyperion M2.0: Stateful Tracking (eBPF Maps)
Mission Status: M2 COMPLETE (Active Defense)
This release upgrades Hyperion from a stateless filter to a Stateful Firewall running directly in the network driver (XDP). It introduces kernel-level memory maps to track connection history, enabling the detection of volumetric attacks based on behavior rather than just signatures.
Research Capability
- Stateful Inspection: Implemented `BPF_MAP_TYPE_LRU_HASH` to store flow data in kernel space.
- DDoS Mitigation: Autonomous rate limiting (default: 10 packets/session).
- Zero-Copy Drop: Malicious packets are discarded at the NIC driver level before `sk_buff` allocation.
Technical Changelog
- feat(core): Added Flow State Table (LRU Hash) for IP tracking.
- feat(logic): Implemented atomic counter increment (`__sync_fetch_and_add`).
- fix(compat): Replaced `vmlinux.h` with standard `<linux/bpf.h>` headers for broader kernel compatibility.
- doc(report): Added M2 Field Report to the dossier.
Verification
Validated via `ping -f` flood simulation:
Result: 10 packets ALLOWED -> 11th packet BLOCKED (Automatic Drop).
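The stateful verdict from the Research Capability list and the flood result above, as an added userspace model (not the project's kernel code): a small LRU table keyed by source IP stands in for `BPF_MAP_TYPE_LRU_HASH`, the per-flow counter is bumped with the same `__sync_fetch_and_add` builtin the changelog names, and the 10-packet default is enforced so that the 11th packet of a flow is the first one dropped. The table size, the logical-clock eviction and the sample addresses are assumptions; a real BPF LRU map evicts under the kernel's own policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* XDP verdict codes, numerically as defined in <linux/bpf.h>. */
#define XDP_DROP 1
#define XDP_PASS 2

#define FLOW_LIMIT    10     /* M2 default: 10 packets allowed per session */
#define FLOW_TABLE_SZ 256    /* assumed capacity of the modelled LRU map */

struct flow_entry {
    uint32_t saddr;       /* IPv4 source address, the flow key */
    uint64_t packets;     /* packets seen, bumped with __sync_fetch_and_add */
    uint64_t last_seen;   /* logical clock for least-recently-used eviction */
    int      used;
};

struct flow_table {
    struct flow_entry slots[FLOW_TABLE_SZ];
    uint64_t clock;
};

/* Userspace stand-in for bpf_map_lookup_elem + bpf_map_update_elem on an
 * LRU hash: return the entry for saddr, creating it in a free slot or by
 * evicting the least recently seen flow when the table is full. */
static struct flow_entry *flow_get(struct flow_table *t, uint32_t saddr)
{
    struct flow_entry *free_slot = NULL, *lru = NULL;
    for (size_t i = 0; i < FLOW_TABLE_SZ; i++) {
        struct flow_entry *f = &t->slots[i];
        if (!f->used) { if (!free_slot) free_slot = f; continue; }
        if (f->saddr == saddr) return f;
        if (!lru || f->last_seen < lru->last_seen) lru = f;
    }
    struct flow_entry *f = free_slot ? free_slot : lru;
    memset(f, 0, sizeof *f);            /* an evicted flow restarts its budget */
    f->saddr = saddr;
    f->used = 1;
    return f;
}

/* Per-packet decision: pass the first FLOW_LIMIT packets of a flow, drop
 * everything after. The counter is updated atomically because in the kernel
 * the map is shared by every CPU running the XDP program. */
int flow_verdict(struct flow_table *t, uint32_t saddr)
{
    struct flow_entry *f = flow_get(t, saddr);
    f->last_seen = ++t->clock;
    uint64_t seen_before = __sync_fetch_and_add(&f->packets, 1);
    return seen_before < FLOW_LIMIT ? XDP_PASS : XDP_DROP;
}

/* Replay a constructed flood of n packets from one source; returns the
 * 1-based index of the first dropped packet, or 0 if none was dropped. */
int first_drop_index(int n)
{
    struct flow_table t;
    memset(&t, 0, sizeof t);
    uint32_t src = 0xc0a80101u;         /* constructed source 192.168.1.1 */
    for (int i = 1; i <= n; i++)
        if (flow_verdict(&t, src) == XDP_DROP) return i;
    return 0;
}

/* Flows are keyed per source: a second host is unaffected by the first
 * host's exhausted budget. Returns how many of its n packets passed. */
int passed_for_second_source(int n)
{
    struct flow_table t;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < 50; i++)
        flow_verdict(&t, 0xc0a80101u);  /* first host floods (192.168.1.1) */
    int passed = 0;
    for (int i = 0; i < n; i++)
        if (flow_verdict(&t, 0xc0a80102u) == XDP_PASS) passed++;   /* 192.168.1.2 */
    return passed;
}
```

Replaying the flood reproduces the verification result above: packets 1 to 10 are allowed and packet 11 is the first one dropped, while a different source keeps its own 10-packet budget. The eviction path is the operational caveat of an LRU-keyed limiter: once the table fills, the oldest flow is recycled and its counter starts over, so the map capacity bounds how many concurrent sources the limit can actually hold.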
System Security Research Lab // Nevin Shine