Hacker News

kennethhh
Show HN: XDP firewall that auto-syncs open ports – built after my VPS got DDoS'd github.com

A few days ago, someone decided to DDoS the entire IP range of my Hong Kong VPS provider. fail2ban did its job a little too enthusiastically — banned 20,000+ IPs, ran the machine out of memory, and triggered a kernel panic. Great. :/

That's when I realized the problem: fail2ban lets packets hit the kernel stack first, then reacts. Under a real flood, that reaction cost alone is enough to kill the machine.

I went down the XDP/eBPF rabbit hole — packets get dropped at the NIC driver level, before they even touch the kernel.

The other thing that annoyed me was manually managing port rules, so I built a daemon that watches for new listening ports via Netlink Process Connector and updates the BPF whitelist automatically.

What it does: ~34–65 ns/packet drop on KVM VPS, auto-syncs open ports, handles IPv6 extension headers, one-liner install.

What it won't do: won't save you if your uplink is already saturated — not a replacement for upstream scrubbing.

Would love feedback, especially if something breaks on your setup. First time posting here — hello everyone!
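The per-packet decision such a port-allowlist filter makes, written here as plain C that compiles and runs without a kernel so the parsing can be checked on constructed frames. This is an added illustration, not code from the post or from the linked repository. It assumes an allowlist of ports 22 and 443 (standing in for the BPF map the daemon would keep in sync), passes non-IP frames and non-TCP/UDP traffic such as ICMP so the host keeps working, and drops non-first fragments because they carry no port; all three are policy choices of this example. In a real XDP program the same walk runs against the xdp_md data/data_end pointers, the bounds checks are what the BPF verifier insists on, and port_allowed() becomes a bpf_map_lookup_elem() call.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VERDICT_DROP 1   /* same numeric value as XDP_DROP */
#define VERDICT_PASS 2   /* same numeric value as XDP_PASS */

/* Stand-in for the BPF allowlist map; assumed contents for this example. */
static const uint16_t allowlist[] = { 22, 443 };

static int port_allowed(uint16_t port)
{
    for (size_t i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++)
        if (allowlist[i] == port)
            return 1;
    return 0;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Only TCP (6) and UDP (17) carry ports; everything else is passed (assumed policy). */
static int l4_verdict(uint8_t proto, const uint8_t *p, const uint8_t *end)
{
    if (proto != 6 && proto != 17)
        return VERDICT_PASS;
    if (p + 4 > end)                      /* bounds check before reading the ports */
        return VERDICT_DROP;
    return port_allowed(be16(p + 2)) ? VERDICT_PASS : VERDICT_DROP;
}

/* Parse Ethernet -> IPv4/IPv6 (+ extension headers) -> L4 and decide. */
int filter_verdict(const uint8_t *pkt, size_t len)
{
    const uint8_t *end = pkt + len, *p = pkt;

    if (p + 14 > end) return VERDICT_DROP;
    uint16_t ethertype = be16(p + 12);
    p += 14;

    if (ethertype == 0x0800) {                                  /* IPv4 */
        if (p + 20 > end) return VERDICT_DROP;
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if (ihl < 20 || p + ihl > end) return VERDICT_DROP;
        if (be16(p + 6) & 0x1fff) return VERDICT_DROP;          /* non-first fragment: no ports */
        return l4_verdict(p[9], p + ihl, end);
    }
    if (ethertype == 0x86dd) {                                  /* IPv6 */
        if (p + 40 > end) return VERDICT_DROP;
        uint8_t next = p[6];
        p += 40;
        for (int i = 0; i < 8; i++) {       /* bounded loop, as the BPF verifier requires */
            size_t hlen;
            switch (next) {
            case 0: case 43: case 60:       /* hop-by-hop, routing, destination options */
                if (p + 2 > end) return VERDICT_DROP;
                hlen = ((size_t)p[1] + 1) * 8;
                break;
            case 44:                        /* fragment header: fixed 8 bytes */
                if (p + 8 > end) return VERDICT_DROP;
                if (be16(p + 2) & 0xfff8) return VERDICT_DROP;  /* non-first fragment */
                hlen = 8;
                break;
            case 51:                        /* AH: length in 4-octet units, plus 2 */
                if (p + 2 > end) return VERDICT_DROP;
                hlen = ((size_t)p[1] + 2) * 4;
                break;
            default:                        /* reached the transport header */
                return l4_verdict(next, p, end);
            }
            if (p + hlen > end) return VERDICT_DROP;
            next = p[0];
            p += hlen;
        }
        return VERDICT_DROP;                /* extension chain too long */
    }
    return VERDICT_PASS;                    /* ARP and other non-IP: pass (assumed) */
}

/* Constructed sample frames (not captured traffic); only fields the filter reads are set. */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                   /* ethertype IPv4 */
    buf[14] = 0x45;                                   /* version 4, IHL 5 */
    buf[14 + 9] = proto;
    buf[34 + 2] = (uint8_t)(dport >> 8); buf[34 + 3] = (uint8_t)dport;
    return 54;
}

/* IPv6 frame with hop-by-hop and destination-options headers before the transport header. */
static size_t build_ipv6_ext(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 98);
    buf[12] = 0x86; buf[13] = 0xdd;                   /* ethertype IPv6 */
    buf[14] = 0x60;                                   /* version 6 */
    buf[14 + 6] = 0;                                  /* next header: hop-by-hop */
    uint8_t *hbh = buf + 54, *dst = hbh + 8, *l4 = dst + 16;
    hbh[0] = 60; hbh[1] = 0;                          /* next: dst opts, 8 bytes */
    dst[0] = proto; dst[1] = 1;                       /* next: transport, 16 bytes */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    return 98;
}

int verdict_for_ipv4(uint8_t proto, uint16_t dport)
{
    uint8_t f[128];
    return filter_verdict(f, build_ipv4(f, proto, dport));
}

int verdict_for_ipv6_ext(uint8_t proto, uint16_t dport)
{
    uint8_t f[128];
    return filter_verdict(f, build_ipv6_ext(f, proto, dport));
}

int main(void)
{
    printf("IPv4 TCP/22: %d  IPv4 UDP/9999: %d  IPv6+ext TCP/443: %d  IPv6+ext UDP/53: %d\n",
           verdict_for_ipv4(6, 22), verdict_for_ipv4(17, 9999),
           verdict_for_ipv6_ext(6, 443), verdict_for_ipv6_ext(17, 53));
    return 0;
}
```

The point the bounds checks make is the one the post is built on: every byte the filter reads is validated against the frame end before it is touched, which is what lets the verdict be computed in the driver before any skb is allocated, and a truncated or malformed frame costs only the drop.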

