
I got tired of iptables crashing my server during HTTP floods, so I built an eBPF/XDP firewall in Rust with zero CPU overhead 🦀
Hey everyone!
Whenever my small VPS was hit by L7 HTTP botnets or simple DDoS attacks, traditional tools like Fail2ban + iptables would actually make things worse. The sheer overhead of the Linux kernel allocating sk_buff memory for 100,000 packets per second created an interrupt storm that crashed my databases and locked me out of SSH.
So, I spent some time building CrabShield — a hybrid firewall written entirely in Rust.
How it works: It uses an asynchronous Tokio daemon in user space to instantly analyze Nginx/Traefik logs (detecting 404 floods, brute-forcers, scrapers). But instead of adding iptables rules, it dynamically updates an eBPF map. The actual penalty (XDP_DROP) happens natively at the Network Interface Card (NIC) driver level.
The result? The malicious packets are dropped before the heavy Linux TCP/IP stack even knows they exist. The CPU stays under 5%, and Nginx never wakes up.
I just open-sourced it, put together proper documentation on it, and added cross-compilation support so you can just drop a static binary on your Linux box (x86_64 or ARM) and be protected.
Check out the repo and the architecture here: https://github.com/aleksgrim/crab-shield
Would love to hear your feedback, issues, or code-review if anyone is into eBPF!
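The user-space half of the design described in the post (log analysis feeding a blocklist that the XDP program consults), as an added Rust example that is not CrabShield's code and was not written by the post's author: it parses Nginx combined-format access-log lines, keeps a per-source-IP sliding-window count of 404 responses, and once the count reaches a threshold writes the IP into an in-memory map that stands in for the kernel-side BPF map (key: the IPv4 source address in network byte order, the form an XDP program reads from the IP header; value: ban expiry). The log lines, the "five 404s within 60 seconds" threshold and the ten-minute ban are constructed assumptions; a real daemon would write the same key and value into the BPF map through a BPF map library instead of a HashMap.

```rust
// Added example (not CrabShield's own code): the user-space half of a log-fed XDP blocklist.
use std::collections::{HashMap, VecDeque};
use std::net::Ipv4Addr;
/// Fields of one Nginx combined-format access-log line that the detector needs.
pub struct AccessEntry { pub ip: Ipv4Addr, pub ts: u64, pub status: u16 }

/// Days since 1970-01-01 for a Gregorian date (Hinnant's days_from_civil algorithm).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let doy = (153 * ((m as i64 + 9) % 12) + 2) / 5 + d as i64 - 1;
    era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468
}

/// Parse the Nginx timestamp "10/Oct/2024:13:55:36 +0000" into unix seconds (UTC).
pub fn parse_nginx_time(s: &str) -> Option<u64> {
    const MONTHS: [&str; 12] = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
    let (date, tz) = s.split_once(' ')?;
    let f: Vec<&str> = date.split(|c: char| c == '/' || c == ':').collect();
    if f.len() != 6 || tz.len() != 5 { return None; }
    let n = |i: usize| -> Option<i64> { f[i].parse().ok() };
    let m = MONTHS.iter().position(|&x| x == f[1])? as u32 + 1;
    let (d, y, h, mi, sec) = (n(0)?, n(2)?, n(3)?, n(4)?, n(5)?);
    // "+0100" means the local clock runs ahead of UTC, so the offset is subtracted.
    let sign: i64 = if tz.starts_with('-') { -1 } else { 1 };
    let (tzh, tzm): (i64, i64) = (tz.get(1..3)?.parse().ok()?, tz.get(3..5)?.parse().ok()?);
    let utc = days_from_civil(y, m, d as u32) * 86400 + h * 3600 + mi * 60 + sec
        - sign * (tzh * 3600 + tzm * 60);
    u64::try_from(utc).ok()
}

/// Parse one combined-format line; None for anything that does not match.
pub fn parse_line(line: &str) -> Option<AccessEntry> {
    let ip: Ipv4Addr = line.split(' ').next()?.parse().ok()?;
    let t0 = line.find('[')? + 1;
    let t1 = line[t0..].find(']')? + t0;
    let ts = parse_nginx_time(&line[t0..t1])?;
    let rest = &line[t1 + 1..];          // ` "GET /x HTTP/1.1" 404 153 "-" "UA"`
    let q1 = rest.find('"')? + 1;
    let q2 = rest[q1..].find('"')? + q1; // closing quote of the request line
    let status: u16 = rest[q2 + 1..].trim_start().split(' ').next()?.parse().ok()?;
    Some(AccessEntry { ip, ts, status })
}

/// Per-source-IP sliding-window counter of 404 responses (the "404 flood" signal).
pub struct FloodDetector { window_secs: u64, threshold: usize, hits: HashMap<Ipv4Addr, VecDeque<u64>> }
impl FloodDetector {
    pub fn new(window_secs: u64, threshold: usize) -> Self {
        FloodDetector { window_secs, threshold, hits: HashMap::new() }
    }
    /// Some(ip) while the IP is at or over the threshold: the moment the daemon would
    /// write it into the XDP blocklist map instead of adding an iptables rule.
    pub fn observe(&mut self, e: &AccessEntry) -> Option<Ipv4Addr> {
        if e.status != 404 { return None; }
        let (window, threshold) = (self.window_secs, self.threshold);
        let q = self.hits.entry(e.ip).or_default();
        q.push_back(e.ts);
        // Evict hits older than the window (log timestamps assumed non-decreasing).
        while q.front().map_or(false, |&t| e.ts.saturating_sub(t) > window) { q.pop_front(); }
        (q.len() >= threshold).then_some(e.ip)
    }
}

/// In-memory stand-in for the kernel-side BPF blocklist map. Key: source IPv4 in
/// network byte order, as an XDP program reads iph->saddr; value: ban expiry (unix s).
pub struct Blocklist { entries: HashMap<u32, u64>, ban_secs: u64 }
impl Blocklist {
    pub fn new(ban_secs: u64) -> Self { Blocklist { entries: HashMap::new(), ban_secs } }
    pub fn key(ip: Ipv4Addr) -> u32 { u32::from(ip).to_be() }
    pub fn ban(&mut self, ip: Ipv4Addr, now: u64) { self.entries.insert(Self::key(ip), now + self.ban_secs); }
    /// Expired entries read as unblocked; a real daemon would also delete them from the map.
    pub fn is_blocked(&self, ip: Ipv4Addr, now: u64) -> bool {
        self.entries.get(&Self::key(ip)).map_or(false, |&exp| exp > now)
    }
}

/// Run a log text through the detector; returns newly banned IPs in banning order.
pub fn process_log(log: &str, det: &mut FloodDetector, bl: &mut Blocklist) -> Vec<Ipv4Addr> {
    let mut banned = Vec::new();
    for line in log.lines() {
        let e = match parse_line(line) { Some(e) => e, None => continue }; // skip junk, never panic
        if let Some(ip) = det.observe(&e) {
            if !bl.is_blocked(ip, e.ts) { bl.ban(ip, e.ts); banned.push(ip); }
        }
    }
    banned
}

/// Constructed sample: 203.0.113.7 probes five missing paths in five seconds; 198.51.100.2 is a normal visitor.
pub const SAMPLE_LOG: &str = r#"203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2024:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2024:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"#;

fn main() {
    let (mut det, mut bl) = (FloodDetector::new(60, 5), Blocklist::new(600)); // 5 x 404 in 60 s => 10 min ban
    for ip in process_log(SAMPLE_LOG, &mut det, &mut bl) {
        println!("ban {ip} -> map key 0x{:08x}", Blocklist::key(ip));
    }
}
```

Build it with rustc and run it; it prints the banned address together with the key the daemon would insert. The byte-order detail is the part that bites in practice: an XDP program compares the map key against the source address as it lies in the packet, so if the user-space side inserts the host-order integer on a little-endian box, the lookup silently never matches and nothing is ever dropped. The expiry value matters for the same reason a Fail2ban jail has a bantime: without it the map fills up and legitimate clients behind a shared NAT stay locked out.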