This project is an XDP (eXpress Data Path) program designed to protect FiveM game servers against a wide range of network attacks. It provides comprehensive TCP/UDP filtering, rate limiting, connection tracking, SYN flood protection (with SYN cookies), blocklist/allowlist support, deep packet inspection, anomaly detection, ML-based threat detection, and TCP bypass protection—all while running at the kernel level for high performance.
- **TCP/UDP Filtering**: Filters and inspects UDP/TCP packets that target the configured FiveM server IP/port. Other packets pass through without overhead.
- **Rate Limiting**: Per-CPU rate limit to cap the packet rate and throttle volumetric DDoS attacks.
- **Connection Tracking**: Maintains state for both UDP and TCP flows using an LRU hash map, enabling stateful inspection (e.g., blocking out-of-sequence TCP packets).
- **Dynamic Blocklist/Allowlist**: Instantly drops traffic from blocklisted IPs and short-circuits allowlisted IPs for minimal CPU overhead.
- **SYN Flood Mitigation**: Protects against SYN floods with SYN cookies, verifying TCP sequence numbers before allowing connections.
- **Deep Packet Inspection (DPI)**: Matches payload patterns against known malicious signatures in a BPF map, dropping those packets immediately.
- **Anomaly Detection**: Uses an anomaly score map to identify suspicious behavior and drop out-of-profile traffic.
- **Machine Learning-Based Threat Detection**: Integrates with an external ML model for adaptive threat detection by looking up flagged flows in a BPF map.
- **TCP Bypass Protection**: Drops suspicious TCP packets that attempt to bypass the normal 3-way handshake, preventing stealth scanning and other bypass methods.
- **High Performance**: Runs via XDP at the driver layer, ensuring minimal latency and efficient CPU usage.
- **Initial Parsing**: At the XDP hook, the program parses the Ethernet and IP headers to validate the packet length and determine whether the traffic is IPv4.
- **Blocklist/Allowlist**: Immediately drops packets from blocklisted IPs or passes packets from allowlisted IPs, saving CPU time for known decisions.
- **Destination Check**: Only applies deeper inspection if the packet targets the configured FiveM IP and port (other traffic is passed).
- **Protocol-Specific Checks**:
  - UDP: Prevents amplification attacks from known amplifier ports, checks DPI signatures, and consults the anomaly/ML maps.
  - TCP: Validates SYNs via SYN cookie, ensures the flow is in the correct state, performs DPI, and checks the anomaly/ML maps.
- **Rate Limiting**: Maintains a per-CPU timestamp of the last packet sent to the server and drops packets that arrive faster than the configured per-second limit.
- **Connection Tracking**: Uses an LRU map keyed by a "5-tuple" flow key (source/destination IP, source/destination port, protocol) to track recently seen flows, and ensures TCP packets follow legitimate handshake sequences.
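The decision path listed above, modelled in plain C so it can be compiled and unit-tested in user space. This is an added example, not the project's `fivem_xdp.c`: the BPF maps are replaced by plain arrays, the reflector-port list (53, 123, 1900) and the one-second counting window are assumptions, and the constants follow the README defaults.

```c
/* Added example, not the project's code: a plain-C model of the XDP decision path
 * (parse, blocklist/allowlist, destination, UDP amplifier ports, rate limit). Maps are
 * stand-in arrays; reflector ports and the 1 s counting window are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define FIVEM_SERVER_IP   0x7f000001u   /* 127.0.0.1 in host byte order */
#define FIVEM_SERVER_PORT 30120
#define MAX_PACKET_RATE   13000         /* packets per second */
enum verdict { XDP_PASS_V = 0, XDP_DROP_V = 1 };
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct state {                            /* stand-ins for the BPF maps + rate state */
    uint32_t blocked[8]; int nblocked; uint32_t allowed[8]; int nallowed;
    uint64_t window_start_ns; uint32_t window_pkts;
};
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static int in_list(const uint32_t *l, int n, uint32_t ip) { for (int i = 0; i < n; i++) if (l[i] == ip) return 1; return 0; }
/* Bounds-checked Ethernet + IPv4 + L4-port parse (what the BPF verifier demands).
 * Returns 1 for an IPv4 flow, 0 for non-IPv4, -1 for a truncated IPv4 header. */
static int parse_flow(const uint8_t *pkt, size_t len, struct flow *f) {
    if (len < 14 || rd16(pkt + 12) != 0x0800) return 0;
    if (len < 14 + 20) return -1;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl + 4 > len) return -1;
    f->proto = ip[9]; f->saddr = rd32(ip + 12); f->daddr = rd32(ip + 16);
    f->sport = rd16(ip + ihl); f->dport = rd16(ip + ihl + 2);  /* same offsets for UDP and TCP */
    return 1;
}
/* Same check order as the README: lists, destination, protocol-specific, rate limit. */
int filter(struct state *st, const uint8_t *pkt, size_t len, uint64_t now_ns) {
    struct flow f; int r = parse_flow(pkt, len, &f);
    if (r == 0) return XDP_PASS_V;                        /* not IPv4: pass untouched */
    if (r < 0) return XDP_DROP_V;                         /* truncated IPv4 header */
    if (in_list(st->blocked, st->nblocked, f.saddr)) return XDP_DROP_V;
    if (in_list(st->allowed, st->nallowed, f.saddr)) return XDP_PASS_V;
    if (f.daddr != FIVEM_SERVER_IP || f.dport != FIVEM_SERVER_PORT) return XDP_PASS_V;
    if (f.proto == 17 && (f.sport == 53 || f.sport == 123 || f.sport == 1900)) return XDP_DROP_V; /* UDP reflector ports */
    if (now_ns - st->window_start_ns >= 1000000000ull) { st->window_start_ns = now_ns; st->window_pkts = 0; }
    return ++st->window_pkts > MAX_PACKET_RATE ? XDP_DROP_V : XDP_PASS_V;
}
/* Builds a minimal Ethernet/IPv4/L4 frame (42 bytes) as constructed test input. */
size_t build_pkt(uint8_t *buf, uint8_t proto, uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport) {
    memset(buf, 0, 42); buf[12] = 0x08; buf[13] = 0x00;  /* EtherType IPv4 */
    uint8_t *ip = buf + 14; ip[0] = 0x45; ip[9] = proto;  /* version 4, IHL 5 */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i)); }
    ip[20] = (uint8_t)(sport >> 8); ip[21] = (uint8_t)sport; ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;
    return 42;
}
```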
1. **Kernel with XDP Support**: A kernel version 4.18+ is recommended, together with an iproute2 build that supports XDP.
2. **BPF Compiler (clang, llvm)**: Install clang and llvm to compile the BPF program.
3. **iproute2**: Required to attach/detach the XDP program.
   ```bash
   sudo apt-get update
   sudo apt-get install clang llvm libelf-dev iproute2
   ```
4. **libbpf**: You will also need the libbpf library to handle BPF map interactions.
   ```bash
   sudo apt-get install libbpf-dev
   ```
5. **Python**: Install Python and the libraries needed to train the machine learning model.
   ```bash
   sudo apt-get install python3 python3-pip
   pip3 install scikit-learn numpy pandas
   ```
1. **Clone the Repository**:
   ```bash
   git clone https://github.com/McLovinIt101/FiveM-XDP-Filter-for-TCP-UDP-Protection.git
   cd FiveM-XDP-Filter-for-TCP-UDP-Protection
   ```
2. **Compile the XDP Program**: You can compile the XDP filter using clang and llvm. Ensure you target the BPF architecture.
   ```bash
   clang -O2 -target bpf -c fivem_xdp.c -o fivem_xdp.o
   ```
3. **Load the XDP Program**: Use the `ip` utility to attach the XDP program to a network interface (replace `eth0` with the appropriate network interface on your machine).
   ```bash
   sudo ip link set dev eth0 xdp obj fivem_xdp.o sec xdp_program
   ```
   This will load the XDP program and start filtering packets on the specified interface.
4. **Verifying XDP Program Status**: You can verify that the XDP program is successfully attached using:
   ```bash
   ip -details link show dev eth0
   ```
   Look for the `xdp` section in the output to confirm that the program is running.
The blocklist and allowlist are managed through BPF maps that can be accessed from user space. You can dynamically add or remove IP addresses from these lists using tools like `bpftool`. Note that `bpftool` takes the key and value as space-separated byte values (decimal, or hex after the `hex` keyword), and the number of bytes must match the key and value sizes of the map definition.

- **Adding an IP to the Blocklist**:
  ```bash
  bpftool map update id <map_id> key <ip_address_in_hex> value 1
  ```
- **Adding an IP to the Allowlist**:
  ```bash
  bpftool map update id <map_id> key <ip_address_in_hex> value 1
  ```
- **Deleting an IP from the Blocklist/Allowlist**:
  ```bash
  bpftool map delete id <map_id> key <ip_address_in_hex>
  ```
- To find the map ID, run:
  ```bash
  bpftool map show
  ```

To unload the XDP program from the interface, run:
```bash
sudo ip link set dev eth0 xdp off
```
This will remove the XDP program from the specified interface.
- `FIVEM_SERVER_IP`: The IP address of your FiveM server (default is 127.0.0.1 for local testing).
- `FIVEM_SERVER_PORT`: The UDP and TCP port number your FiveM server uses (default is 30120).
- `MAX_PACKET_RATE`: The maximum number of packets per second allowed from each connection (default is 13000).
- `BLOCKED_IP_LIST_MAX`: The maximum number of entries in the blocklist/allowlist (default is 128).

You can modify these parameters directly in the `fivem_xdp.c` file and recompile the program.
1. **Collect Data**: Collect normal and attack traffic data and save it in CSV format with appropriate labels.
2. **Train the Model**: Use the following Python script to train a machine learning model using scikit-learn:
   ```python
   import pandas as pd
   from sklearn.model_selection import train_test_split
   from sklearn.ensemble import RandomForestClassifier
   from sklearn.metrics import accuracy_score
   import joblib

   # Load data
   data = pd.read_csv('traffic_data.csv')
   X = data.drop('label', axis=1)
   y = data['label']

   # Split data into training and testing sets
   X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

   # Train the model
   model = RandomForestClassifier(n_estimators=100, random_state=42)
   model.fit(X_train, y_train)

   # Evaluate the model
   y_pred = model.predict(X_test)
   print(f'Accuracy: {accuracy_score(y_test, y_pred)}')

   # Save the model
   joblib.dump(model, 'ml_model.joblib')
   ```
3. **Deploy the Model**: Convert the trained model to a format that can be used in the XDP program. This may involve exporting the model to a C header file or using a custom format.
4. **Load the Model**: Load the trained model into the XDP program, either by reading it from a file or by embedding it directly in the code. (An XDP program cannot read files itself, so the file-based route means a user-space loader reads the file and populates a BPF map that the program looks up.)
   - Convert the trained model into a C array or a similar format that can be included in the XDP program.
   - For example, if the model is a decision tree, you can convert it into a series of if-else statements or a lookup table:
     ```c
     // Example of embedding a simple decision tree model
     int predict_threat(__u64 flow_key)
     {
         // Example decision tree logic
         if (flow_key < 1000) {
             return 0; // Not a threat
         } else if (flow_key < 2000) {
             return 1; // Threat
         } else {
             return 0; // Not a threat
         }
     }
     ```
5. **Feature Extraction**: Extract features from incoming packets and use the model to predict whether the packet is a threat.
6. **Threat Detection**: Use the model's predictions to drop packets flagged as threats.
You can use the `bpf_trace_printk()` helper in the XDP program to print debug messages. This is useful for debugging packet flows and understanding how your filter is performing. Note that the output goes to the kernel trace buffer rather than to `dmesg`, and the helper is slow, so remove it from production builds.

To view the trace output:
```bash
sudo cat /sys/kernel/debug/tracing/trace_pipe
```
Alternatively, `sudo bpftool prog tracelog` reads the same buffer.