Skip to content

FoxMoss/fox-xdp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
benchmark
benchmark
 
 
docs
docs
 
 
signatures
signatures
 
 
.env
.env
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
calculate.c
calculate.c
 
 
kern.c
kern.c
 
 
shared.h
shared.h
 
 
user.c
user.c
 
 

Repository files navigation

Fox's High Speed TLS Signature Filtering

High speed TLS based filtering able to run entirely in an eBPF filter.

Requirements

  • Linux 6.12.43+
  • libpbf and libxdp

How does it work

Instead of taking the full JA4 hash to fingerprint traffic which is slow to calculate and is hard to implement in a BPF filter, I take a Jenkins hash of the sorted supported ciphers in any given TLS request. To similar effect as JA4, keeping fingerprinting usefulness. Switching to a non-cryptographic hashing algorithm is okay here because any given attacker with enough skill could replicate the ciphers of another client, so any hash reversing would be useless or at best force the attacker to implement a different amount of hashes.

Example Usage

Generate a config file

./generate-config block-curl.fconf blacklist signatures/curl-8.15.0-arch.bin

Load the filter on to a network device

sudo ./fox-filter block-curl.fconf wlan0 fox.bpf

About

High speed TLS signature filtering

Topics

c ddos networking filtering xdp bpf epbf

Resources

Readme
Activity

Stars

54 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 1

latest Latest
Sep 28, 2025

Packages

No packages published

Languages