Gavin Wyant


Userspace Firewall

A C-based userspace firewall leveraging Linux NFQUEUE to identify, rate-limit, and block SYN-flood traffic without disrupting normal connections.

2025 · Security · in progress


A userspace firewall written in C that uses Linux Netfilter's NFQUEUE interface to mitigate SYN-flood and distributed SYN-flood attacks. It demonstrates packet-level processing, rate-limiting, and resilient system design — the goal is to absorb malicious traffic without disrupting the legitimate connections sharing the same wire.

How it works

Incoming packets are routed through iptables into the userspace firewall, which evaluates each one against three coordinated token buckets:

  • A global bucket caps total throughput so the box never saturates.
  • Per-IP buckets, stored in a hashtable, rate-limit individual sources.
  • A trusted-users table preserves capacity for legitimate clients during an attack.

Legitimate users are identified continuously by traffic pattern — packets per second, protocol completeness, and repeat behavior — so the firewall keeps known-good IPs flowing even while it's actively shedding flood traffic.
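As an added example (not the project's own code, which this page does not show), the three-bucket policy above modelled in C: a token bucket primitive, a hashtable of per-source buckets, a reserve bucket for trusted IPs, and a verdict function that consults them in order. Timestamps are passed in as milliseconds so the logic is deterministic; the iptables rule in the header comment, the bucket sizes, the IP addresses and the two traffic scenarios (one hping3-style source at 1000 SYN/s, then 500 spoofed sources) are all assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the three coordinated buckets described on the page. The real
 * firewall would read the clock when NFQUEUE hands it a packet; an assumed
 * iptables rule of the form  -A INPUT -p tcp --syn -j NFQUEUE --queue-num 0
 * would feed SYNs into it. All parameters below are illustrative. */

typedef struct {
    double capacity, tokens, rate_per_sec;
    uint64_t last_ms;                 /* time of the last refill */
} bucket_t;

static void bucket_init(bucket_t *b, double cap, double rate, uint64_t now) {
    b->capacity = cap; b->tokens = cap; b->rate_per_sec = rate; b->last_ms = now;
}

/* Credit tokens for the elapsed time, then try to spend one for this packet. */
static bool bucket_take(bucket_t *b, uint64_t now) {
    if (now > b->last_ms) {
        b->tokens += (double)(now - b->last_ms) / 1000.0 * b->rate_per_sec;
        if (b->tokens > b->capacity) b->tokens = b->capacity;
        b->last_ms = now;
    }
    if (b->tokens < 1.0) return false;
    b->tokens -= 1.0;
    return true;
}

#define SLOTS 1024                    /* per-IP table, open addressing */
#define MAX_TRUSTED 64

typedef struct { bool used; uint32_t ip; bucket_t bucket; } slot_t;

typedef struct {
    bucket_t global;                  /* caps total accepted rate box-wide */
    bucket_t trusted_reserve;         /* capacity only known-good clients may use */
    slot_t per_ip[SLOTS];
    double ip_cap, ip_rate;           /* parameters for new per-IP buckets */
    uint32_t trusted[MAX_TRUSTED];
    size_t n_trusted;
} firewall_t;

typedef enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 } verdict_t;

static void fw_init(firewall_t *fw, uint64_t now) {
    memset(fw, 0, sizeof *fw);
    bucket_init(&fw->global, 100, 100, now);         /* 100 SYN/s for the box (assumed) */
    bucket_init(&fw->trusted_reserve, 50, 50, now);  /* 50 SYN/s held back for trusted IPs */
    fw->ip_cap = 10; fw->ip_rate = 5;                /* burst 10, sustained 5 SYN/s per source */
}

static void fw_trust(firewall_t *fw, uint32_t ip) {
    if (fw->n_trusted < MAX_TRUSTED) fw->trusted[fw->n_trusted++] = ip;
}

static bool fw_is_trusted(const firewall_t *fw, uint32_t ip) {
    for (size_t i = 0; i < fw->n_trusted; i++) if (fw->trusted[i] == ip) return true;
    return false;
}

/* Find or create the bucket for a source. Returns NULL when the table is full:
 * with spoofed sources every packet looks like a new IP, each one gets a fresh
 * full bucket, and per-IP limiting stops helping (the page's open item). */
static slot_t *fw_slot(firewall_t *fw, uint32_t ip, uint64_t now) {
    uint32_t h = (ip * 2654435761u) >> 22;           /* Fibonacci hash into 1024 slots */
    for (unsigned probe = 0; probe < SLOTS; probe++) {
        slot_t *s = &fw->per_ip[(h + probe) % SLOTS];
        if (!s->used) {
            s->used = true; s->ip = ip;
            bucket_init(&s->bucket, fw->ip_cap, fw->ip_rate, now);
            return s;
        }
        if (s->ip == ip) return s;
    }
    return NULL;
}

verdict_t fw_decide(firewall_t *fw, uint32_t src_ip, uint64_t now) {
    /* 1. Trusted clients are served from the reserve that flood traffic never touches. */
    if (fw_is_trusted(fw, src_ip) && bucket_take(&fw->trusted_reserve, now)) return VERDICT_ACCEPT;
    /* 2. Per-source limit first, so one noisy IP cannot burn the global budget. */
    slot_t *s = fw_slot(fw, src_ip, now);
    if (s && !bucket_take(&s->bucket, now)) return VERDICT_DROP;
    /* 3. Global cap last: whatever remains of the box-wide budget. */
    return bucket_take(&fw->global, now) ? VERDICT_ACCEPT : VERDICT_DROP;
}

typedef struct { int trusted_accepted, attack_accepted; } sim_t;

/* One simulated second of constructed traffic: a trusted client at 10 SYN/s plus
 * n_sources attackers each sending pps SYN/s (pps must divide 1000). */
sim_t simulate(int n_sources, int pps) {
    static firewall_t fw;                            /* static: the table is ~40 KB */
    const uint32_t trusted_ip = 0x0A000005u;         /* 10.0.0.5, constructed */
    sim_t r = {0, 0};
    fw_init(&fw, 0);
    fw_trust(&fw, trusted_ip);
    for (uint64_t t = 0; t < 1000; t++) {
        if (t % 100 == 0) r.trusted_accepted += fw_decide(&fw, trusted_ip, t);
        if ((t * pps) % 1000 < (uint64_t)pps)
            for (int s = 0; s < n_sources; s++)      /* 198.51.100.0 onward, constructed */
                r.attack_accepted += fw_decide(&fw, 0xC6336400u + (uint32_t)s, t);
    }
    return r;
}

int main(void) {
    sim_t single = simulate(1, 1000), spread = simulate(500, 2);
    printf("single source: trusted %d/10, attack %d/1000 accepted\n", single.trusted_accepted, single.attack_accepted);
    printf("500 sources:   trusted %d/10, attack %d/1000 accepted\n", spread.trusted_accepted, spread.attack_accepted);
    return 0;
}
```

In the single-source run the per-IP bucket does almost all the work (roughly 14 of 1000 attack SYNs get through) and the global bucket is barely touched; in the distributed run every source stays under its own limit, so only the global cap binds and 150 attack SYNs are accepted. In both, all 10 trusted SYNs pass because they are served from the reserve, which is the behaviour the page's trusted-users table is there to guarantee.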

Design decisions

  • NFQUEUE over BPF. NFQUEUE hands each packet to userspace before the kernel network stack processes it, which is what you want when the per-packet processing the attack induces is itself the cost. BPF filters in-kernel but doesn't give you the same control over connection state at the application layer.
  • Token buckets. Intuitive to reason about, simple to tune, and the standard primitive for DoS mitigation. The composition of three buckets — global, per-IP, trusted — is what makes the policy expressive without becoming brittle.
  • Real attack traffic. Validation uses hping3 to generate flood traffic and curl for legitimate client requests. Success is measured by how much legitimate throughput survives the attack.

Status

The firewall mitigates DoS attacks from hping3 while preserving normal traffic from curl. Open work:

  • Handling DDoS with spoofed source IPs (per-IP buckets degrade as the source set grows).
  • Testing across a real Ethernet hop rather than loopback.

C · NFQUEUE · iptables · hping3 · ddos · netfilter · rate-limiting · linux