Building a production BPF/XDP scanner is an exercise in humility. Orphaned XDP programs, async Rust deadlocks, stale binaries, silent TC failures -- here is everything that broke and what we did about it.
We scanned 138 Sui validators across 20 countries using kernel-level temporal fingerprinting. 41% have SSH exposed, 57 run unexpected internet-facing services, and 9 confirmed CVEs sit on 4 hosts -- including 2 critical at CVSS 9.8. Here is what we found and why it matters for DeFi.
We're open-sourcing the tooling behind NullRabbit's autonomous kernel-level network defence: the scanning, intelligence, observation, and adversarial validation layers that feed our enforcement pipeline. Six tools, MIT licensed, with more coming.
Inline enforcement operates at machine speed, but trust cannot. IBSR is a validation step: using XDP to observe real traffic, simulate enforcement, and generate evidence before any blocking is enabled.
Machines attack at machine speed. Humans defend at human speed. We propose a governance framework for closing that gap--not through blind trust, but through demonstrated competence.
The XDP logic came together in days. The infrastructure to prove it works took weeks. That ratio matters more than most people realise.
Solana reportedly absorbed a sustained ~6 Tbps volumetric DDoS attack with no downtime. That's real progress. It's also not the same thing as being protected.
I assumed Cloudflare would protect me from all denial-of-service attacks. It doesn't. A reality check on origin IP bypasses, non-HTTP floods, and why the gap between the edge and your kernel matters.
Demonstrating the complete XDP detection pipeline with MQTT eventing. Shows kernel-level SYN-flood detection, userspace processing, and real-time remote alerting - all in milliseconds.
Validator nodes face constant exposure. This deep dive explains how NullRabbit Guard uses eBPF and XDP to enforce security directly inside the NIC driver, dropping scans and abnormal traffic at line rate before they reach the kernel or your node.