Shibuya – A High-Performance WAF in Rust with eBPF and ML Engine

by germainluperto · Feb 23, 2026 · 22 points · 18 comments

AI Analysis

●●● Banger · Wizardry · Big Brain · Bold Bet

eBPF kernel drops + dual ML engine beats Cloudflare in latency, single microsecond blocks.

Strengths
  • Genuine technical depth: dual ML pipeline (IsolationForest for anomaly, Random Forest for attack classification) with SHAP explainability—not just rule matching.
  • Kernel-level eBPF/XDP filtering at ~1µs latency eliminates userspace overhead entirely; credible claim against cloud-hosted WAFs.
  • WASM plugin extensibility with sandboxing allows custom security logic without forking; hot-reload in production is rare and valuable.
Weaknesses
  • Linux-only (no Windows/macOS), severely limiting addressable market for enterprises with heterogeneous infra.
  • Dashboard metrics (4297 SQLi blocked, etc.) appear to be from a demo/test environment; real-world production telemetry is missing to validate claims at scale.
Category
Target Audience

DevSecOps engineers, infrastructure teams, enterprise security ops evaluating WAF alternatives

Similar To

ModSecurity · Cloudflare WAF · AWS WAF

Post Description

Hi HN,

I’ve been working on Shibuya, a next-generation Web Application Firewall (WAF) built from the ground up in Rust.

I wanted to build a WAF that didn't just rely on legacy regex signatures but could understand intent and perform at line-rate using modern kernel features.

What makes Shibuya different:

Multi-Layer Pipeline: It integrates a high-performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.

eBPF Kernel Filtering: For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.

Dual ML Engine: It uses an ONNX-based engine for anomaly detection and a Random Forest classifier to identify specific attack classes like SQLi, XSS, and RCE.

API & GraphQL Protection: Includes deep inspection for GraphQL (depth and complexity analysis) and OpenAPI schema validation.

WASM Extensibility: You can write and hot-load custom security logic using WebAssembly plugins.

Ashigaru Lab: The project includes a deliberately vulnerable lab environment with 6 different services and a "Red Team Bot" to test the WAF against 100+ simulated payloads.

The Dashboard: The dashboard is built with SvelteKit and offers real-time monitoring (ECharts), a "Panic Mode" for instant hardening, and a visual editor for the YAML configuration.

I'm looking for feedback on the architecture and the performance of the Rust-eBPF integration.
