🤖 AI Summary
A developer has released an open-source XDP/eBPF filter (github.com/FoxMoss/fox-xdp) that fingerprints TLS ClientHello packets in-kernel to identify and block clients such as curl at wire speed. Instead of relying on User-Agent strings, the filter parses the Ethernet, IP, TCP and TLS headers directly in an XDP program, extracts the ClientHello cipher-suite list, sorts it and hashes it into a compact fingerprint (a Jenkins-style non-cryptographic hash the author calls FST1), then looks the result up in an eBPF hash map to decide whether to drop the packet. Running at the XDP hook places the filter very close to the NIC, which yields extremely high throughput (the Wikipedia-cited XDP figure is roughly 26M packets/sec on consumer hardware) and slightly better performance than a userspace approach in the author's benchmarks.
Technically the project is notable for working within eBPF's constraints: the kernel verifier and the tiny BPF stack preclude SHA-256 and large temporary arrays, so the author embeds a selection-sort-like loop inside the hash that sorts the cipher suites in O(n^2) while keeping memory use minimal, reads packet bytes with bpf_xdp_load_bytes under strict bounds checks, and stores blacklist entries in a BPF_MAP_TYPE_HASH. The trade-offs are clear: the method is efficient and harder to spoof than User-Agent strings, but a TLS fingerprint can be mimicked with some effort, and the in-kernel logic must satisfy the verifier's rules. The project demonstrates practical, high-speed bot mitigation by moving fingerprinting into the kernel.