How Kernloom Works
The idea
Not all attacks are about bandwidth. Many are about state and resource pressure: connection churn, SYN bursts, retries, scans, and persistent non-compliance.
Kernloom focuses on L3/L4 signals and stabilizes your stack before downstream components pay the price.
Pipeline
- XDP dataplane attaches to a Linux interface and observes traffic at line rate.
- Telemetry summarizes high-signal patterns (bursts, churn, scan-like behavior, non-compliance).
- Decision agent (FSM) applies progressive enforcement: observe → soft limit → hard limit → block → cooldown → reputation memory
Why progressive enforcement matters
- safer in NAT-heavy reality
- fewer false positives
- predictable operations (cooldown + auto-unban)
- faster response on repeat offenders (reputation memory)
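The enforcement ladder from the pipeline, together with the cooldown, auto-unban and reputation-memory behaviour listed above, as an added sketch in C (not Kernloom's own code). The threshold, the tick counts, the `step` function, the score unit and the rule that a repeat offender skips the soft limit are all assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed values: assumptions for this sketch, not Kernloom defaults. */
enum { SCORE_BAD = 100, BLOCK_TICKS = 3, COOLDOWN_TICKS = 2 };

typedef enum { OBSERVE, SOFT_LIMIT, HARD_LIMIT, BLOCK, COOLDOWN } fsm_state;

typedef struct {
    fsm_state state;
    int timer;   /* ticks left in BLOCK or COOLDOWN */
    int strikes; /* reputation memory: how often this source was blocked */
} source;

/* Advance one source by one telemetry interval. `score` is that interval's
 * signal for the source (hypothetical unit, e.g. SYNs seen). */
fsm_state step(source *s, int score)
{
    int bad = score >= SCORE_BAD;

    switch (s->state) {
    case BLOCK: /* traffic is dropped, so only the timer matters */
        if (--s->timer <= 0) { s->state = COOLDOWN; s->timer = COOLDOWN_TICKS; }
        break;
    case COOLDOWN: /* unbanned on probation: relapse re-blocks for longer */
        if (bad) { s->state = BLOCK; s->timer = BLOCK_TICKS * ++s->strikes; }
        else if (--s->timer <= 0) s->state = OBSERVE;
        break;
    default: /* OBSERVE, SOFT_LIMIT, HARD_LIMIT */
        if (!bad) { /* one quiet interval steps down one rung */
            if (s->state > OBSERVE) s->state--;
            break;
        }
        /* Escalate one rung; a source with strikes skips the soft limit. */
        s->state += (s->state == OBSERVE && s->strikes > 0) ? 2 : 1;
        if (s->state == BLOCK) s->timer = BLOCK_TICKS * ++s->strikes;
    }
    return s->state;
}

int main(void)
{
    static const char *name[] = { "observe", "soft", "hard", "block", "cooldown" };
    int scores[] = { 500, 10, 500, 500, 500, 0, 0, 0, 0, 0, 500, 500 }; /* constructed */
    source src = { OBSERVE, 0, 0 };
    for (size_t i = 0; i < sizeof scores / sizeof scores[0]; i++)
        printf("tick %zu score %d -> %s\n", i, scores[i], name[step(&src, scores[i])]);
    return 0;
}
```

A single burst only reaches the soft limit and decays after one quiet interval, which is the property that keeps a shared NAT address from being blocked on first contact.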