Getting Started

Getting started with Kernloom

Kernloom is designed to roll out safely without being passive: Bootstrap Mode learns your baseline while already enforcing (typically starting with gentle controls).

GitHub: https://github.com/adrianenderlin/kernloom


1) Pick a placement (start with one choke point)

Choose a Linux host that sits in front of something valuable:

  • Ingress / gateway nodes (public entry points)
  • Edge hosts in front of reverse proxies (and WAFs)
  • Internal chokepoints where routing happens

Kernloom operates at L3/L4 and does not require TLS termination or payload inspection.


2) Bootstrap Mode (learn + protect)

Bootstrap Mode is the recommended starting point: it calibrates baselines and already applies safe enforcement.

In Bootstrap, Kernloom:

  • collects L3/L4 telemetry continuously
  • autotunes baselines to your environment
  • enforces with progressive, stability-first defaults (e.g., soft limiting first)
  • uses cooldown/hysteresis to avoid flapping and collateral impact

Outcome: you get immediate protection while the system learns what “normal” looks like.


3) Progressive enforcement (how escalation works)

Kernloom enforces in steps and escalates only on clear signals or non-compliance:

observe → soft limit → hard limit → block

Recommended defaults:

  • Soft limiting as the default “active” step
  • Hard limiting only for persistent non-compliance
  • Blocking as the final step, always with cooldown + auto-unban
  • Faster response for repeat offenders via reputation memory
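
The ladder above as a small per-source state machine. This is an added example, not Kernloom's code: the thresholds, the names (Source, step, simulate) and the choices that an unban returns to hard limit and that each past block removes one required strike are all assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = ["observe", "soft_limit", "hard_limit", "block"]

# Constructed values for illustration, not Kernloom defaults.
HIGH = 100     # rate per interval above which the interval counts as a violation
LOW = 60       # rate below which the interval counts as calm (hysteresis band 60..100)
STRIKES = 3    # violations needed to escalate one step
COOLDOWN = 4   # calm intervals needed to de-escalate one step
BAN_TICKS = 5  # intervals until a block is lifted automatically


@dataclass
class Source:
    level: int = 0
    strikes: int = 0
    calm: int = 0
    ban_left: int = 0
    offences: int = 0  # reputation memory: number of past blocks

    def step(self, rate: int) -> str:
        """Advance one measurement interval and return the enforcement level."""
        if LEVELS[self.level] == "block":
            # Blocked traffic is dropped, so only the ban timer advances.
            self.ban_left -= 1
            if self.ban_left <= 0:  # auto-unban to hard limit, not straight to observe
                self.level, self.strikes, self.calm = 2, 0, 0
            return LEVELS[self.level]
        if rate > HIGH:
            self.strikes, self.calm = self.strikes + 1, 0
        elif rate < LOW:
            self.calm, self.strikes = self.calm + 1, 0
        # A rate inside the band changes neither counter, which prevents flapping.
        needed = max(1, STRIKES - self.offences)  # repeat offenders escalate faster
        if self.strikes >= needed:
            self.level, self.strikes = self.level + 1, 0
            if LEVELS[self.level] == "block":
                self.ban_left, self.offences = BAN_TICKS, self.offences + 1
        elif self.calm >= COOLDOWN and self.level > 0:
            self.level, self.calm = self.level - 1, 0
        return LEVELS[self.level]


def simulate(rates):
    """Feed a sequence of per-interval rates to one source; return its levels."""
    src = Source()
    return [src.step(r) for r in rates]
```

Feeding a sustained high rate walks the source up one step every three intervals; after the first block expires, the same source is blocked again after two violations instead of three.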

4) What to measure (prove value fast)

Track a few signals before vs after:

  • proxy/gateway/WAF CPU usage
  • connection-table / conntrack pressure
  • p95/p99 latency for critical endpoints
  • rate-limited vs blocked traffic volume
  • incident duration (time-to-stability)

Operational tips

  • Start on one choke point, then expand.
  • Keep cooldowns enabled to avoid long-lived collateral impact.
  • In most environments, soft/hard limiting already delivers big wins — use blocking sparingly.

More deployment patterns (Kubernetes daemonset, HA, dashboards) will be added over time.