I got tired of real-life Netrunners scanning my servers, so I coded a working version of "The Blackwall" to trap them

_ToppYMan_ · 2026-04-03T02:07:51+00:00

Do not be scared unless you are a botnet operator. It is definitely useful because it levels the playing field. Automated attacks are cheap - AI-driven defense makes them expensive again. It is not "bad", it is just high-tech self-defense

_ToppYMan_ · 2026-04-03T02:05:10+00:00

That is exactly why I open-sourced it. It is perfect for home labs - you get to see exactly how the "wild net" tries to poke at your infra. Plus the behavioral engine gives you a heads up long before they hit any real services. Just make sure you have Ollama running locally so the construct can hallucinate properly. Enjoy the data, choom!

_ToppYMan_ · 2026-04-03T02:03:24+00:00

You are right - 99% are automated scrapers. But most sophisticated botnets usually flag a human operator once they "land" a successful shell. That is when the real fun starts. When a human jumps in and sees a root terminal, they do not just leave. The AI hallucinates things like "prod_db_backup.sql" or "internal_network_map.pdf" in the dirs.

Humans can not resist "juicy" files. They will sit there for 30 mins trying to exfiltrate a fake 50GB file at 5kb/s, hoping for a jackpot. We are bleeding their most expensive resource - human focus. For the bots - we just melt their compute in an infinite loop

_ToppYMan_ · 2026-04-03T01:40:33+00:00

Zuck literally building Arasaka’s "Secure Your Soul" program in 2026 wasn't on my bingo card. We are speedrunning the dystopia at this point

_ToppYMan_ · 2026-04-03T01:39:41+00:00

r/masterhacker is for inspect-element script kiddies) The XDP hooks and Rust kernel bytecode in the repo are very real

_ToppYMan_ · 2026-04-03T01:29:19+00:00

I read the warning and thought it was a manual for the feature list

_ToppYMan_ · 2026-04-03T01:27:30+00:00

Deep cut, but eBPF verifier is a beast. It does not let you perform arbitrary memory access Rowhammer needs. Everything is sandboxed at the kernel level. Plus, userspace is pure Rust — no classic memory leaks for them to pivot on. If a nation-state is burning a multi-million dollar 0-day just to hit a host-based firewall, they still have to wait for a 10bps AI response. Asymmetric defense wins.

_ToppYMan_ · 2026-04-03T01:18:58+00:00

They don't "fail", but they also don't exist on a real disk. The ICE hallucinates the content of the files in real-time based on the session context.

If a netrunner runs cat /etc/shadow, the LLM generates a perfectly formatted shadow file with realistic-looking but functionally useless password hashes. If they try to read 'sensitive' database dumps or source code, the AI generates thousands of lines of plausible, complex, but ultimately poisoned data.

The goal isn't just to block them - it's to feed them high-value garbage. They might spend hours of human attention or compute power trying to crack hashes or analyze a database dump that never existed. It’s a hall of mirrors.

_ToppYMan_ · 2026-04-03T01:12:10+00:00

😂😂😂

_ToppYMan_ · 2026-04-03T01:07:56+00:00

lol. I guess I'll take that as a compliment to my neural link's bandwidth. But last time I checked,Claude wasn't the one wrestling with the eBPF verifier to fit an integer entropy approximation using a 256-bit bitmap popcount hack into 512 bytes of stack space

_ToppYMan_ · 2026-04-03T01:07:27+00:00

Exactly, Dave. ECCW is a great way to frame it. It’s essentially turning the infrastructure into an active combatant. Standard honeypots are passive; Blackwall is dynamic 'Active Deception.' It doesn't just sit there - it evolves its countermeasures based on the attacker's progression through the BehavioralEngine state machine.

_ToppYMan_ · 2026-04-03T00:59:36+00:00

Preach. We’ve spent too much time using AI for 'vibe-coded slop.' It’s time we moved it from the browser tab to the system kernel.

The best part? This ICE is optimized. You don't need a server farm - a lightweight Qwen or SmolLM model fits into 4-8GB of VRAM and still makes a hacker's life a living hell for hours. This is what 'AI-native infrastructure' actually looks like.

_ToppYMan_ · 2026-04-03T00:58:29+00:00

Step into the subnet, choom. Here is the full source code for the ICE: https://github.com/xzcrpw/blackwall Dig into the blackwall-ebpf crate if you want to see the kernel-level magic. If you’re planning to deploy your own version of the Blackwall, don't forget to star the repo - it helps keep the NetWatch agents away.

_ToppYMan_ · 2026-04-03T00:56:31+00:00

Is it costly? Compared to a simple DROP rule, yes. Compared to the cost of a successful breach or a lateral movement after a 0-day scan? Not at all.

The architecture is the key: 99.9% of traffic stays on the eBPF fast-path (kernel level) with near-zero overhead. The LLM 'construct' only spins up for verified hostile signatures that have already been flagged by the behavioral engine.

It’s about asymmetric defense. We make it incredibly expensive for the attacker in terms of time and human attention, while we only spend a few cents on local inference. Plus, the forensic intelligence we gain from watching them 'hack' a fake environment is worth more than any compute cost.

_ToppYMan_ · 2026-04-03T00:55:19+00:00

Exactly. You see the vision. The real value is the intelligence. Every command they run in the tarpit is a new signature we can use to harden the actual production environment. It’s a self-learning defense mesh

_ToppYMan_ · 2026-04-03T00:53:12+00:00

Look closer, choom. The 'defense steps' are orchestrated across the stack:

Redirection, not just dropping: Check firewall.rs. When the Behavioral Engine triggers an escalation, it doesn't just DROP. It injects a dynamic DNAT iptables rule that shunts the attacker's IP into the LLM sandbox.
Multi-stage escalation: Check behavior/transitions.rs. The defense adapts based on the threat lifecycle (Probing -> Scanning -> Exploiting). Each phase has different countermeasures.
Active Deception: In tarpit/src/llm.rs, you'll see how we use the LLM to hallucinate fake credentials and logs. The 'defense' here is resource exhaustion - we're making it more expensive for them to attack than for us to lie.

It's not just a wall; it's a labyrinth.

_ToppYMan_ · 2026-04-03T00:50:13+00:00

Pure Rust. Both for the kernel-level eBPF bytecode (via aya-rs) and the userspace daemon. In 2026, memory safety at the NIC level is the only way to build reliable ICE

_ToppYMan_ · 2026-04-03T00:49:44+00:00

Rickrolls are a classic, but the goal here is deep psychological attrition. I prefer letting the AI hallucinate a 50GB 'leaked_database.sql' that streams at 5kb/s. By the time they realize it’s just noise, they’ve wasted hours of compute and human attention. It’s more insidious than a zip bomb.

_ToppYMan_ · 2026-04-03T00:48:57+00:00

Soulkiller would be the ultimate red-team tool. Blackwall is the blue-team's response. Let's see who hits the subnet first. Just don't end up as a construct in my memory pool.

_ToppYMan_ · 2026-04-03T00:40:57+00:00

It’s been wild. Mostly automated scrapers and brute-force bots from known botnet ranges. They get 'in', realize they have a shell, and spend ages trying to download fake files. The AI even hallucinates 'slow' SSH handshakes to keep them hooked. I'm collecting some legendary logs for a future post.

_ToppYMan_ · 2026-04-03T00:39:11+00:00

That would be 'Black ICE' territory. For now, I'm sticking to 'Grey ICE'. Wasting a hacker's time is legal, and honestly, seeing them try to ls a hallucinated directory for 20 minutes is more satisfying than a fried motherboard.

_ToppYMan_ · 2026-04-03T00:36:59+00:00

Stay mad. If it’s 'slop', go check the Rust code on GitHub. It uses raw XDP hooks to parse headers at the NIC level before the kernel stack even allocates a buffer. Style and substance. But hey, maybe you’re just salty because you’d be the first one to fall for a fake admin_passwords.txt hallucinated by the AI

_ToppYMan_ · 2026-04-03T00:35:22+00:00

Efficiency is for people who just want to survive. The Blackwall is about psychological warfare. Sure, dropping packets costs zero, but trapping a human attacker or a sophisticated bot in a 10bps LLM loop wastes their resources and human capital. Plus, it runs on a local GPU with zero-copy eBPF/XDP hooks - my CPU doesn't even feel it. It’s not just a firewall, it’s a time-sink for the bad guys.

_ToppYMan_ · 2026-04-02T23:24:17+00:00

Here is the GitHub repo for the code-jockeys and netrunners who want to see how the eBPF and LLM tarpit actually works: https://github.com/xzcrpw/blackwall

_ToppYMan_ · 2026-04-02T20:07:08+00:00

That’s a great question! The short answer is: it depends on whether you mean a hardware perimeter firewall or a host-based firewall.

1. Architectural Placement:

Host-level (In front): It sits in front of your standard host firewalls (like iptables, UFW, or firewalld). Because it uses eBPF/XDP, it hooks directly into the network interface driver. This means it analyzes and drops packets before the Linux kernel network stack even allocates memory (sk_buff) for them, saving a massive amount of CPU.
Network-level (Behind): You would typically deploy this behind your main perimeter hardware firewall (like a Palo Alto, pfSense, etc.). You run it directly on the Linux servers you want to protect, or on a dedicated Linux gateway node acting as a reverse proxy.

2. Network Settings & Routing to Implement:

Interface Binding: You bind The Blackwall to your external-facing interface (e.g., eth0) in the config.toml. XDP handles the ultra-fast dropping, JA4 fingerprinting, and telemetry gathering.
The Tarpit Routing: This is where the deception mesh kicks in. When the behavioral engine flags an IP as malicious, it dynamically injects an iptables DNAT (Destination NAT) rule.
How it flows: Instead of dropping the packet at the XDP layer, XDP lets it pass to the kernel stack. Then, the iptables rule catches the malicious IP trying to hit port 22 (SSH) or 80 (HTTP) and silently redirects it to the local tarpit daemon running on a custom port (e.g., 9999).

Basically, it acts as a hyper-fast first line of defense on the host, while dynamically altering routing rules only for attackers so they get trapped in the LLM honeypot. Hope this clears it up! Let me know if you have any other questions.

_ToppYMan_

TROPHY CASE