
XDP Defence with MQTT: Real-Time Detection Pipeline

Simon Morley, 2 min read

Today marks the first complete run of the new detection pipeline that ties our XDP dataplane to a remote eventing system. The demo shows a SYN flood being generated in the bottom-left pane, pushing a deliberately aggressive burst of packets at the target host. This is the kind of pattern that traditional host-level tooling notices far too late, if at all: by the time a socket-level monitor sees the listen backlog filling, the flood has already been running for some time.

In the top-left pane, the XDP Guard program is running in monitor mode (observing and passing packets rather than dropping them), inspecting packets at line rate before they reach the kernel's network stack. As the traffic ramps up, Guard crosses its internal threshold for abnormal SYN concurrency and emits a structured detection event. This event is handed off to the userspace agent, which serialises it and publishes it to MQTT.
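The fast-path logic described above, as an added example that is not NullRabbit's code: a host-testable C model of the Guard detection step. The Ethernet/IPv4/TCP parse and the bare-SYN test are what an XDP program does per packet, with the length checks the BPF verifier requires before each header read; the per-window SYN counter stands in for the page's "SYN concurrency" threshold (the real program would keep that state in a BPF map and hand the event to userspace through a ring or perf buffer, which is not modelled here). The threshold value, window length, event layout, function names and the 10.0.0.1:443 test frame are all assumptions for illustration.

```c
/* Added example, not NullRabbit code: host-testable model of the XDP Guard fast
 * path. Parse and bare-SYN test mirror a per-packet XDP program; the window
 * counter is an assumed stand-in for the page's SYN-concurrency threshold. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SYN_THRESHOLD 4            /* assumed: bare SYNs per window that trip an alert */
#define WINDOW_NS 1000000000ULL    /* assumed: one-second window */

enum verdict { GUARD_PASS = 0, GUARD_ALERT = 1 };

/* Structured event handed to the userspace agent; dst_ip is host order. */
struct syn_event { uint64_t ts_ns; uint32_t dst_ip; uint16_t dst_port; uint32_t syn_count; };

/* Per-target state; a BPF map entry in the real program. alerted limits output
 * to one event per window rather than one per packet once the threshold is hit. */
struct guard_state { uint64_t window_start_ns; uint32_t syn_count; int alerted; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Ethernet/IPv4/TCP parse; returns 1 for a bare SYN (SYN set, ACK clear), else 0.
 * Every header read is preceded by a length check, as the verifier insists. */
int is_syn_packet(const uint8_t *data, size_t len, uint32_t *dst_ip, uint16_t *dst_port)
{
    if (len < 14 + 20 || rd16(data + 12) != 0x0800) return 0;   /* short or not IPv4 */
    const uint8_t *ip = data + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 20 || ip[9] != 6) return 0; /* bad IHL or not TCP */
    const uint8_t *tcp = ip + ihl;
    if (!(tcp[13] & 0x02) || (tcp[13] & 0x10)) return 0;        /* need SYN, reject SYN-ACK */
    *dst_ip = rd32(ip + 16);
    *dst_port = rd16(tcp + 2);
    return 1;
}

/* Per-packet fast path: count bare SYNs in the current window and, the first time
 * the count reaches SYN_THRESHOLD, fill *ev and return GUARD_ALERT. In monitor mode
 * the packet itself is passed either way; only the event is emitted. */
enum verdict guard_process(struct guard_state *st, uint64_t now_ns,
                           const uint8_t *pkt, size_t len, struct syn_event *ev)
{
    uint32_t dip; uint16_t dport;
    if (!is_syn_packet(pkt, len, &dip, &dport)) return GUARD_PASS;
    if (now_ns - st->window_start_ns >= WINDOW_NS) {             /* roll the window */
        st->window_start_ns = now_ns; st->syn_count = 0; st->alerted = 0;
    }
    st->syn_count++;
    if (st->syn_count >= SYN_THRESHOLD && !st->alerted) {
        st->alerted = 1;
        ev->ts_ns = now_ns; ev->dst_ip = dip; ev->dst_port = dport; ev->syn_count = st->syn_count;
        return GUARD_ALERT;
    }
    return GUARD_PASS;
}

/* What the userspace agent would serialise and publish: the event as compact JSON. */
int event_to_json(const struct syn_event *ev, char *out, size_t outlen)
{
    unsigned ip = ev->dst_ip;
    return snprintf(out, outlen,
        "{\"type\":\"syn_flood\",\"ts_ns\":%llu,\"dst\":\"%u.%u.%u.%u:%u\",\"syn_count\":%u}",
        (unsigned long long)ev->ts_ns, ip >> 24, (ip >> 16) & 0xffu, (ip >> 8) & 0xffu,
        ip & 0xffu, (unsigned)ev->dst_port, (unsigned)ev->syn_count);
}

/* Constructed test frame: Ethernet + IPv4 + TCP, 54 bytes, checksums left zero. */
size_t build_tcp_frame(uint8_t *buf, uint32_t dst_ip, uint16_t dst_port, uint8_t tcp_flags)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                              /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[9] = 6;                         /* IHL 5, total len 40, TCP */
    for (int i = 0; i < 4; i++) ip[16 + i] = (uint8_t)(dst_ip >> (24 - 8 * i));
    uint8_t *tcp = ip + 20;
    tcp[2] = (uint8_t)(dst_port >> 8); tcp[3] = (uint8_t)dst_port;
    tcp[12] = 0x50; tcp[13] = tcp_flags;                         /* data offset 5, flags */
    return 54;
}

/* Replay n identical frames 1 ms apart at 10.0.0.1:443 (constructed input). Returns
 * the 1-based index of the packet that raised the alert, or 0 if none did. */
int replay_burst(int n, uint8_t tcp_flags, struct syn_event *ev)
{
    struct guard_state st = {0};
    uint8_t pkt[54];
    size_t len = build_tcp_frame(pkt, 0x0A000001u, 443, tcp_flags);
    for (int i = 0; i < n; i++)
        if (guard_process(&st, (uint64_t)i * 1000000ULL, pkt, len, ev) == GUARD_ALERT)
            return i + 1;
    return 0;
}
```

Replaying ten bare SYNs with `replay_burst(10, 0x02, &ev)` raises the alert on the fourth packet and leaves `ev` carrying the timestamp, target and count that `event_to_json` turns into the payload the agent would publish; the same burst of SYN-ACKs (`0x12`) or plain ACKs (`0x10`) never trips it, which is the check worth keeping when tuning the threshold, since counting every SYN-flagged segment would alert on the server's own replies.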

The bottom-right pane shows the MQTT subscriber receiving those messages in real time. This is important: the alert is born inside the kernel, evaluated in userspace, carried over the message bus, and lands on a remote consumer - all in milliseconds. It demonstrates that the architecture can support distributed response logic and multi-node intelligence without blocking or slowing packet handling.

The top-right pane is simply the device’s status interface, included to show that the system can observe, classify and report high-rate events without affecting service-level behaviour.

While this is still an early prototype, it validates the core design: kernel-level fast-path detection enriched by a lightweight userspace control plane and a decoupled, message-driven analytics layer. Every other feature - correlation, scoring, automated enforcement, and multi-node orchestration - sits on top of this foundation.

The MQTT alert is relayed via Pub/Sub into our MVP dashboard, where the structured event appears almost instantly.
