yuki-antiddos is a lightweight L3βL4 anti-DDoS ruleset built on top of nftables and Linux kernel tuning.
It is designed to mitigate CPU-exhausting network attacks with:
- minimal overhead
- kernel-level filtering
- no userspace packet processing
This project targets environments where:
- bandwidth is not the main bottleneck
- CPU exhaustion is the real problem
- provider-side DDoS protection is insufficient
Works on:
- servers
- desktops & laptops (including hostile public networks)
- routers (with minor manual adjustments)
This project was born out of necessity.
A production server was targeted with advanced L3βL4 attacks.
The hosting provider claimed to have DDoS protection β and technically, they did.
However:
- it only covered attacks that saturated bandwidth
- it did not protect against attacks designed to overload CPU
No hosting provider used at the time offered protection against the specific attack patterns being used.
Existing public rulesets:
- were inefficient
- caused unnecessary CPU load
- or failed under real attack conditions
So the decision was made to write a custom ruleset focused specifically on CPU-bound attack mitigation.
The result provided full coverage for the observed attack vectors.
Since there were no solid ready-made solutions at the time, this project was later shared publicly.
- UDP floods
- SYN floods
- Reflection & amplification attacks
- Spoofed traffic
- High PPS junk traffic at L3βL4
- L7 / application-layer attacks
- Slowloris-style attacks
- Abuse of valid application logic
- Attacks hidden behind TLS
- Payload-level inspection attacks
This ruleset is optimized primarily for minimal CPU usage under high packet rates.
Core principles:
- early packet drops
- short rule traversal paths
- avoiding expensive matches in hot chains
- no logging at all
The goal is not to analyze traffic, but to reject garbage as early and cheaply as possible.
As a result, the ruleset remains effective under large PPS floods while keeping CPU usage stable.
- 𧬠Split-Chain Architecture
- π Drop Policy
- πΆ Stateful 2-Stage UDP rate limiting
- π‘οΈ Sysctl Hardening
- π Easy Updates
β οΈ This will removeufw,firewalld, and their configs.
sudo apt update \
&& sudo apt purge ufw firewalld -y \
&& sudo apt install nftables git bc iproute2 -y \
&& git clone https://github.com/mintyYuki/antiddos \
&& cd antiddos \
&& sudo bash antiddos-yuki| Distribution | Status |
|---|---|
| Ubuntu 24.04+ | β Fully supported, recommended |
| Ubuntu < 24.04 | |
| Debian 12+ | π‘ Partially supported |
| Other distros | β Not supported |
- nftables β packet filtering backend
- git β repository cloning
- bc, iproute2 β script utilities
Updating is straightforward:
- pull the latest changes from Git
- re-run the installation script
The ruleset is designed to be easily re-applied without restarting the network or the system.
Rollback mechanisms are currently limited. Always test updates on non-critical systems first.
On some systems, nftables rules may not survive reboot due to service behavior. This is not critical but may require a custom workaround.
There are no automated tests. Most testing happens on real servers under real workloads.
Automatic rollback is incomplete. In rare edge cases, SSH access may break without proper rollback.
Oracle Cloud heavily relies on preconfigured iptables rules. This script wipes existing rules and may break networking. Not supported.
Not supported.
