Show HN: Shibuya – A High-Performance WAF in Rust with eBPF and ML Engine

Published: February 23, 2026 at 01:36 PM EST

Source: Hacker News

Overview

I’ve been working on Shibuya, a next‑generation Web Application Firewall (WAF) built from the ground up in Rust. The goal was to create a WAF that doesn’t rely solely on legacy regex signatures, but can understand intent and operate at line‑rate using modern kernel features.

Key Features

Multi‑Layer Pipeline

  • Integrates a high‑performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.

eBPF Kernel Filtering

  • For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.

Dual ML Engine

  • ONNX‑based engine for anomaly detection.
  • Random Forest classifier to identify specific attack classes such as SQLi, XSS, and RCE.

API & GraphQL Protection

  • Deep inspection for GraphQL (depth and complexity analysis).
  • OpenAPI schema validation.

WASM Extensibility

  • Write and hot‑load custom security logic using WebAssembly plugins.

Ashigaru Lab

  • A deliberately vulnerable lab environment with six different services and a “Red Team Bot” to test the WAF against 100+ simulated payloads.

Dashboard

The dashboard is built with SvelteKit and offers:

  • Real‑time monitoring (ECharts)
  • “Panic Mode” for instant hardening
  • Visual editor for the YAML configuration

Feedback Request

I’m looking for feedback on the architecture and the performance of the Rust‑eBPF integration.

Comments on Hacker News (Points: 6)