Skip to content

Architecture & Design

Phantom Grid is an enterprise-grade invisible security infrastructure. It operates on the principle that "You cannot attack what you cannot see."

Core Components

The architecture consists of three interlocking security layers:

1. The Kernel Layer (eBPF Cloaking & Routing)

  • XDP Hook: Runs directly at the network card driver level (eth0). It inspects every incoming packet before the Linux network stack processes it.
  • Stealth Mode: All unauthorized traffic (including nmap scans) is silently dropped. The server appears to be offline.
  • Honeypot Routing: If an attacker attempts to connect to a decoy port (e.g., 3306), eBPF modifies the TCP destination port and recalculates the RFC1071 Checksum in nanoseconds, seamlessly redirecting the attacker to a local AI Honeypot.

2. The Network Layer (Zero Trust SPA V2)

  • Single Packet Authorization: To unlock the real services (e.g., API on port 8080), authorized users must send a cryptographic UDP packet.
  • Asymmetric Encryption: SPA uses Ed25519 key pairs. The packet payload includes a TOTP (Time-based One-Time Password).
  • IP Binding (Version 2): The packet explicitly embeds the ClientIP. The Verifier checks this IP against the actual source IP, and utilizes a Replay Cache to prevent packet hijacking.
  • Dynamic Whitelisting: Upon successful verification, the Verifier updates the eBPF Map, instructing the Kernel to let traffic from this specific IP pass through.

3. The Identity Layer (SPIFFE mTLS)

  • Workload Identity: Opening the port is not enough. The application layer requires a valid mTLS certificate.
  • Fleet Manager: Issues SPIFFE standard certificates.
  • Verification: The Reverse Proxy verifies the URI SAN of the certificate (e.g., spiffe://phantom.grid/service/backend-api). If the certificate is missing or invalid, the TLS handshake is aborted.

Visual Flow

  1. Attacker: -> Port 3306 -> XDP Checksum Redirect -> Honeypot (Port 9090)
  2. Scanner: -> Port 8080 -> XDP Drop -> Timeout
  3. Authorized Client:
    • Step A: Send SPA Packet (UDP)
    • Step B: Verifier validates Ed25519, IP-Binding, Replay Cache.
    • Step C: XDP allows IP.
    • Step D: Client connects to Port 8080 via mTLS.

Phantom Grid is an open-source Zero Trust security framework.