Architecture & Design
Phantom Grid is an enterprise-grade invisible security infrastructure. It operates on the principle that "You cannot attack what you cannot see."
Core Components
The architecture consists of three interlocking security layers:
1. The Kernel Layer (eBPF Cloaking & Routing)
- XDP Hook: Runs directly at the network card driver level (
eth0). It inspects every incoming packet before the Linux network stack processes it. - Stealth Mode: All unauthorized traffic (including
nmapscans) is silently dropped. The server appears to be offline. - Honeypot Routing: If an attacker attempts to connect to a decoy port (e.g.,
3306), eBPF modifies the TCP destination port and recalculates the RFC1071 Checksum in nanoseconds, seamlessly redirecting the attacker to a local AI Honeypot.
2. The Network Layer (Zero Trust SPA V2)
- Single Packet Authorization: To unlock the real services (e.g., API on port
8080), authorized users must send a cryptographic UDP packet. - Asymmetric Encryption: SPA uses
Ed25519key pairs. The packet payload includes a TOTP (Time-based One-Time Password). - IP Binding (Version 2): The packet explicitly embeds the
ClientIP. The Verifier checks this IP against the actual source IP, and utilizes a Replay Cache to prevent packet hijacking. - Dynamic Whitelisting: Upon successful verification, the Verifier updates the eBPF Map, instructing the Kernel to let traffic from this specific IP pass through.
3. The Identity Layer (SPIFFE mTLS)
- Workload Identity: Opening the port is not enough. The application layer requires a valid mTLS certificate.
- Fleet Manager: Issues SPIFFE standard certificates.
- Verification: The Reverse Proxy verifies the
URI SANof the certificate (e.g.,spiffe://phantom.grid/service/backend-api). If the certificate is missing or invalid, the TLS handshake is aborted.
Visual Flow
- Attacker: -> Port 3306 -> XDP Checksum Redirect -> Honeypot (Port 9090)
- Scanner: -> Port 8080 -> XDP Drop -> Timeout
- Authorized Client:
- Step A: Send SPA Packet (UDP)
- Step B: Verifier validates Ed25519, IP-Binding, Replay Cache.
- Step C: XDP allows IP.
- Step D: Client connects to Port 8080 via mTLS.
