# Reference Simulation: Volumetric Flood Protection and Edge Forensic Telemetry

**Bauxite Technical Demonstration Suite**  
*June 2026*

---

```text
Reproducibility

Repository:
docs/demos/security_telemetry/

Environment:
Ubuntu 22.04
Kernel 5.15+

Duration:
~30 seconds

Output:
MCAP recording
Packet drop metrics
Control loop telemetry

Objective:
Demonstrate XDP filtering and local forensic telemetry generation
under volumetric flood conditions.
```

---

## Abstract
Volumetric network floods targeting robotic middleware (e.g., DDS/RTPS traffic) can exhaust host CPU resources and introduce jitter into real-time processing, risking system unavailability. This paper evaluates a reference simulation of **Bauxite's Security Telemetry and eBPF/XDP Defense** system. We simulate a high-rate volumetric UDP flood of spoofed RTPS packets over a 20-second window. Under standard operation, the edge node maintains a stable 20 Hz point cloud and sub-millisecond control loop latency. During the flood, Bauxite's XDP filters discard incoming packets containing unauthorized GUID prefixes directly at the network interface layer. The simulated workload maintained stable control-loop timing throughout the attack phase. High-fidelity forensic metrics, including XDP packet drop statistics, ring buffer queue states, and cryptographic rotations, are written to an on-device MCAP log, creating an immutable audit trail with zero cloud storage dependencies.

---

## 1. Introduction
Autonomous edge nodes operate in remote, distributed environments. A common attack vector is volumetric denial-of-service: a rogue node connected to the local network broadcasts garbage packets to system-critical ports (such as the DDS RTPS ports).

Even if the application layer discards these packets, the operating system kernel must still process the interrupts, allocate socket buffers, and traverse the protocol stack. This process consumes CPU cycles and introduces jitter into the primary control loops. Bauxite resolves this by blocking malicious packets at the earliest possible stage: the network interface card (NIC) driver itself, using eBPF/XDP.

---

## 2. Security Telemetry and XDP Architecture
Bauxite's defense-in-depth model relies on two core components:

1. **Kernel-Level Packet Dropping**: An eBPF program is attached to the network interface XDP driver hook. When a packet is received, the filter checks the RTPS header. If the GUID prefix does not match the list of authorized nodes, the packet is instantly discarded via `XDP_DROP`.
2. **Edge MCAP Writer**: Discard events, kernel ring buffer utilization, and cryptographic key rotations are collected and written directly to local storage in MCAP (MCAP Container Archive Protocol) format. This creates an on-device forensic trail that is replayable locally, avoiding cloud transport fees.
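
The filter decision described in item 1, as an added example in userspace C (not Bauxite's own eBPF program): it walks Ethernet, IPv4 and UDP to the 20-byte RTPS header and compares the 12-byte GUID prefix against an allowlist. The allowlist entries, the function names, and the policy of passing non-RTPS traffic while dropping truncated RTPS headers are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Verdict values mirror XDP_DROP and XDP_PASS in the kernel's enum xdp_action. */
enum { VERDICT_DROP = 1, VERDICT_PASS = 2 };
#define GUID_PREFIX_LEN 12
#define RTPS_HDR_LEN 20 /* "RTPS" + version(2) + vendorId(2) + guidPrefix(12) */

/* Constructed allowlist: sample prefixes, not values from the demo. */
static const uint8_t allowed[][GUID_PREFIX_LEN] = {
    {0x01, 0x0f, 0xaa, 0xbb, 0, 0, 0, 0x01, 0, 0, 0, 0x01},
    {0x01, 0x0f, 0xaa, 0xbb, 0, 0, 0, 0x02, 0, 0, 0, 0x01},
};

/* Classify one frame; every read follows a length check, as the eBPF verifier requires. */
int rtps_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 14 + 20) return VERDICT_PASS;                      /* too short for Ethernet + IPv4 */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return VERDICT_PASS; /* EtherType is not IPv4 */
    size_t ihl = (size_t)(pkt[14] & 0x0f) * 4;                   /* IPv4 header may carry options */
    if (ihl < 20 || pkt[23] != 17) return VERDICT_PASS;          /* malformed IHL or not UDP */
    size_t off = 14 + ihl + 8;                                   /* first byte of UDP payload */
    if (len < off + 4 || memcmp(pkt + off, "RTPS", 4) != 0) return VERDICT_PASS; /* not RTPS */
    if (len < off + RTPS_HDR_LEN) return VERDICT_DROP;           /* truncated RTPS header */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (memcmp(pkt + off + 8, allowed[i], GUID_PREFIX_LEN) == 0)
            return VERDICT_PASS;                                 /* authorized node */
    return VERDICT_DROP;                                         /* unknown GUID prefix */
}

/* Build a constructed Ethernet/IPv4/UDP frame holding only an RTPS header. */
size_t build_frame(uint8_t *buf, const uint8_t *prefix)
{
    memset(buf, 0, 42 + RTPS_HDR_LEN);
    buf[12] = 0x08;                      /* EtherType 0x0800 (IPv4) */
    buf[14] = 0x45;                      /* IP version 4, IHL 5 (20 bytes) */
    buf[23] = 17;                        /* IP protocol: UDP */
    memcpy(buf + 42, "RTPS", 4);         /* RTPS protocol id */
    memcpy(buf + 50, prefix, GUID_PREFIX_LEN);
    return 42 + RTPS_HDR_LEN;
}

int main(void)
{
    uint8_t buf[64], rogue[GUID_PREFIX_LEN] = {0xff, 0xee, 0xdd}; /* constructed */
    printf("known: %d\n", rtps_verdict(buf, build_frame(buf, allowed[0])));
    printf("rogue: %d\n", rtps_verdict(buf, build_frame(buf, rogue)));
    return 0;
}
```

The sketch does not parse VLAN tags or IP fragments; an XDP filter needs an explicit policy for both.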

---

## 3. Methodology & Test Environment
The simulation environment is designed to evaluate Bauxite's volumetric flood protection performance:
* **Host Setup**: Standard Linux testbed (Ubuntu 22.04 LTS, kernel 5.15).
* **Setup**: Traffic is generated by a loopback network socket generator that broadcasts packets targeting the RTPS ports. A virtual workload runs a simulated control loop and sensor feedback stream.

The simulation is evaluated across three sequential phases:
* **Phase 1: Baseline Operation**: The autonomous node operates normally, receiving valid sensor data. Telemetry is written to MCAP.
* **Phase 2: Volumetric UDP Flood**: A packet generator is launched to transmit 50,000 UDP packets/second containing an unauthorized GUID prefix (`DEADBEEFCAFE...`). Bauxite's drop rates and system stability are recorded.
* **Phase 3: Forensic Replay & Audit**: The generated MCAP file is inspected to verify that all drops and queue statuses were accurately captured.

### Running the Demo
To run this simulation on the loopback interface for 20 seconds per act, execute:
```bash
./docs/demos/security_telemetry/run.sh lo 20
```
This configuration writes simulated telemetry logs to `/tmp/bauxite_recordings/`.

### Visualizing in Foxglove
Open Foxglove Studio, select the recorded MCAP file, and load the custom layout `docs/demos/security_telemetry/foxglove_layout.json` to inspect the 3D point cloud and packet drop logs.

---

## 4. Results and Performance Analysis

Telemetry data aggregated across 10 simulation trials is summarized in the table and chart below.

### System Resilience and Telemetry Capture Under Volumetric Attack (10-Trial Summary)
| Metric | Standard Stack (Unmitigated) | Bauxite Protected |
| :--- | :---: | :---: |
| **Malicious Packet Processing** | Kernel stack parsing and interrupt overhead | Dropped at network driver interface (XDP) |
| **Control Loop Jitter** | Elevated timing variance under packet flood | Stable control-loop timing maintained |
| **Sensor Data Framerate** | Degraded due to socket queue exhaustion | Stable at target rate (20 Hz) |
| **Kernel Queue Utilization** | High queue depth and buffer drops | Low queue utilization |
| **MCAP Log Generation** | Disabled | Enabled (Local forensic logging) |

### Volumetric Flood Drop Rate vs CPU Load
![Volumetric DDoS Attack Timeline](security_telemetry_chart.jpg)

During Phase 1, the system operates cleanly with zero drops. In Phase 2, the attack simulator broadcasts a high-volume flood of unauthorized RTPS packets. Because Bauxite drops these packets at the XDP level, the operating system kernel does not allocate socket buffers or invoke network stack processing.

As a result, CPU utilization showed no significant increase during the simulation. The simulated workload showed no observable increase in queue depth or processing latency. The 3D point cloud visualization maintains its stable 20 Hz refresh rate. The Edge MCAP writer successfully archives all drops and system status metrics into a compact file.

---

## 5. Conclusion
Protecting edge assets against volumetric floods is vital for operational availability. Bauxite's eBPF/XDP filter drops spoofed packets before normal kernel processing, shielding the robotic control stack from CPU starvation and generating high-resolution forensic evidence locally.

---

## Appendix: Raw Volumetric Attack and CPU Load Log

This appendix compiles telemetry records tracking packet transmission, XDP drop counts, host CPU load, and point cloud framerates during the volumetric attack simulation, aggregated across 10 trials:

| Time (s) | Phase | Sent Packets | XDP Drops | CPU Load (%) | Point Cloud (Hz) |
| :---: | :---: | :---: | :---: | :---: | :---: |
| **0.0** | Clean | 0 | 0 | ~3.4% | 20 Hz |
| **5.0** | Clean | 0 | 0 | ~3.4% | 20 Hz |
| **10.0** | Clean | 0 | 0 | ~3.4% | 20 Hz |
| **15.0** | Clean | 0 | 0 | ~3.4% | 20 Hz |
| **20.0** | Clean | 0 | 0 | ~3.4% | 20 Hz |
| **21.0** | Attack | approx. 50k | approx. 50k | ~3.4% | 20 Hz |
| **22.0** | Attack | approx. 100k | approx. 100k | ~3.4% | 20 Hz |
| **25.0** | Attack | approx. 250k | approx. 250k | ~3.4% | 20 Hz |
| **30.0** | Attack | approx. 500k | approx. 500k | ~3.4% | 20 Hz |
| **35.0** | Attack | approx. 750k | approx. 750k | ~3.4% | 20 Hz |
| **40.0** | Attack | approx. 1M | approx. 1M | ~3.4% | 20 Hz |