Evaluation of the Effectiveness of an eBPF/XDP-based Pre-filtering Firewall Using Random Forest for Traffic Anomaly Detection on Docker Swarm
Rohliyanto, Ahmad; Utami, Ema
JURNAL RISET KOMPUTER (JURIKOM) Vol. 13 No. 2 (2026): April 2026
Publisher : Universitas Budi Darma

DOI: 10.30865/jurikom.v13i2.9618

Abstract

Overlay networks in container orchestration platforms such as Docker Swarm are vulnerable to volumetric DDoS attacks, while conventional firewall solutions impose high overhead when processing large attack volumes. This paper presents the implementation and evaluation of an eBPF/XDP-based pre-filtering firewall that integrates detection rules derived from a Random Forest model to identify traffic anomalies in Docker Swarm overlay networks. Unlike previous studies that employ a single Decision Tree or process classification in user-space, this research extracts Random Forest rules into per-source-IP thresholds executed directly in the kernel via XDP and stored in an eBPF config_map to enable runtime updates without recompilation. The model was trained on the CIC-DDoS-2019 dataset (174,221 records, 65 features), achieving 99.88% accuracy, 99.90% detection rate, 0.14% false positive rate, and ROC-AUC of 0.9999. Experimental evaluation across seven testing scenarios with 10 iterations demonstrates that the XDP firewall drops over 99.9% of attack packets with a median response time of 0.69 ms, comparable to baseline conditions. CPU overhead remains low (0.92–1.18%) and throughput is maintained at approximately 920 Mbps. Differences between scenarios are statistically significant (p < 0.05) but with negligible practical effect (d < 0.25). Comparative analysis with iptables, both global rate limiting and per-IP hashlimit, indicates that all three approaches (XDP, global iptables, and per-IP iptables) effectively mitigate DDoS with comparable median response times.