EBAF – eBPF Based Ad Firewall

39 pointsposted 12 hours ago
by ARob109
(github.com)

45 Comments

mfro

10 hours ago

Absolutely no need to do kernel level packet filtering for this. You can use the absurdly easy hostfile approach, or a simple self-hosted DNS server. This looks entirely LLM generated as well.

Also... who the hell tries to make changes to a user's sudoers file from their install script? This is an awful project.

pogue

5 hours ago

Can you share a pre made hosts blocklist that is regularly updated & works on Spotify? The ones I've come across are all dated or still let ads through.

user

10 hours ago

[deleted]

add-sub-mul-div

10 hours ago

The great thing about AI coding is that you never have to learn enough judgment or context to know if something should be written a certain way or not!

therein

10 hours ago

The whole thing is AI generated and you can tell from subpar decisions made at every turn.

Retr0id

10 hours ago

I got AI-generated vibes from the banner image, which surprised me because I wouldn't expect someone to generate something so trivial.

So I investigated, lining up the real Spotify logo in GIMP - it doesn't match up, the details are different!

But then I checked the image metadata:

`Actions Software Agent Name : GPT-4o, OpenAI API`

Doh, I should've saved time and checked that first. TIL OpenAI explicitly watermarks their output images via metadata. It even has c2pa signatures (which I didn't bother trying to verify)

Retr0id

10 hours ago

After that hint, I thought I'd give the code a quick audit. The install script adds sudoers rules to allow ebaf executable to be run with no password[0] (and also to `pkill -P` any PPID).

The ebaf executable checks the current directory by default, to look for the ebpf code to load[1].

So, running the install script this allows any ebpf code to be loaded into the kernel without a sudo password. You probably don't want this! (I'm pretty sure that'd be enough for a root LPE)

Further, the ebaf executable writes logs to a file named `/tmp/ebaf-stats.dat` [2]. An unprivileged user could put a symlink here, causing the destination file to get clobbered.

It also re-resolves all domain names every 600 seconds. Given that there are over a thousand domains listed, that's quite a lot of DNS traffic! [3]

Also, the "web dashboard" claims to listen on localhost, but it actually listens on INADDR_ANY [4]

[0] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...

[1] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...

[2] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...

[3] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...

[4] https://github.com/Kazedaa/eBAF/blob/8f88cefe0b5a837aa99f454...

bobbyraduloff

10 hours ago

The README itself is also very much in the style of ChatGPT. It loves the to overuse rhetorical questions.

What I find most interesting is that it apparently didn’t trigger their content filters which, at least previously, were also blocking piracy stuff.

_benj

11 hours ago

How is this different than other ip or dns ad blockers?

I see that it all comes down to a blacklist of urls. Wouldn’t eBPF just make things more complicated?

jeroenhd

11 hours ago

Effectively, not a lot. eBPF does have the capabilities to do more than a regular firewall, but this just seems to do an IP lookup in a blacklist file.

If you buy a fancy network card from a company like Nvidia, you could run the eBPF program on the card itself and the kernel wouldn't even see the packet come in. This use case doesn't seem like it'd need that kind of performance tweak, though.

It's useful as a fun project to experiment with eBPF, though!

blipvert

10 hours ago

Do you have a model number for an Nvidia offload card? I thought that only Netronome did them and that they were kinda long in the tooth now. I’d love to get my hands on one.

ranger_danger

11 hours ago

It's one program that blocks everything everywhere, and doesn't rely on specific firewall configurations or DNS resolvers to be able to block requests.

And because it uses eBPF, technically (it probably doesn't support this yet but it could) you could block requests at the application level, even if it uses TLS, before it ever even gets to a resolver or firewall.

Taking that fact even further, this means that not only well-behaved resolv.conf-reading applications are blocked, but programs that use their own DoH/DoT could be as well. Your browser wouldn't even need an ad-blocker extension. Your local resolver and your VPN-specific resolver both continue to work normally while also blocking what you want.

benreesman

11 hours ago

This is the killer eBPF usecase for the non-engineer user: getting underneath TLS and DoH (which have both been effectively weaponized at this point).

No means no, my computer my choice. sudo build a real product.

JoshTriplett

10 hours ago

> getting underneath TLS and DoH (which have both been effectively weaponized at this point).

Only to the extent you are running software you don't trust. If you're running a user agent (e.g. a browser), rather than an app, you can easily do full ad-blocking much more effectively.

Calling TLS and DoH a weapon because apps you don't trust can use them to maintain integrity of their connections is like calling secure coding practices a weapon because they make jailbreaking harder.

benreesman

8 hours ago

Yeah I'm just going to have to completely disagree at a militant volume. Keeping the contents of connections made on my behalf secure from my own inspection is fucked up and I want harm to befall those that do so.

I'm not a little angry about surveillance capitalism, I'm start a war angry about it.

JoshTriplett

7 hours ago

I agree with your frustration, and just fundamentally disagree with your attribution of blame. Security is a feature. Software that works against its user is an awful thing. Security features that help secure software for the benefit of users do not become bad just because they also help secure software that works against the user. The solution there is not running software that works against its user.

Eliminating buffer overruns across the entire industry will also make it harder to e.g. jailbreak game consoles or iOS devices. That doesn't make it bad to eliminate buffer overruns; the problem is with devices requiring jailbreaking in the first place, rather than serving their users.

If you believe that TLS and DoH do more harm than good, you may be in a bubble where e.g. things like pihole are common, rather than being obscure tools used by highly technical users who tolerate and debug breakage.

benreesman

7 hours ago

Maybe we agree and maybe not, I'm unsure.

I don't think there is any justification for shipping software with exploitable security problems on purpose, and it sounds like I maybe gave you the impression I do. I think all software should be as secure as it's feasible to make it.

But I don't think that security should ever operate against the person who bought the device and is sitting in front of it. I don't think anything on my device or anyone's should be able to phone home in a way that is secure from me: and so I am very happy with things like eBPF that make root mean root.

I think that there are certain things you do not do as a professional, as a moral person, as a person who wants to be proud of what you've done. And both TLS and DoH are now routinely used by vendors to do things that users don't know about, don't want, wouldn't consent to if they knew, and I think people should go to jail over it.

I worked in big consumer internet during the period when it was beloved, and during the period where it was starting to get sketchy, and at some point I walked away from millions in unvested stock because a line had been crossed.

Near as I can tell a lot of us with reservations left, and those that remain are those with few if any qualms of any kind.

JoshTriplett

5 hours ago

> I think all software should be as secure as it's feasible to make it. But I don't think that security should ever operate against the person who bought the device and is sitting in front of it.

I don't think that software, in general, should place the interests of the software author above the interests of the user.¹ I just don't think that's specific to TLS or DoH; it's a general problem of running software that doesn't operate in your best interests. And I feel like laying the blame for that on TLS or DoH, rather than on the software author working against the user's interests, has the net result of making it harder to make software more secure, because it contributes to pushback against those technologies in general.

¹ Modulo some reasonable caveats and subtleties like following standards, which place one interest of the user above another interest of the user.

I think TLS and DoH are net wins in the world, due to all the positive benefits they have, despite the fact that they (like many many other technologies) are also sometimes used for anti-user purposes.

And, of course, if you control a device that includes controlling the software running on the device, which includes arbitrarily debugging, intercepting, or modifying it. I'm glad to see people who legitimately control a device using whatever technologies they desire to prevent software from working against their interests. (Though I continue to believe the right solution there is to not run software that runs against your interests in the first place, whenever possible.)

benreesman

4 hours ago

Well fortunately for user choice there are people like me who are going to build and distribute software that is not prescriptive about what certificate authorities users should be compelled to accept as net wins as well as people like you who apparently are willing to navigate a twisty rhetorical maze before arriving back at: status quo, intact.

my intention is to render your net win calculation irrelevant by letting users decide and educating them about the implications of trusting people like you.

user

11 hours ago

[deleted]

sbarre

11 hours ago

> We’re not here to pirate. We’re here to opt out.

Then "opt out" by not using the product? No one has a right to use Spotify. If you don't like the terms, don't use the service.

I'll never get why people smart enough to build something technically impressive like this feel the need to throw these completely childish pseudo-rationalizations out there. Yeah, you are stealing actually.. Is it that big of a deal? Nope. But it still is what it is.

Do they think this kind of false-moralizing will protect them from DMCA takedowns or something?

breppp

10 hours ago

Artists are earning pennies of what subscribers are paying? then let's not pay, that will show them artists

immibis

8 hours ago

Some people choose to pirate media and then pay the full price to the artists directly.

const_cast

3 hours ago

These people are largely theoretical - I've heard this many times, but I've never seen it.

Regardless, I don't necessarily think piracy is immoral. There's a lot of situations where it's the only viable option. However, we should acknowledge that most people are pirating because they are cheap. Which, to me, isn't a sustainable model for anyone. Pirates want music, too, and if they keep this up then they lose as well.

toomuchtodo

10 hours ago

You're "stealing" (if you can even call it that) from Spotify, not artists. As of July 2025, Spotify has a market cap of $145.48B USD. This makes Spotify the world's 118th most valuable company by market cap. They'll be fine. No one has a right to revenue or profit.

Mental models differ, it is what it is. Stealing from artists is of course always poor form, don't do that.

sbarre

10 hours ago

Curious where exactly do you draw your line when it comes to who it's ok to steal from and who it's not? Do you have a formula or something?

Or is just an arbitrary bar of convenience that you set case-by-case depending on how you want to feel about it?

> No one has a right to revenue or profit.

I certainly didn't imply anything this universal. But as a society we do have laws, and if you engage with Spotify's product, you agree to their terms, and in that very specific context they do have a legal right to see their terms held up.

Now.. will they go after you for bypassing their ads? Probably not. Will your actions have a negative impact on them? Again, nope.. I definitely agree with you that they'll be fine..

But then the people who make these products that facilitate this kind of activity should just have the conviction to stand by their actions and say "yep we're helping you steal from Spotify".

Just own it, especially if your justification is "it doesn't matter anyways".

toomuchtodo

10 hours ago

"Can this multinational company afford it?" and "Will this incur a felony or similar judicial record?" is my bar, broadly speaking. Never take from someone who cannot afford it, or where it would be material to them. Bits, never fiat. Laws are just words, how you decide which to ignore is a function of potential legal exposure and your belief system.

I pay for Spotify because I’m lazy and can afford it, but rip whatever I want from YouTube, for example. I own it, I do not care. Why would one care what random strangers think of them?

sbarre

10 hours ago

> Laws are just words

Spoken from a place of security, comfort and privilege no doubt.. All afforded by the laws of the land. ;-)

toomuchtodo

10 hours ago

Strange argument. The laws bind economically to extract (“these bits are gated, you must pay or go to jail for not paying for them” in this context), they are not affording what you describe. Ignoring or evading them is where the security, comfort, and privilege come from. Freedom is being ungovernable.

“Laws are threats made by the dominant socioeconomic-ethnic group in a given nation. It’s just the promise of violence that’s enacted and the police are basically an occupying army.” is a fun quote on this. Laws don’t protect me, they protect those with property and capital, as well as large companies that have limited to no liability. I protect me.

Anyway, I block ads and don’t care.

immibis

8 hours ago

Doubt. All the most successful people are the ones who push the limits of which laws they can ignore. Just see any big tech founder-CEO.

immibis

8 hours ago

Spotify also doesn't have a right to unmodified client systems.

If their server sends you bits, why should you delete the bits? If you accidentally sent them the wrong bits, do you think they'd be nice enough to delete them? Pre-emptively before receiving any notification from you?

Terms are irrelevant and in most cases have no legal power at all. Fighting back with technical power (as YouTube has done) is fair game though.

The golden rule of capitalism is to do everything in your physical ability to improve your individual situation at the expense of others. Feel free to come to an agreement with Spotify, that neither of you will do capitalism against the other. Until then, you should probably play the game or you will lose by default. Spotify isn't that important but you should definitely get into the mindset of playing the hand you're dealt.

sciencesama

11 hours ago

extend this like pihole so we can use it for reddit and facebook and instagram ad blocking using proxy !

user

10 hours ago

[deleted]

user

11 hours ago

[deleted]

bobbyraduloff

10 hours ago

Kernel level packet filtering to avoid Spotify ads is about the same level of mental gymnastics as the GPT-generated “we’re not pirates” argument in their README.

While Spotify is obviously an immoral company, you, the person reading this, are not entitled to free 24/7 cloud-streamed music on demand. They are a business and they don’t owe that service to you on principle.

If you don’t like them as a company, there’s way to purchase the music directly (remember how we all used the iTunes Store back in the day) and there are other streaming services whose morals you might find more acceptable.

To be clear, I’m not making some grand “piracy is evil” argument, but I’m saying that to publish software enabling piracy with the justification that a business’ free service is not good enough value for you is a bit out there.

NoMoreNicksLeft

10 hours ago

>you, the person reading this, are not entitled to free 24/7 cloud-streamed music on demand.

I took it anyway. I have a few terabytes of flac that I stream through Plex when I feel like it. I dare anyone to stop me. Pay hard drive manufacturers, not IP companies.

Marsymars

10 hours ago

> Kernel level packet filtering to avoid Spotify ads is about the same level of mental gymnastics as the GPT-generated “we’re not pirates” argument in their README.

This jumble of sentences stuck out to me as logically incoherent, but not necessarily LLM-generated. I guess I need to update my mental model a bit to account for more things being being LLM-generated.

immibis

8 hours ago

Neither is Spotify owed anything from you. They aren't owed money, unless you agreed to pay them money (actually agreed, not clickwrap). They aren't owed ad views, because clickwrap agreements to watch ads generally don't actually have any legal force. And if they think they do, let them sue you and find out. You don't owe them advance compliance according to what would benefit them the most, but they benefit greatly from you thinking you do.

This applies to a lot of things, not Spotify in particular.

alephnerd

11 hours ago

I'm curious about it's eBPF coexistence capabilities. If you are running an XDR like Crowdstrike, this might interfere with their eBPF sensors for Linux desktops.

jekwoooooe

11 hours ago

Not proposing a moral opinion but this is still piracy no matter how much they deny it. The contract with free Spotify is you receive ads.

GuinansEyebrows

10 hours ago

no advertiser has the right to tell me how to process their advertising data. hypothetically, once it's in my network, i can do whatever i please with it.

jekwoooooe

9 hours ago

That doesn’t make any sense that’s like saying you should be allowed to trick your bank into giving you free money because you processed their website “in your network”

GuinansEyebrows

8 hours ago

what? not at all. nobody thinks its bad that you're allowed to skip ads on podcasts by fast-forwarding (outside of advertisers). the ad has been delivered to my device by the advertiser. it's my choice to ingest it into my physical/mental body, or not.

therein

10 hours ago

>once it's in my network, i can do whatever i please with it.

But that literally applies to any online licensing check flow.

And extends to binaries that are on your disk. I can patch that conditional jump, it is on my hard drive.