Blackwall Traps Scanners in LLM Tarpit

This is a smart security toy that crosses the line into genuinely interesting infrastructure: the eBPF layer handles fast blocking, while the LLM layer turns deception into an active control plane.

• –The kernel-side XDP/JA4 work makes this more than a chatbot demo; the LLM is only one piece of a lower-level detection pipeline
• –The fake shell turns “blocking” into “stalling,” which is often more useful against opportunistic scanners and botnet activity
• –The project is strongest as a honeypot/deception system, not a general-purpose firewall replacement
• –Local-model support via Ollama keeps the attack simulation self-contained, which matters for security tooling
• –The main tradeoff is complexity: combining eBPF, behavioral scoring, and LLM responses raises the maintenance bar fast