Presentation: XDP in Practice: DDoS Mitigation @Cloudflare
What You’ll Learn
- Hear about Cloudflare’s pipeline used to mitigate DDoS attacks.
- Find out about XDP and eBPF.
- Hear how Cloudflare has been migrating to these new technologies to filter malicious traffic efficiently.
Abstract
XDP (eXpress Data Path) is a Linux kernel technology that brings fast packet processing to native Linux.
Historically, Linux required specialized patches or kernel-bypass frameworks to reduce the overhead of network packet processing. XDP fixes that: it allows packet filtering, modification and retransmission with arbitrary user logic, executed in the driver before the kernel has allocated a socket buffer for the packet.
The logic of an XDP program is expressed in eBPF, a bytecode format for programs that run in an in-kernel virtual machine. It lets a user run arbitrary code in kernel space, safely and with great performance. Safety is enforced by the in-kernel verifier, which statically checks every program when it is loaded: each access to packet memory must be proven in-bounds, and the program must provably terminate, which caps per-packet processing time. Speed comes from JIT-compiling the eBPF program to native machine code, even when it relies on data structures such as eBPF maps.
This talk will introduce the following topics:
- The architecture of Cloudflare’s automatic DDoS mitigation pipeline
- Our initial packet filtering solution based on iptables, and why we had to introduce userspace offload
- An introduction to XDP and eBPF
- How we switched from a proprietary offload technology to XDP for network stack bypass
- Using XDP to load balance traffic
What's the main focus of the work that you do today?
I'm currently working in the DDoS mitigation team at Cloudflare London, where I spend my time daily on a few different areas. There are in fact many different tasks involved in keeping the DDoS mitigation pipeline up. Every time we see something new, we jump on it and take a look to try to understand what's going on. I also spend some time working on the Linux kernel, because at Cloudflare we have a couple of Linux patches that we wrote. And from time to time there are major changes to our pipeline, for example introducing XDP support into the DDoS pipeline, which is a big task that is going to take quite a lot of time. This is roughly what I do.
What's the motivation for the talk?
The idea behind this talk is to give people operational feedback. We want to show people how to use XDP in a production environment. At QCon the motivation is a bit broader, because the audience is not composed of Linux kernel developers. We want to create some awareness around XDP, because many people may not know it and we think it's just a great tool.
What is XDP?
XDP is a set of technologies which allow you to filter and modify network traffic, and to do that at the lowest possible layer of the network stack. It's great mainly for performance reasons. XDP is not a totally new idea: there are already similar technologies such as Netmap or DPDK. All these frameworks are well known, but the great thing about XDP is that it is included in the Linux kernel. The second thing is that it uses eBPF, which allows you to run C code in kernel space, but safely. An eBPF program will never crash your kernel. It's a way to offer kernel programmability while maintaining safety guarantees.
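To make the abstract's verifier and "never crash your kernel" points concrete, here is an added example (not Cloudflare's code and not from the talk): the parsing and verdict logic of a minimal XDP filter that drops UDP packets addressed to one hypothetical victim port. Port 53, the build command, the interface name and all identifiers are assumptions. The filter is plain C so it can be compiled and unit-tested natively; when compiled with `clang -O2 -g -target bpf -c xdp_filter.c -o xdp_filter.o` the `#ifdef __bpf__` section turns the same function into a real XDP program. The bounds checks before every header dereference are the part the verifier insists on: drop one and the program is rejected at load time rather than allowed to read past the packet.

```c
/* Added example (not Cloudflare's code): minimal XDP drop-by-port filter,
 * compilable natively for tests and as an XDP program with -target bpf. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
#include <stdio.h>
/* Native build: stand-ins for the xdp_action values in <linux/bpf.h>. */
enum { XDP_DROP = 1, XDP_PASS = 2 };
#endif

#define ETH_P_IP        0x0800
#define IPPROTO_TCP     6
#define IPPROTO_UDP     17
#define VICTIM_UDP_PORT 53   /* assumption: the port under attack */

/* Minimal header layouts (byte arrays only, so no padding or endianness
 * surprises); declared here so the file needs no uapi headers. */
struct eth_hdr { uint8_t dst[6], src[6], proto[2]; };
struct ip4_hdr { uint8_t ver_ihl, tos, tot_len[2], id[2], frag_off[2], ttl, protocol,
                 check[2], saddr[4], daddr[4]; };
struct udp_hdr { uint8_t sport[2], dport[2], len[2], check[2]; };

static inline uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static inline void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* The filter. Every header is compared against data_end BEFORE it is read;
 * the eBPF verifier refuses to load the program without such a proof, and the
 * same checks keep the native build safe on truncated input. */
static int filter_packet(const void *data, const void *data_end)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end)
        return XDP_PASS;                         /* runt frame: leave it to the stack */
    if (get_be16(eth->proto) != ETH_P_IP)
        return XDP_PASS;                         /* only IPv4 is filtered here */

    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const void *)(ip + 1) > data_end)
        return XDP_PASS;
    if ((ip->ver_ihl >> 4) != 4 || ip->protocol != IPPROTO_UDP)
        return XDP_PASS;
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;  /* options may follow the 20-byte header */
    if (ihl < sizeof(*ip))
        return XDP_PASS;                         /* malformed IHL */
    if (get_be16(ip->frag_off) & 0x1fff)
        return XDP_PASS;                         /* non-first fragment: carries no UDP header */

    const struct udp_hdr *udp = (const struct udp_hdr *)((const uint8_t *)ip + ihl);
    if ((const void *)(udp + 1) > data_end)
        return XDP_PASS;
    return get_be16(udp->dport) == VICTIM_UDP_PORT ? XDP_DROP : XDP_PASS;
}

#ifdef __bpf__
SEC("xdp")
int xdp_drop_victim_port(struct xdp_md *ctx)
{
    return filter_packet((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
/* Native-only scaffolding: a constructed Ethernet/IPv4/UDP frame with 8 bytes
 * of payload and no checksums; returns its length (50 bytes). */
static size_t build_frame(uint8_t *buf, size_t cap, uint8_t proto, uint16_t dport)
{
    const size_t len = sizeof(struct eth_hdr) + sizeof(struct ip4_hdr) + sizeof(struct udp_hdr) + 8;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    put_be16(eth->proto, ETH_P_IP);
    struct ip4_hdr *ip = (struct ip4_hdr *)(eth + 1);
    ip->ver_ihl = 0x45;
    put_be16(ip->tot_len, (uint16_t)(len - sizeof(*eth)));
    ip->ttl = 64;
    ip->protocol = proto;
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    put_be16(udp->sport, 40000);
    put_be16(udp->dport, dport);
    put_be16(udp->len, (uint16_t)(sizeof(*udp) + 8));
    return len;
}

/* Run the filter over a constructed frame, optionally pretending it ends after
 * `visible` bytes (0 = whole frame) to exercise the bounds checks. */
static int verdict_for(uint8_t proto, uint16_t dport, size_t visible)
{
    uint8_t frame[64];
    size_t len = build_frame(frame, sizeof frame, proto, dport);
    if (visible == 0 || visible > len)
        visible = len;
    return filter_packet(frame, frame + visible);
}

int main(void)
{
    printf("UDP/%d: %s\n", VICTIM_UDP_PORT, verdict_for(IPPROTO_UDP, VICTIM_UDP_PORT, 0) == XDP_DROP ? "DROP" : "PASS");
    printf("UDP/443: %s\n", verdict_for(IPPROTO_UDP, 443, 0) == XDP_DROP ? "DROP" : "PASS");
    printf("TCP/%d: %s\n", VICTIM_UDP_PORT, verdict_for(IPPROTO_TCP, VICTIM_UDP_PORT, 0) == XDP_DROP ? "DROP" : "PASS");
    printf("UDP/%d truncated to 40 bytes: %s\n", VICTIM_UDP_PORT, verdict_for(IPPROTO_UDP, VICTIM_UDP_PORT, 40) == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
#endif
```

Attaching the object with iproute2 (`ip link set dev eth0 xdp obj xdp_filter.o sec xdp`, interface name assumed) makes the verdict run in the driver for every frame. A production filter would not hard-code the port: it would look the destination port, or the source address, up in an eBPF map that the userspace mitigation pipeline updates as attacks come and go, which is what lets the program stay loaded while the rules change.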
Who are you talking to?
I expect the audience to be network and system engineers who understand networking and have basic knowledge of the Linux kernel, but that's not a strong requirement, because part of the talk is generic, about how Cloudflare architected its DDoS mitigation pipeline. So even if you don't have a strong understanding of Linux you can follow the talk.
What do you want someone to leave the talk with?
I want to talk about XDP and eBPF and show that they are powerful tools to filter and modify network traffic on Linux, as fast and as safely as possible.