Presentation: XDP in Practice: DDoS Mitigation @Cloudflare

Track: Operating Systems: LinuxKit, Unikernels, & Beyond

Location: Windsor, 5th flr.

Duration: 2:55pm - 3:45pm

Day of week: Wednesday

Level: Advanced


What You’ll Learn

  • Hear about Cloudflare’s pipeline used to mitigate DDoS attacks.
  • Find out about XDP and eBPF.
  • Hear how Cloudflare has been migrating to these technologies to filter malicious traffic efficiently.


XDP (eXpress Data Path) is a Linux kernel technology that brings fast packet processing to a stock Linux network stack.

Historically, Linux needed out-of-tree patches or kernel-bypass frameworks to cut the per-packet overhead of the network stack. XDP fixes that: it runs user-supplied logic on each packet at the earliest point of the driver's receive path, before the kernel allocates a socket buffer, and lets that logic drop, modify, pass or retransmit the packet.

The logic of an XDP program is expressed in eBPF, a bytecode format for programs that run in an in-kernel virtual machine. It lets a user run arbitrary code in kernel space, safely and with high performance. Safety is enforced by the in-kernel verifier, which statically checks every program before it is loaded: each memory access must be proven in bounds and execution must be bounded, so a program cannot crash the kernel and per-packet processing time has a hard upper limit. Speed comes from JIT-compiling the eBPF bytecode to native machine code, including its accesses to data structures such as eBPF maps, which the program shares with userspace.
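The following host-side C is an added illustration, not code from the talk or from Cloudflare's pipeline. It mirrors the shape of a filtering XDP program: parse Ethernet/IPv4/UDP with a bounds check before every read (the discipline the verifier enforces; in the kernel each check is a pointer comparison against `ctx->data_end` inside a function marked `SEC("xdp")`), consult a blocklist and bump drop counters (here plain arrays standing in for a `BPF_MAP_TYPE_HASH` and a `BPF_MAP_TYPE_PERCPU_ARRAY`), and return an `xdp_action` verdict. The blocked addresses, the reflector-port rule and the test frames are constructed for the example and are not Cloudflare's rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict codes with the same values as enum xdp_action in <linux/bpf.h>. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

#define ETH_HLEN    14      /* Ethernet II header length */
#define ETH_P_IP    0x0800  /* EtherType for IPv4 */
#define IPV4_HLEN   20      /* IPv4 header without options */
#define UDP_HLEN    8
#define IPPROTO_UDP 17

/* Stand-ins for eBPF maps (assumption for this example). In the kernel program
 * the blocklist would be a BPF_MAP_TYPE_HASH keyed by source address and the
 * counters a BPF_MAP_TYPE_PERCPU_ARRAY, both updated from userspace via bpf(2).
 * Addresses are constructed test values from the 192.0.2.0/24 documentation net. */
static const uint32_t blocked_src[] = { 0xC0000201u /* 192.0.2.1 */, 0xC0000202u /* 192.0.2.2 */ };
enum { CTR_BLOCKLIST = 0, CTR_AMPLIFICATION, CTR_MALFORMED, CTR_MAX };
static unsigned long drop_counters[CTR_MAX];

/* Byte-wise big-endian reads: no alignment assumptions, no ntohs() needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static int src_blocked(uint32_t saddr)
{
    for (size_t i = 0; i < sizeof(blocked_src) / sizeof(blocked_src[0]); i++)
        if (blocked_src[i] == saddr)
            return 1;
    return 0;
}

/* Classify one frame of `len` bytes starting at `data`. Every header read is
 * preceded by a length check; the verifier rejects an XDP program that reads
 * past data_end, so the real program has the same checks as pointer compares. */
int xdp_verdict(const uint8_t *data, size_t len)
{
    if (len < ETH_HLEN || rd16(data + 12) != ETH_P_IP)
        return XDP_PASS;                       /* not IPv4: leave it to the stack */
    const uint8_t *ip = data + ETH_HLEN;
    size_t remaining = len - ETH_HLEN;
    if (remaining < IPV4_HLEN)
        return XDP_PASS;                       /* too short to judge */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length incl. options */
    if ((ip[0] >> 4) != 4 || ihl < IPV4_HLEN || ihl > remaining) {
        drop_counters[CTR_MALFORMED]++;        /* bogus version or IHL */
        return XDP_DROP;
    }
    if (src_blocked(rd32(ip + 12))) {          /* source address at offset 12 */
        drop_counters[CTR_BLOCKLIST]++;
        return XDP_DROP;
    }
    if (ip[9] != IPPROTO_UDP || remaining - ihl < UDP_HLEN)
        return XDP_PASS;
    /* Illustrative amplification rule: unsolicited replies from well-known
     * reflector ports (NTP, SSDP, memcached) are dropped. */
    uint16_t sport = rd16(ip + ihl);
    if (sport == 123 || sport == 1900 || sport == 11211) {
        drop_counters[CTR_AMPLIFICATION]++;
        return XDP_DROP;
    }
    return XDP_PASS;
}

/* Build a constructed Ethernet/IPv4/UDP frame (zero MACs and payload, zero
 * checksums; XDP does not validate checksums). Returns the frame length. */
size_t build_udp_frame(uint8_t *buf, uint32_t saddr, uint16_t sport, uint16_t dport, size_t payload_len)
{
    size_t ip_len = IPV4_HLEN + UDP_HLEN + payload_len;
    uint32_t daddr = 0xC6336401u;              /* 198.51.100.1, the protected host */
    memset(buf, 0, ETH_HLEN + ip_len);
    buf[12] = 0x08; buf[13] = 0x00;            /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                              /* version 4, IHL 5 words */
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64;                                /* TTL */
    ip[9] = IPPROTO_UDP;
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    uint8_t *udp = ip + IPV4_HLEN;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)((UDP_HLEN + payload_len) >> 8); udp[5] = (uint8_t)(UDP_HLEN + payload_len);
    return ETH_HLEN + ip_len;
}

static const char *verdict_name(int v) { return v == XDP_DROP ? "XDP_DROP" : "XDP_PASS"; }

int main(void)
{
    uint8_t frame[256];
    size_t n = build_udp_frame(frame, 0xC0000201u, 40000, 53, 32);   /* blocklisted source */
    printf("blocklisted source -> %s\n", verdict_name(xdp_verdict(frame, n)));
    n = build_udp_frame(frame, 0xCB007101u, 123, 40000, 32);         /* NTP reflection */
    printf("NTP reflection     -> %s\n", verdict_name(xdp_verdict(frame, n)));
    n = build_udp_frame(frame, 0xCB007101u, 40000, 53, 32);          /* ordinary DNS query */
    printf("ordinary DNS query -> %s\n", verdict_name(xdp_verdict(frame, n)));
    return 0;
}
```

The order of the checks is the practical point: the cheap, early rejections (blocklisted source, malformed header) run before any deeper parsing, and nothing the program cannot fully parse is dropped on a guess, it is passed to the stack, which is the safe default for a filter that sits in front of every packet the NIC delivers.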

This talk will introduce the following topics:

  • The architecture of Cloudflare’s automatic DDoS mitigation pipeline

  • Our initial packet-filtering solution based on iptables, and why we had to introduce userspace offload

  • An introduction to XDP and eBPF

  • How we switched from a proprietary offload technology to XDP for network stack bypass

  • Using XDP to load balance traffic


What's the main focus of the work that you do today?


I'm currently working in the DDoS mitigation team at Cloudflare London, where I spend my time on a few different areas. There are in fact many different tasks involved in keeping the DDoS mitigation pipeline up. Every time we see something new, we jump on it and take a look to try to understand what's going on. I also spend some time working on the Linux kernel, because at Cloudflare we have a couple of Linux patches that we wrote. And from time to time there are major changes to our pipeline, for example introducing XDP support into the DDoS pipeline, which is a big task that is going to take quite a lot of time. This is roughly what I do.


What's the motivation for the talk?


The idea behind this talk is to give people operational feedback. We want to show people how to use XDP in a production environment. At QCon the motivation is a bit broader, because the audience is not composed of Linux kernel developers. We want to create some awareness around XDP, because many people may not know it and we think it's just a great tool.


What is XDP?


XDP is a set of technologies which allow you to filter and modify network traffic, and to do that at the lowest possible layer of the network stack. It's great mainly for performance reasons. XDP is not a totally new idea: there are already similar technologies such as Netmap or DPDK. All these frameworks are well known, but the great thing about XDP is that it is included in the Linux kernel. The second thing is that it uses eBPF, which allows you to run C code in kernel space, but safely. An eBPF program will never crash your kernel. It's a way to offer kernel programmability while maintaining safety guarantees.


Who are you talking to?


I expect the audience to be network and system engineers who understand networking and have basic knowledge of the Linux kernel, but that's not a strong requirement, because part of the talk is generic, about how Cloudflare architected its DDoS mitigation pipeline. So even if you don't have a strong understanding of Linux, you can follow the talk.


What do you want someone to leave the talk with?


I want to talk about XDP and eBPF and show that they are powerful tools for filtering and modifying network traffic on Linux as fast and as safely as possible.

Speaker: Gilberto Bertin

System Engineer @Cloudflare London

Gilberto Bertin is originally from a little Italian town near Venice, and loves tinkering with low level systems, especially networking code.

After working on a variety of technologies such as P2P VPNs and userspace TCP/IP stacks, he joined the Cloudflare DDoS team in London to help filter all the bad internet traffic.
