SESSION + Live Q&A

XDP in Practice: DDoS Mitigation @Cloudflare

XDP (eXpress Data Path) is a Linux kernel technology that brings fast packet processing to the native Linux network stack.

Historically, cutting the overhead of packet processing on Linux meant out-of-tree kernel patches or bypassing the kernel network stack altogether. XDP fixes that: it runs user-supplied logic in the network driver's receive path, before the kernel allocates a socket buffer, and lets that logic filter, modify and retransmit packets.

The logic of an XDP program is expressed in eBPF, a bytecode format for programs that run in an in-kernel virtual machine. It lets a user run their own code in kernel space, safely and with high performance. Safety is enforced by the eBPF verifier, which statically checks the bytecode at load time: it rejects programs with unbounded loops, out-of-bounds memory accesses or unchecked pointer dereferences, so a loaded program is guaranteed to terminate within a bounded number of instructions per packet and cannot corrupt or crash the kernel. Speed comes from JIT-compiling the verified bytecode to native machine code, including its accesses to shared data structures such as eBPF maps.

This talk will introduce the following topics:

  • The architecture of Cloudflare’s automatic DDoS mitigation pipeline

  • Our initial packet filtering solution, based on iptables, and why we had to introduce a userspace offload

  • An introduction to XDP and eBPF

  • How we switched from a proprietary offload technology to XDP for network stack bypass

  • Using XDP to load balance traffic
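As an added illustration of the XDP and eBPF mechanics described above (example code written for this page, not Cloudflare's mitigation pipeline and not code from the talk), here is a minimal XDP filter of the kind such a pipeline would install: it drops IPv4/UDP packets whose source address is in a blocklist hash map and counts the drops per source, all before the kernel allocates a socket buffer. The blocklist contents, the `eth0` interface in the attach command, the destination port 53 and the source addresses in the host-side test frames are assumed for illustration. The file compiles two ways: with `clang -target bpf` it is the XDP program, and with the ordinary host compiler only the parsing and verdict logic is built, so that logic can be exercised offline against constructed frames, including truncated and malformed ones.

```c
/* xdp_udp_blocklist.c: added example, not Cloudflare's code. Drops IPv4/UDP
 * packets from blocklisted /32 sources in the driver receive path, before the
 * kernel allocates an skb, and counts the drops per source in an eBPF map.
 *   BPF build:  clang -O2 -g -target bpf -c xdp_udp_blocklist.c -o xdp_udp_blocklist.o
 *   Attach:     ip link set dev eth0 xdpdrv obj xdp_udp_blocklist.o sec xdp  (eth0 assumed)
 *   Host build: cc -O2 -c xdp_udp_blocklist.c   (parse/verdict logic only, for tests) */
#ifdef __bpf__
#include <linux/bpf.h>
#include <linux/types.h>
#include <bpf/bpf_helpers.h>
typedef __u8 u8; typedef __u16 u16; typedef __u32 u32; typedef __u64 u64;
#else
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint8_t u8; typedef uint16_t u16; typedef uint32_t u32; typedef uint64_t u64;
#define __always_inline inline __attribute__((always_inline))
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 }; /* verdict codes as in linux/bpf.h */
#endif

/* Header layouts spelled out here so the host build needs no kernel headers. */
struct eth_hdr  { u8 dst[6]; u8 src[6]; u16 proto; } __attribute__((packed));
struct ipv4_hdr { u8 ver_ihl; u8 tos; u16 tot_len; u16 id; u16 frag_off; u8 ttl;
                  u8 protocol; u16 check; u32 saddr; u32 daddr; } __attribute__((packed));
struct udp_hdr  { u16 source; u16 dest; u16 len; u16 check; } __attribute__((packed));
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define BE16(x) ((u16)((((x) & 0xff) << 8) | (((x) >> 8) & 0xff)))   /* host -> network */
#else
#define BE16(x) ((u16)(x))
#endif

#ifdef __bpf__
struct {
    __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 65536);
    __type(key, u32);   /* source IPv4 address, network byte order */
    __type(value, u64); /* packets dropped from that source */
} blocklist SEC(".maps");

static __always_inline int src_is_blocked(u32 saddr)
{
    u64 *drops = bpf_map_lookup_elem(&blocklist, &saddr);
    if (!drops) return 0;
    __sync_fetch_and_add(drops, 1);   /* per-source drop counter, read from userspace */
    return 1;
}
#else
/* Host stand-in for the map: a constructed blocklist of two assumed sources. */
static const u8 blocklist[][4] = { {10, 0, 0, 1}, {192, 168, 0, 2} };
static int src_is_blocked(u32 saddr)
{
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (memcmp(&saddr, blocklist[i], 4) == 0)
            return 1;
    return 0;
}
#endif

/* Parse Ethernet/IPv4/UDP and decide. Every header access is preceded by a bounds
 * check against data_end; the eBPF verifier rejects the program at load time if one
 * is missing. Traffic this code does not understand is passed up, not dropped. */
static __always_inline int udp_blocklist_verdict(void *data, void *data_end)
{
    struct eth_hdr *eth = data;
    if ((void *)(eth + 1) > data_end || eth->proto != BE16(0x0800)) /* not IPv4 */
        return XDP_PASS;
    struct ipv4_hdr *ip = (struct ipv4_hdr *)(eth + 1);
    if ((void *)(ip + 1) > data_end || (ip->ver_ihl >> 4) != 4)
        return XDP_PASS;
    u32 ihl = (u32)(ip->ver_ihl & 0x0f) * 4;
    if (ihl < sizeof *ip) return XDP_DROP;     /* IHL below 20 bytes is malformed: drop */
    if (ip->protocol != 17) return XDP_PASS;   /* only UDP is policed by this program */
    struct udp_hdr *udp = (struct udp_hdr *)((u8 *)ip + ihl);
    if ((void *)(udp + 1) > data_end) return XDP_PASS;  /* truncated UDP header: leave it */
    return src_is_blocked(ip->saddr) ? XDP_DROP : XDP_PASS;
}

#ifdef __bpf__
SEC("xdp")
int xdp_udp_blocklist(struct xdp_md *ctx)
{
    return udp_blocklist_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
/* Host only: build a constructed UDP/IPv4 frame from src (to port 53, 4-byte
 * payload, other fields zero) and run the verdict, optionally truncated. */
int verdict_for(const u8 src[4], u8 ver_ihl, u8 proto, size_t truncate_to)
{
    u8 buf[64] = {0};
    struct eth_hdr  *eth = (struct eth_hdr *)buf;
    struct ipv4_hdr *ip  = (struct ipv4_hdr *)(eth + 1);
    struct udp_hdr  *udp = (struct udp_hdr *)(ip + 1);
    size_t n = sizeof *eth + sizeof *ip + sizeof *udp + 4;
    eth->proto = BE16(0x0800);
    ip->ver_ihl = ver_ihl; ip->ttl = 64; ip->protocol = proto;
    memcpy((u8 *)ip + offsetof(struct ipv4_hdr, saddr), src, 4);
    udp->dest = BE16(53); udp->len = BE16(sizeof *udp + 4);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return udp_blocklist_verdict(buf, buf + n);
}
#endif
```

Two design points matter for a mitigation filter. First, the default verdict for anything the parser cannot fully see (truncated frames, non-IPv4, non-UDP) is `XDP_PASS`, so a bug in the filter degrades to "the kernel stack sees the packet" rather than to an outage; only a positively identified attack source, or a packet that is malformed by construction, is dropped. Second, the policy lives in the map rather than in the program: the detection side of a pipeline inserts and removes sources from userspace (for example with `bpftool map update`) without reloading the XDP program, and the per-source counters give it feedback on what the rule is actually hitting.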



Speaker

Gilberto Bertin

System Engineer @Cloudflare London

Gilberto Bertin is originally from a little Italian town near Venice, and loves tinkering with low-level systems, especially networking code. After working on a variety of technologies, such as P2P VPNs and userspace TCP/IP stacks, he joined the Cloudflare DDoS team in London to help filter all the...


Location

Windsor, 5th flr.

Track

Operating Systems: LinuxKit, Unikernels, & Beyond

Topics

Operating Systems, Networking, Performance, Infrastructure, London, Interview Available


From the same track

SESSION + Live Q&A Interview Available

Unikraft - Unleashing the Power of Unikernels

Recently, several papers and projects dedicated to specialized OSes and unikernels have shown the immense potential for performance gains that these have. By leveraging specialization and the use of minimalistic OSes, unikernels are able to yield impressive numbers, including fast instantiation...

Felipe Huici

Chief Researcher in the Systems and Machine Learning Group at NEC Laboratories Europe

SESSION + Live Q&A Operating Systems

The Modern Operating System in 2018

The last monolith is the operating system. There are tens or hundreds of millions of lines of code in the kernel, and orders of magnitude more in the userspace code that gets shipped with it. Not just any code, security critical code written in unsafe languages. Every other area of software has...

Justin Cormack

Developer @Docker

SESSION + Live Q&A Operating Systems

Optimizing For Production Workloads

Breaking down the container runtimes into their base functionality and then building them up into a series of core libraries and tools that specialize in core capabilities. Our goal is, rather than having one monolithic daemon do all container management, to build up a series of tools that...

Daniel Walsh

Engineer @Redhat working on CRI-O Container Runtime

Samuel Ortiz

Principal Engineer @Intel Open Source Technology Center

SESSION + Live Q&A Operating Systems

Making the Windows Command-Line Great Again!

The command-line is an essential tool for many developers and administrators, on any machine and any operating system. Attend this session to learn how Microsoft has been overhauling the Windows command-line experience in Windows 10, making it easier than ever to run Windows tools alongside Linux...

Rich Turner

Senior Program Manager @Microsoft

Tara Raj

Program Manager @Microsoft
