1. 28

  2. 1

    Neat post. Do you have any custom or unusual (eg Cavium) hardware needed for your DDOS mitigation activities? Or is it 100% vanilla boxes from Intel/AMD with Linux running software solutions like in the article?

    1. 13

      In our architecture every server is identical both in hardware and software. The more servers we add, the larger DDoS capacity we have. The servers are pretty standard. We do use Solarflare network cards, and occasionally offload parts of iptables into userspace. We are working on replacing this custom piece of software with NIC-vendor agnostic XDP.

      1. 1

        Wow. Impressive how far things have come in not relying on custom stuff. Thanks for the reply!

        1. 1

          lovely ! any particular reason of moving away from or not choosing dpdk for this ?

          1. 1

            DPDK is great, but it’s really meant to take over the whole NIC[1]. That puts a lot of constraints on what other functions each server can perform. Fortunately, the netdev guys are taking a lot of cues from DPDK and applying them to XDP and related kernel infrastructure. Comparable performance is coming to Linux sooner than you’d think!

            [1] bifurcating & SR-IOV aren’t applicable for this particular usecase