1. 1
    nickpsecurity avatar nickpsecurity 1 month ago | link | on: How to drop 10 million packets per second

    Neat post. Do you have any custom or unusual (eg Cavium) hardware needed for your DDOS mitigation activities? Or is it 100% vanilla boxes from Intel/AMD with Linux running software solutions like in the article?

    1. 13
      majke avatar majke 1 month ago | link

      In our architecture every server is identical both in hardware and software. The more servers we add, the larger DDoS capacity we have. The servers are pretty standard. We do use Solarflare network cards, and occasionally offload parts of iptables into userspace. We are working on replacing this custom piece of software with NIC-vendor agnostic XDP.

      1. 1
        nickpsecurity avatar nickpsecurity 1 month ago | link

        Wow. Impressive how far things have come in not relying on custom stuff. Thanks for the reply!

        1. 1
          signal-11 avatar signal-11 edited 1 month ago | link

          lovely ! any particular reason of moving away from or not choosing dpdk for this ?

          1. 1
            alexforster avatar alexforster 1 month ago | link

            DPDK is great, but it’s really meant to take over the whole NIC[1]. That puts a lot of constraints on what other functions each server can perform. Fortunately, the netdev guys are taking a lot of cues from DPDK and applying them to XDP and related kernel infrastructure. Comparable performance is coming to Linux sooner than you’d think!

            [1] bifurcating & SR-IOV aren’t applicable for this particular usecase

      1. 5
        majke avatar majke 5 months ago | link | on: eBPF, Sockets, Hop Distance and manually writing eBPF assembly

        Author here. This was a fun bit. I don’t think many people write eBPF bytecode manually. The need to large clang/bcc dependencies is usually discouraging from using eBPF for smaller things, which is a pity.

        1. 2
          peter avatar peter 5 months ago | link

          Probably, people tend to assume going low level makes things more complicated.

          Thanks for the post! I have wanted to learn about ebpf bytecode for a while, and this was a great intro. I’m curious, you could have easily compiled the bpf code offline, pasted the resulting bytecode into your Go program, and parametrized it with the map descriptor at runtime. Is there a reason you chose not to do so?

          1. 3
            majke avatar majke 4 months ago | link

            I’m frankly not sure. Most of the eBPF examples out there compile .c into an ELF. The resulting ELF has the bytecode and map metadata (what maps, what parameters). The resulting ELF can be loaded with some magical userspace helper .

            This for example: https://github.com/nathanjsweet/ebpf/blob/master/examples/sockex1-user.go#L46

            I don’t think I saw .c -> ELF -> bytecode workflow yet. I was told new objdump is able to read/dump the magical BPF ELF’s though, so maybe it’s simple.