How to drop 10 million packets per second
The post describes the techniques the author's team uses to discard packets while mitigating Distributed Denial of Service (DDoS) attacks, and measures how fast each one is. Each method is stress-tested on an Intel server with a 10Gbps network card using synthetic flood traffic, and the results are presented as charts and tables. The techniques, each moving the drop earlier in the kernel's receive path than the one before it, are:
1. Dropping packets in application code, after the kernel has done all of its work on them.
2. Disabling conntrack, so packets are not tracked as connections before they are dropped.
3. Attaching a BPF (Berkeley Packet Filter) program to the socket to drop packets there.
4. Dropping packets with iptables after routing.
5. Dropping packets with iptables in PREROUTING.
6. Dropping packets with nftables before conntrack runs.
7. Dropping packets in a tc ingress handler.
8. XDP_DROP (eXpress Data Path), which drops packets in the network driver before the kernel allocates a socket buffer for them.
Comparing the results shows that XDP_DROP is the fastest method, discarding 10 million packets per second on a single CPU. The author concludes that the team uses a combination of these techniques to mitigate DDoS attacks effectively.
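The following is an added example, not code from the Cloudflare post, showing what an XDP_DROP program for the kind of flood the post benchmarks looks like. It drops UDP packets addressed to one destination address and port, which are assumptions for this example (198.18.0.12 and port 1234 are placeholders to replace), and it keeps the packet-parsing logic in a plain C function so the same file compiles on the host for testing without any BPF headers. The names `classify`, `build_udp_frame` and `xdp_drop_udp` are this example's own.

```c
/* xdp_drop_udp.c: drop UDP floods aimed at TARGET_ADDR:TARGET_PORT at the
 * XDP hook, i.e. in the driver before an skb is allocated.
 *
 * Kernel build:  clang -O2 -g -target bpf -c xdp_drop_udp.c -o xdp_drop_udp.o
 * Attach:        ip link set dev eth0 xdpgeneric obj xdp_drop_udp.o sec xdp
 * Host build:    cc -O2 -o xdp_drop_udp xdp_drop_udp.c   (unit-tests classify())
 *
 * TARGET_ADDR/TARGET_PORT are assumed values for this example. */
#include <stdint.h>
#include <stddef.h>

#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
/* Host build: mirror the XDP verdict values from <linux/bpf.h>. */
#define XDP_DROP 1
#define XDP_PASS 2
#endif

#define ETH_HLEN        14
#define ETH_P_IP        0x0800
#define IPPROTO_UDP_NUM 17
#define TARGET_ADDR     0xC612000Cu   /* 198.18.0.12 (assumed flood target) */
#define TARGET_PORT     1234          /* assumed flood target port */

/* Big-endian readers: packet fields are network byte order regardless of host. */
static inline uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static inline uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Verdict for the frame in [data, data_end). Every read is preceded by a
 * bounds check against data_end: the in-kernel BPF verifier rejects the
 * program otherwise, and the same checks keep the host build memory-safe.
 * Anything that is not an IPv4/UDP packet to the target is passed through. */
static inline int classify(const uint8_t *data, const uint8_t *data_end)
{
    const uint8_t *p = data;

    if (p + ETH_HLEN > data_end)
        return XDP_PASS;
    if (rd16(p + 12) != ETH_P_IP)       /* not plain IPv4 (VLAN tags not handled) */
        return XDP_PASS;
    p += ETH_HLEN;

    if (p + 20 > data_end)               /* minimal IPv4 header */
        return XDP_PASS;
    if ((p[0] >> 4) != 4)
        return XDP_PASS;
    unsigned ihl = (p[0] & 0x0f) * 4;    /* header length, 20..60 bytes with options */
    if (ihl < 20 || p + ihl > data_end)
        return XDP_PASS;
    if (p[9] != IPPROTO_UDP_NUM)
        return XDP_PASS;
    if (rd32(p + 16) != TARGET_ADDR)     /* destination address */
        return XDP_PASS;
    p += ihl;

    if (p + 8 > data_end)                /* UDP header */
        return XDP_PASS;
    if (rd16(p + 2) != TARGET_PORT)      /* destination port */
        return XDP_PASS;
    return XDP_DROP;
}

#ifdef __bpf__
SEC("xdp")
int xdp_drop_udp(struct xdp_md *ctx)
{
    return classify((const uint8_t *)(long)ctx->data,
                    (const uint8_t *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
#include <stdio.h>
#include <string.h>

/* Host-only helper: build a constructed 42-byte Ethernet/IPv4/UDP frame
 * (checksums left zero; classify() never reads them) and return its length. */
static size_t build_udp_frame(uint8_t *buf, uint32_t daddr, uint16_t dport, uint8_t proto)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; ip[3] = 28; ip[8] = 64; ip[9] = proto;
    ip[12] = 198; ip[13] = 18; ip[14] = 0; ip[15] = 1;      /* src 198.18.0.1 */
    ip[16] = daddr >> 24; ip[17] = daddr >> 16; ip[18] = daddr >> 8; ip[19] = daddr;
    uint8_t *udp = ip + 20;
    udp[2] = dport >> 8; udp[3] = dport; udp[5] = 8;        /* dport, length 8 */
    return 42;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_udp_frame(f, TARGET_ADDR, TARGET_PORT, IPPROTO_UDP_NUM);
    printf("flood packet: %s\n", classify(f, f + n) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    n = build_udp_frame(f, TARGET_ADDR, 53, IPPROTO_UDP_NUM);
    printf("dns packet:   %s\n", classify(f, f + n) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
#endif
```

Attaching with `xdpgeneric` works on any driver but runs after the skb is allocated; the 10Mpps figure needs native mode (`xdpdrv`) on a driver that supports it. The program passes everything it does not positively match, including truncated frames and VLAN-tagged traffic, so a parsing gap fails open rather than blackholing legitimate packets.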
Company
Cloudflare
Date published
July 6, 2018
Author(s)
Marek Majkowski
Word count
2311
Language
English
Hacker News points
None found.