How to drop 10 million packets per second

The text discusses various techniques used by the author's team to mitigate Distributed Denial of Service (DDoS) attacks, focusing on packet discarding methods. It presents a series of tests performed on an Intel server with a 10Gbps network card, using synthetic traffic to stress test each method. The performance results for each technique are presented in the form of charts and tables. The techniques discussed include: 1. Dropping packets in application code. 2. Disabling Conntrack to speed up packet processing. 3. Using BPF (Berkeley Packet Filter) drop on a socket. 4. Dropping packets with iptables after routing. 5. Dropping packets with iptables in PREROUTING. 6. Nftables DROP before CONNTRACK. 7. tc ingress handler DROP. 8. XDP_DROP (eXpress Data Path). The text also provides a comparison of the performance results for each technique, highlighting that XDP_DROP is the fastest method, capable of dropping 10 million packets per second on a single CPU. The author concludes by stating that their team uses a combination of these techniques to mitigate DDoS attacks effectively.