
Abusing Linux's firewall: the hack that allowed us to build Spectrum

What's this blog post about?

Cloudflare has introduced Spectrum, a new feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol. Building Spectrum ran into a Linux limitation: a server cannot simply accept connections on every valid TCP port from 1 to 65535 using standard listening sockets. To overcome this, Cloudflare used the "AnyIP" trick, which assigns whole IP prefixes (subnets) to the loopback interface, and the TPROXY iptables module to dispatch incoming connections to a socket. These solutions let Spectrum run on the vanilla kernel without any custom kernel patches.

Company
Cloudflare

Date published
April 12, 2018

Author(s)
Marek Majkowski

Word count
1623

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.