Abusing Linux's firewall: the hack that allowed us to build Spectrum
Cloudflare has introduced Spectrum, a new feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol. The development of Spectrum faced technical challenges due to Linux's limitations in accepting connections on any valid TCP port from 1 to 65535. To overcome these issues, Cloudflare employed the "AnyIP" trick, which allows assigning whole IP prefixes (subnets) to the loopback interface, and utilized TPROXY iptables module for socket dispatch. These solutions enabled Spectrum to operate smoothly on the vanilla kernel without requiring any custom kernel patches.
Company
Cloudflare
Date published
April 12, 2018
Author(s)
Marek Majkowski
Word count
1623
Language
English
Hacker News points
15