Introducing the p0f BPF compiler
In this blog post from August 2016, Gilberto Bertin discusses a love for BPF (BSD packet filter) bytecode and the utilities used to generate BPF rules for production iptables. The post also open-sources another component of bpftools: the p0f BPF compiler. The p0f tool passively analyzes and categorizes arbitrary network traffic, extracting information about the operating system that sent a packet. The author explains how it is used on a daily basis at CloudFlare to categorize packets when the company is the target of a SYN flood attack. The post also describes the signature format used by p0f and how it can be used to distinguish different types of SYN packets, which helps in mitigating attacks. The author provides an example of how to compile p0f to BPF using the bpftools project and shares an example run that blocks SYN packets generated by the hping3 tool. The post concludes by encouraging others to work together on solving the DDoS problem for all, and by inviting interested individuals to apply for open positions at CloudFlare's offices in London, San Francisco, Singapore, Champaign (IL), and Austin (TX).
Company: Cloudflare
Date published: Aug. 2, 2016
Author(s): Gilberto Bertin
Word count: 2427
Language: English
Hacker News points: 69