L4Drop: XDP DDoS Mitigations
Cloudflare has introduced a new tool called L4Drop for efficient packet dropping as part of its distributed denial of service (DDoS) mitigations. The company's existing DDoS mitigation pipeline consists of Gatebot, bpftools, iptables, and Floodgate. With the introduction of new Gen9 and ARM servers that use different network interface cards (NICs), however, Floodgate is no longer usable, because it relies on a proprietary Solarflare technology to redirect traffic directly to userspace. To address this, Cloudflare turned to eXpress Data Path (XDP), a recent addition to Linux that runs programs written for eBPF, an extended version of the classic BPF instruction set. XDP allows arbitrary code to run on each packet as soon as the network card driver receives it, which makes it well suited to dropping packets at high speed. L4Drop is built on XDP and has been deployed across all Cloudflare servers, where it protects them against DDoS attacks. The company plans to keep improving the pipeline by supporting more simultaneous rules in L4Drop through multiple chained eBPF programs, increasing the efficiency of the generated programs, and taking advantage of new eBPF features.
Company
Cloudflare
Date published
Nov. 28, 2018
Author(s)
Arthur Fabre
Word count
1761
Hacker News points
None found.
Language
English