eBPF/XDP ป้องกัน DDoS: รับมือ 100Mpps/Core - เร็วกว่า iptables 100x
eBPF/XDP ทำงานระดับ Network Driver ตัดสินใจทิ้งแพ็กเก็ต 50Mpps/core ลด CPU 90% ป้องกัน DDoS UDP Flood, Amplification, SYN Flood
eBPF vs iptables Performance
| Technology | Position | Max PPS/Core | CPU Usage |
|---|---|---|---|
| XDP/eBPF | Driver | 100M | 5% |
| nftables | Netfilter | 2M | 40% |
| iptables | Netfilter | 1M | 70% |
| Suricata | Userspace | 500K | 95% |
XDP Actions ครบ
XDP_DROP = ทิ้งทันที (เร็วสุด)
XDP_PASS = ส่งต่อ Kernel
XDP_TX = ส่งกลับต้นทาง
XDP_REDIRECT = ส่งไปอินเตอร์เฟซอื่น
XDP_ABORTED = Error case
DDoS Mitigation Examples
1. UDP Amplification Block
SEC("xdp")
int xdp_amp_protect(struct xdp_md *ctx) {
struct ethhdr *eth = (void *)ctx->data;
struct iphdr *ip = (void *)(eth + 1);
struct udphdr *udp = (void *)(ip + 1);
// Block DNS/NTP/SSDP/Memcached amp
__u16 sport = bpf_ntohs(udp->source);
if (sport == 53 || sport == 123 || sport == 1900 || sport == 11211)
return XDP_DROP;
return XDP_PASS;
}
2. SYN Flood Protection
#define MAX_SYN_PER_SEC 1000
struct {
__uint(type, BPF_MAP_TYPE_LRU_HASH);
__type(key, __u32); // src_ip
__type(value, __u64); // syn_count
} syn_map SEC(".maps");
SEC("xdp")
int xdp_syn_flood(struct xdp_md *ctx) {
struct tcphdr *tcp = parse_tcp(ctx);
if (!tcp || tcp->syn == 0) return XDP_PASS;
__u32 ip = parse_src_ip(ctx);
__u64 *count = bpf_map_lookup_elem(&syn_map, &ip);
__u64 now = bpf_ktime_get_ns() / 1000000000; // seconds
if (count && *count > MAX_SYN_PER_SEC)
return XDP_DROP;
bpf_map_update_elem(&syn_map, &ip, now, BPF_ANY);
return XDP_PASS;
}
3. Token Bucket Rate Limit
#define RATE 1000 // pkts/sec
#define BURST 2000
struct ip_bucket {
__u64 last_time;
__u32 tokens;
};
SEC("xdp")
int xdp_rate_limit(struct xdp_md *ctx) {
__u32 ip = parse_src_ip(ctx);
struct ip_bucket *bucket;
bucket = bpf_map_lookup_elem(&ip_rl_map, &ip);
__u64 now = bpf_ktime_get_ns();
if (bucket) {
__u64 delta = (now - bucket->last_time) / 1000000;
bucket->tokens = min(BURST, bucket->tokens + delta * RATE / 1000);
bucket->last_time = now;
if (bucket->tokens == 0) return XDP_DROP;
bucket->tokens--;
}
return XDP_PASS;
}
Setup Production XDP
# 1. Install eBPF tools
sudo apt install clang llvm libbpf-dev bpftool
# 2. Compile (native mode = fastest)
clang -O2 -target bpf -c ddos_protect.c -o ddos_protect.o
# 3. Load XDP (replace eth0)
sudo ip link set eth0 xdp obj ddos_protect.o sec xdp
# 4. Stats
bpftool prog list
bpftool map dump name syn_map
# 5. Unload
sudo ip link set eth0 xdp off
Real-world Performance
Hardware: Intel E810 XXV710 (25Gbps)
Attack: 80Mpps UDP Flood
XDP Drop: 78Mpps (97.5%)
CPU Usage: 8 cores @ 12%
Kernel Stack: 0 packets
Multi-Stage DDoS Pipeline
Stage 1: XDP → L2/L3 filter (99% drop)
Stage 2: TC eBPF → L4 rate limit
Stage 3: nftables → App-level
Fallback: Cloudflare Magic Transit
Production Checklist
✅ NIC driver supports XDP (ixgbe/af_xdp)
✅ Kernel 5.15+ with BTF enabled
✅ libbpf 1.0+
✅ Auto-reload on boot (systemd)
✅ Stats export (Prometheus)
✅ Fail-open (XDP_PASS default)
XDP vs Cloud DDoS
| Metric | XDP On-prem | Cloudflare |
|---|---|---|
| Latency | 10μs | 20-50ms |
| Cost | $0 | $0.10/GB |
| Volumetric | 100Gbps | Unlimited |
| App-layer | ❌ | ✅ |
Strategy: XDP = L3/L4, Cloud = L7