XDP: DDoS filter use-case


Jesper Dangaard Brouer

I also want a XDP/eBPF hook placed at TX DMA completion time, or when
the page is recycled back to the page-pool.

This will allow innovating more advanced DDoS filter solutions, as
this creates a feedback loop. (Simply established by a shared BPF map,
between XDP-RX-hook and XDP-TX-done-hook).

In particular, I imagine one could implement an AQM queue called BLUE[1], and
the SFB (Stochastic Fair BLUE), to efficiently identify and rate-limit
non-responsive flows. Keeping the RX-HW-hash until TX completion
would allow this to be implemented without touching the packet-data.

Another interesting meta-data information is: whether the HW RX or TX
queue is overflowing (as e.g. BLUE is triggered by packet loss due to
queue overruns).

The page-pool will likely contain an OOM (Out-of-Memory) protection
feature, which limits the amount of outstanding pages allowed. It
might still be valid to call the XDP filter, as it would allow the
eBPF program to mitigate the overload situation. Thus, some indication
of this state needs to be communicated to the eBPF program.


BLUE paper[1] http://www.eecs.umich.edu/techreports/cse/99/CSE-TR-387-99.pdf
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
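The feedback loop sketched in the mail above, as an added user-space C model that is not code from the mail, from Jesper, or from the kernel: a "shared map" indexed by the HW RX hash stands in for the BPF map, `xdp_rx_hook()` runs BLUE's drop decision, and `xdp_tx_done_hook()` returns the slot when the page is recycled. The hook signatures, the map layout, the queue-overflow indication (modelled as "outstanding pages in this bin reached the TX queue limit"), the constants and the workload are all assumptions; only a single hash level is modelled, where SFB would use several to separate colliding flows. BLUE is done in fixed point because eBPF has no floating point, and the early drop uses an accumulator instead of a PRNG so the run is reproducible.

```c
/* Added example: user-space model of an XDP-RX / XDP-TX-done feedback loop
 * running BLUE per RX-hash bin. Everything here is hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAP_BINS    64    /* bins addressed by the HW RX hash (one SFB level) */
#define TXQ_LIMIT   16    /* outstanding pages per bin before "queue overrun" */
#define P_ONE       1024  /* fixed-point 1.0 for the BLUE probability */
#define BLUE_D1     102   /* ~0.10: increase of p_mark on queue overrun */
#define BLUE_D2     20    /* ~0.02: decrease of p_mark when the bin drains */
#define FREEZE_TIME 8     /* minimum ticks between two p_mark updates */

struct blue_bin {
    uint32_t p_mark;       /* BLUE drop probability, 0..P_ONE */
    uint32_t acc;          /* accumulator for the deterministic early drop */
    uint32_t outstanding;  /* pages seen at RX but not yet TX-completed */
    uint64_t last_update;  /* tick of the last p_mark change (freeze time) */
};

struct shared_map { struct blue_bin bins[MAP_BINS]; };

static struct blue_bin *lookup(struct shared_map *m, uint32_t rx_hash)
{
    return &m->bins[rx_hash % MAP_BINS];
}

/* XDP-RX side: true = forward the packet, false = drop it. */
bool xdp_rx_hook(struct shared_map *m, uint32_t rx_hash, uint64_t now)
{
    struct blue_bin *b = lookup(m, rx_hash);

    /* BLUE early drop: drop a fraction p_mark of arrivals. */
    b->acc += b->p_mark;
    if (b->acc >= P_ONE) {
        b->acc -= P_ONE;
        return false;
    }
    /* Queue overrun: BLUE raises p_mark (once per FREEZE_TIME) and tail-drops. */
    if (b->outstanding >= TXQ_LIMIT) {
        if (now - b->last_update >= FREEZE_TIME) {
            b->p_mark = (b->p_mark + BLUE_D1 > P_ONE) ? P_ONE : b->p_mark + BLUE_D1;
            b->last_update = now;
        }
        return false;
    }
    b->outstanding++;
    return true;
}

/* XDP-TX-done side: the page carrying rx_hash was recycled to the page-pool. */
void xdp_tx_done_hook(struct shared_map *m, uint32_t rx_hash, uint64_t now)
{
    struct blue_bin *b = lookup(m, rx_hash);

    if (b->outstanding > 0)
        b->outstanding--;
    /* Bin drained: this bin is idle, so BLUE lowers p_mark. */
    if (b->outstanding == 0 && now - b->last_update >= FREEZE_TIME) {
        b->p_mark = (b->p_mark > BLUE_D2) ? b->p_mark - BLUE_D2 : 0;
        b->last_update = now;
    }
}

/* A bin whose p_mark stays high belongs to a flow that does not react to loss. */
bool is_non_responsive(const struct shared_map *m, uint32_t rx_hash)
{
    return m->bins[rx_hash % MAP_BINS].p_mark >= P_ONE / 2;
}

struct sim_result {
    uint32_t p_flood, p_normal;                 /* final p_mark per bin */
    uint32_t forwarded_flood, forwarded_normal; /* packets that passed RX */
    bool flood_flagged, normal_flagged;         /* is_non_responsive() */
};

/* Constructed workload: a flooding flow sends 4 packets per tick, a normal
 * flow sends 1 per tick; each bin gets one TX completion per tick. */
struct sim_result simulate(uint64_t ticks)
{
    static struct shared_map map;
    const uint32_t flood_hash = 0x1234abcd, normal_hash = 0xdeadbeef;
    struct sim_result r;

    memset(&map, 0, sizeof(map));
    memset(&r, 0, sizeof(r));
    for (uint64_t now = 1; now <= ticks; now++) {
        for (int i = 0; i < 4; i++)
            r.forwarded_flood += xdp_rx_hook(&map, flood_hash, now);
        r.forwarded_normal += xdp_rx_hook(&map, normal_hash, now);
        if (lookup(&map, flood_hash)->outstanding)
            xdp_tx_done_hook(&map, flood_hash, now);
        if (lookup(&map, normal_hash)->outstanding)
            xdp_tx_done_hook(&map, normal_hash, now);
    }
    r.p_flood = lookup(&map, flood_hash)->p_mark;
    r.p_normal = lookup(&map, normal_hash)->p_mark;
    r.flood_flagged = is_non_responsive(&map, flood_hash);
    r.normal_flagged = is_non_responsive(&map, normal_hash);
    return r;
}

int main(void)
{
    struct sim_result r = simulate(400);
    printf("flood: p_mark=%u/%d forwarded=%u flagged=%d\n",
           r.p_flood, P_ONE, r.forwarded_flood, r.flood_flagged);
    printf("normal: p_mark=%u/%d forwarded=%u flagged=%d\n",
           r.p_normal, P_ONE, r.forwarded_normal, r.normal_flagged);
    return 0;
}
```

The flooding flow's bin saturates its drop probability while the flow sending at the service rate keeps p_mark at zero and loses nothing; the RX hash alone is enough to tie the two hooks together, so neither side touches packet data, which is the point the mail makes about keeping the RX-HW-hash until TX completion.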