Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

DDoS mitigation made easy with XDP and eBPF

1:30pm5:00pm Tuesday, June 11, 2019
Building Secure Systems
Location: LL21 E/F



Prerequisite knowledge

  • Working knowledge of current generation packet filtering technologies (e.g., iptables)
  • General understanding of packet structures
  • General programming understanding (e.g., C/C++ or Golang)

Materials or downloads needed in advance

Important to do ahead of the conference

  • Please download this virtual machine image template and this zip file.
  • If you're concerned about security and want to know exactly what is in the virtual machine image, please follow the directions supplied in the zip file for generating your own.


Network and infrastructure operators are in a constant arms race with malicious actors. In order to stay ahead of the competition, operators must stay informed about what defensive technologies exist and how to leverage them. One such technology is express data protection (XDP) in combination with extended Berkeley Packet Filter (eBPF). This incredibly flexible framework is a formidable tool for managing unwanted network traffic. Christian Saide gives you the knowledge and skills you need to properly leverage XDP as a defense mechanism and protect your mission-critical services and infrastructure.


We’ll discuss the following key topic areas in depth:

  • What XDP is, how it operates, and the performance gains over legacy technologies
  • How to build and operate XDP programs for both generic and highly focused attack mitigation solutions
  • How to implement XDP programs that are fully dynamic and capable of adapting to the situation at hand

You’ll work through a set of labs where you’ll be walking through examples of how to build, run, and understand:

  • A simple traffic statistics probe to monitor total received packets/bytes
  • A dynamic firewall:
    • Starting with a simple layer 2 MAC address filter
    • Moving on to IPv4 and IPv6 address + prefix filters
    • Finally adding user datagram protocol (UDP) and transmission control protocol (TCP) port filtering
  • Advanced use cases:
    • Load shedding and honeypotting traffic flows
    • Sampling packet data for offline analysis
    • Handling a UDP-based DNS DDoS with a TC bit autoresponder

Every lab is fully annotated and offers complete solutions to all exercises for those looking to learn by seeing or to learn by doing. You’ll leave empowered with the knowledge of how you could use XDP to strengthen your defensive strategies against DDoS attacks.

Photo of Christian Saide

Christian Saide


Christian Saide is a DevOps engineer at NS1, where he has been a key player in automating, hardening, and scaling out its systems, particularly by pushing more and more of its infrastructure into container-based architectures and implementing solutions to the tough problems surrounding global distribution. He also served a critical role in NS1’s move to software-defined networking and authored the primary software-defined networking device and network topology. Christian has been working in the technology sector for five years, focusing on networking and distributed systems. Previously, he was at Industrial Color Software, where he climbed from a midlevel software developer to director of development operations and was instrumental in taking the company’s aging infrastructure from a handful of bare-metal servers to multiple virtualization hosts running hundreds of virtual machines, which in turn supported hundreds of containers.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)