Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

DDoS mitigation made easy with XDP and eBPF

1:30pm5:00pm Tuesday, June 11, 2019
Building Secure Systems
Location: 230 A
Average rating: ****.
(4.50, 2 ratings)



Prerequisite knowledge

  • A working knowledge of current generation packet filtering technologies (e.g., iptables)
  • A general understanding of packet structures
  • Familiarity with programming (e.g., C/C++ or Golang)

Materials or downloads needed in advance

  • Download this virtual machine image template and this zip file (If you're concerned about security and want to know exactly what is in the virtual machine image, please follow the directions supplied in the zip file to generate your own.)

What you'll learn

  • Learn what you need to leverage XDP as a defense mechanism and protect your mission-critical services and infrastructure


Network and infrastructure operators are in a constant arms race with malicious actors. In order to stay ahead of the competition, operators must stay informed about what defensive technologies exist and how to leverage them. One such technology is express data protection (XDP) in combination with extended Berkeley Packet Filter (eBPF). This incredibly flexible framework is a formidable tool for managing unwanted network traffic. Christian Saide gives you the knowledge and skills you need to properly leverage XDP as a defense mechanism and protect your mission-critical services and infrastructure.


Christian discusses the following key topic areas in depth:

  • What XDP is, how it operates, and the performance gains over legacy technologies
  • How to build and operate XDP programs for both generic and highly focused attack mitigation solutions
  • How to implement XDP programs that are fully dynamic and capable of adapting to the situation at hand

You’ll work through a set of labs where you’ll be walking through examples of how to build, run, and understand:

  • A simple traffic statistics probe to monitor total received packets/bytes
  • A dynamic firewall:
    • Starting with a simple layer 2 MAC address filter
    • Moving on to IPv4 and IPv6 address and prefix filters
    • Finally adding user datagram protocol (UDP) and transmission control protocol (TCP) port filtering
  • Advanced use cases:
    • Load-shedding and honeypotting traffic flows
    • Sampling packet data for offline analysis
    • Handling a UDP-based DNS DDoS with a TC bit autoresponder

Every lab is fully annotated and offers complete solutions to all exercises for those looking to learn by seeing or to learn by doing. You’ll leave empowered with the knowledge of how you could use XDP to strengthen your defensive strategies against DDoS attacks.

Photo of Christian Saide

Christian Saide


Christian Saide is a DevOps engineer at NS1, where he has been a key player in automating, hardening, and scaling out its systems, particularly by pushing more and more of its infrastructure into container-based architectures and implementing solutions to the tough problems surrounding global distribution. He also served a critical role in NS1’s move to software-defined networking and authored the primary software-defined networking device and network topology. Christian has been working in the technology sector for five years, focusing on networking and distributed systems. Previously, he was at Industrial Color Software, where he climbed from a midlevel software developer to director of development operations and was instrumental in taking the company’s aging infrastructure from a handful of bare-metal servers to multiple virtualization hosts running hundreds of virtual machines, which in turn supported hundreds of containers.