24-28 August 2020
US/Pacific timezone

Multidimensional fair-share rate limiting in BPF

25 Aug 2020, 09:00
45m
Networking and BPF Summit/Virtual-Room (LPC 2020)

Networking and BPF Summit/Virtual-Room

LPC 2020

150
Networking & BPF Summit Networking and BPF Summit

Speakers

Jonas Otten (Cloudflare) Lorenz Bauer (Cloudflare)

Description

As UDP does not have flood attack protections such as SYN cookies, we developed a novel fair-share ratelimiter in unprivileged BPF, designed for a UDP reverse proxy, that is capable of applying rate limits to specific traffic streams while minimizing the impact on others. To achieve this, we base our work on Hierarchical Heavy Hitters, which proposes a method to group packets on source and destination IP address, and we are able to substantially simplify the algorithm for our rate-limiting use case in order to allow for an implementation in BPF.
We further extend the concept of a hierarchy from IPs addresses to ports, providing us with precise rate limits based on the 4-tuple.

Our approach is capable of rate limiting floods originating from single addresses, subnets but also reflection attacks, and applies limits as specific as possible. To verify it’s performance we evaluated the approach against different simulated scenarios.
The outcome of this project is a single library that can be activated on any UDP socket and provides a flood protection out of the box.

I agree to abide by the anti-harassment policy I agree

Primary author

Jonas Otten (Cloudflare)

Co-author

Lorenz Bauer (Cloudflare)

Presentation Materials