Accelerating synproxy with XDP


Maxim Mikityanskiy


Nuts and Bolts

Session Type




Netfilter module synproxy allows to build a firewall that protects a server from TCP SYN flood attacks by generating and replying with SYN cookies before reaching conntrack and doing routing. It can be configured on a dedicated firewall machine that stays in front of the server.

Generating SYN cookies is stateless, and it's a perfect example of a task to be accelerated using XDP. Currently there are BPF helpers that allow to generate and check SYN cookies for a listening socket on the same machine. This talk describes adapting BPF for the synproxy use case, which includes adding new helpers to query conntrack information and generate and check SYN cookies without binding to a socket.