Session

Accelerating synproxy with XDP

Speakers

Maxim Mikityanskiy

Label

Nuts and Bolts

Session Type

Talk

Contents

Description

The netfilter synproxy module makes it possible to build a firewall that protects a server from TCP SYN flood attacks by generating and replying with SYN cookies before a packet reaches conntrack and routing. It can be configured on a dedicated firewall machine that sits in front of the server.

Generating SYN cookies is stateless, which makes it a perfect example of a task to accelerate with XDP. Currently there are BPF helpers that generate and check SYN cookies for a listening socket on the same machine. This talk describes adapting BPF to the synproxy use case, which includes adding new helpers to query conntrack information and to generate and check SYN cookies without binding to a socket.
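To make the "stateless" point concrete, here is a small user-space C model of a SYN cookie scheme. It is an added illustration, not code from the talk, from the speaker, or from the kernel: Linux derives its cookies with SipHash over the 4-tuple, the client ISN and a minute counter, while this toy uses a keyed FNV-1a hash and a constructed per-boot secret so it runs offline. The cookie becomes the SYN-ACK sequence number; when the client's final ACK arrives, the cookie is recomputed from the packet headers alone and compared, so no per-connection entry has to exist before the handshake completes. The time counter is assumed to be a coarse clock (e.g. minutes) maintained by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Simplified stateless SYN-cookie scheme (illustration only, not the kernel's
 * algorithm). Cookie layout, 32 bits:
 *   bits 31..24  coarse time counter, so old cookies expire
 *   bits 23..3   keyed hash of (4-tuple, client ISN, counter)
 *   bits  2..0   index into the MSS table we encode for the client
 */

/* MSS values the cookie can encode (3 index bits reserved, 4 entries used). */
static const uint16_t mss_table[] = { 536, 1220, 1440, 1460 };
#define MSS_ENTRIES (sizeof(mss_table) / sizeof(mss_table[0]))

struct flow4 {
    uint32_t saddr, daddr;   /* host byte order in this illustration */
    uint16_t sport, dport;
    uint32_t isn;            /* client's initial sequence number from the SYN */
};

/* Keyed FNV-1a over the flow, the (8-bit) counter and a per-boot secret.
 * Stand-in for the kernel's SipHash; the secret is an assumed constant. */
static uint32_t cookie_hash(const struct flow4 *f, uint32_t count, uint64_t secret)
{
    uint8_t buf[sizeof(*f) + sizeof(count) + sizeof(secret)];
    uint32_t h = 2166136261u;
    size_t i;

    memcpy(buf, f, sizeof(*f));
    memcpy(buf + sizeof(*f), &count, sizeof(count));
    memcpy(buf + sizeof(*f) + sizeof(count), &secret, sizeof(secret));
    for (i = 0; i < sizeof(buf); i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* On SYN: pick the largest table MSS not exceeding the client's, then build
 * the cookie that is sent back as our SYN-ACK sequence number. */
uint32_t syncookie_gen(const struct flow4 *f, uint16_t client_mss,
                       uint32_t count, uint64_t secret)
{
    uint32_t c = count & 0xffu;
    uint32_t idx = 0, i;

    for (i = 0; i < MSS_ENTRIES; i++)
        if (mss_table[i] <= client_mss)
            idx = i;
    return (c << 24) | ((cookie_hash(f, c, secret) & 0x1fffffu) << 3) | idx;
}

/* On the final ACK: accept only if the counter is current or one period old
 * and the keyed hash matches. Returns 1 and the MSS on success, 0 otherwise. */
int syncookie_check(const struct flow4 *f, uint32_t cookie, uint32_t now,
                    uint64_t secret, uint16_t *mss_out)
{
    uint32_t c = cookie >> 24;
    uint32_t idx = cookie & 7u;

    if (((now - c) & 0xffu) > 1)            /* expired, or from the future */
        return 0;
    if (idx >= MSS_ENTRIES)
        return 0;
    if (((cookie >> 3) & 0x1fffffu) != (cookie_hash(f, c, secret) & 0x1fffffu))
        return 0;
    *mss_out = mss_table[idx];
    return 1;
}

/* Map the raw header fields of an ACK back to flow and cookie: the client
 * echoes our ISN+1 in ack_seq and carries its own ISN+1 in seq. */
int syncookie_check_ack(uint32_t saddr, uint32_t daddr, uint16_t sport,
                        uint16_t dport, uint32_t seq, uint32_t ack_seq,
                        uint32_t now, uint64_t secret, uint16_t *mss_out)
{
    struct flow4 f = { saddr, daddr, sport, dport, seq - 1 };
    return syncookie_check(&f, ack_seq - 1, now, secret, mss_out);
}

int main(void)
{
    const uint64_t secret = 0x0123456789abcdefULL;              /* constructed */
    struct flow4 syn = { 0x0a000001, 0x0a000002, 40000, 80, 12345 }; /* constructed */
    uint32_t cookie = syncookie_gen(&syn, 1460, 7, secret);
    uint16_t mss = 0;

    printf("SYN-ACK seq (cookie) = 0x%08x\n", cookie);
    printf("valid ACK:  %d (mss %u)\n",
           syncookie_check_ack(0x0a000001, 0x0a000002, 40000, 80,
                               12346, cookie + 1, 7, secret, &mss), mss);
    printf("stale ACK:  %d\n",
           syncookie_check_ack(0x0a000001, 0x0a000002, 40000, 80,
                               12346, cookie + 1, 9, secret, &mss));
    printf("wrong port: %d\n",
           syncookie_check_ack(0x0a000001, 0x0a000002, 40001, 80,
                               12346, cookie + 1, 7, secret, &mss));
    return 0;
}
```

Because everything needed to validate the ACK is recomputed from the packet and a secret, an XDP program can run the same logic on the firewall before any conntrack entry exists; only after a cookie validates does it make sense to create state for the flow.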