Session
Tempesta xFW: open-source eBPF-based volumetric DDoS protection
Speakers
Alexander Krizhanovsky
Label
Nuts and Bolts
Session Type
Talk
Description
In this talk we present Tempesta xFW, an open-source, eBPF-based solution [1][2] for mitigating volumetric DDoS attacks.
Tempesta xFW targets different protection architectures: host-based protection, such as CDN edge or on-premises application delivery controller cases, where a host is a TCP connection endpoint; and router-based protection, such as an ISP, hosting, or IaaS provider cases, where a host routes IP packets to protected servers or networks. In the latter case, the host may not “see” normal clean traffic and may receive only traffic containing a DDoS attack. Also, the node may receive only client-to-server traffic, as in direct server return or some traffic scrubbing scenarios.
Moreover, there are always-on, redirection, and hybrid deployment scenarios, and modern “hit-and-run” DDoS attacks, such as Aisuru-Kimwolf, challenge these architectures.
In this talk we discuss:
- DDoS protection architectures - surprisingly, most filtering logic is shared across them
- What makes DDoS protection logic unique - which protection logic requires specific eBPF programming with extensive map usage and interaction with the kernel, and which can be implemented with traditional firewall rules
- XDP and TC programs architecture for multi-NIC nodes
- Multi-layer filtering architecture and simple protection logic: source port and address filtering, reputation and GeoIP filtering, IP, UDP and TCP anomalies, destination IP rate limiting as the last resort
- Different approaches to rate limiting: leaky buckets, sliding windows, probabilistic rate limiting, and issues with proper configuration
- TCP authentication approach for ACK and RST flood protection
- TCP SYN flood protection for host, router and scrubbing scenarios
- DNS protection - from basic parsing to advanced techniques accelerating protected DNS servers
- Prometheus monitoring and high-throughput per-CPU incident logging to ClickHouse with sampling under overload
- Safe deployment with evaluation mode
- Performance evaluation and challenges with current eBPF API limitations
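The rate-limiting item above names two schemes whose behaviour differs most under a short burst. The following is an added example, not code from Tempesta xFW or the talk: a leaky bucket and a two-window sliding-window approximation, written with integer arithmetic only, as an XDP program would have to be (BPF has no floating point). The per-key state that a real filter keeps in a BPF map (keyed, for example, by destination IP) is a single struct here, and the packet stream is constructed with fixed spacing, so everything runs in user space. The rates, burst size and window limit are assumed values chosen for illustration.

```c
/* Added example (not Tempesta xFW code): leaky bucket vs. sliding window
 * rate limiting in integer arithmetic, run over a constructed packet stream. */
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC   1000000000ULL
#define LB_RATE_PPS  100        /* leaky bucket: sustained packets/second (assumed) */
#define LB_BURST     50         /* leaky bucket: capacity in packets (assumed)       */
#define SW_WINDOW_NS NS_PER_SEC /* sliding window length (assumed)                  */
#define SW_LIMIT     100        /* sliding window: packets per window (assumed)     */

/* Leaky bucket kept in milli-packets so the drain can be computed exactly
 * from a nanosecond timestamp without floating point. */
struct leaky_bucket {
    uint64_t last_ns;   /* time of the last update */
    uint64_t level_m;   /* fill level in 1/1000 packet units */
};

/* Returns 1 if the packet passes, 0 if it is dropped. */
static int lb_allow(struct leaky_bucket *b, uint64_t now_ns)
{
    /* packets drained since last update = elapsed_s * rate, in milli-packets */
    uint64_t drained_m = (now_ns - b->last_ns) * LB_RATE_PPS / 1000000ULL;
    b->level_m = drained_m >= b->level_m ? 0 : b->level_m - drained_m;
    b->last_ns = now_ns;
    if (b->level_m + 1000 > (uint64_t)LB_BURST * 1000)
        return 0;                          /* bucket would overflow: drop */
    b->level_m += 1000;
    return 1;
}

/* Sliding window approximated from two fixed windows: the previous window's
 * count is weighted by how much of it still overlaps the trailing window. */
struct sliding_window {
    uint64_t cur_start_ns;  /* start of the current fixed window */
    uint32_t cur_count;     /* packets seen in the current window */
    uint32_t prev_count;    /* packets seen in the previous window */
};

static int sw_allow(struct sliding_window *w, uint64_t now_ns)
{
    uint64_t since = now_ns - w->cur_start_ns;
    if (since >= SW_WINDOW_NS) {
        uint64_t skipped = since / SW_WINDOW_NS;
        w->prev_count = skipped == 1 ? w->cur_count : 0; /* a gap empties history */
        w->cur_count = 0;
        w->cur_start_ns += skipped * SW_WINDOW_NS;
        since = now_ns - w->cur_start_ns;
    }
    uint64_t est = (uint64_t)w->prev_count * (SW_WINDOW_NS - since) / SW_WINDOW_NS
                 + w->cur_count;
    if (est + 1 > SW_LIMIT)
        return 0;
    w->cur_count++;
    return 1;
}

enum scheme { LEAKY_BUCKET, SLIDING_WINDOW };

/* Constructed stream: n packets with fixed spacing, the first at t=0.
 * Returns how many packets the chosen scheme lets through. */
static int count_passed(enum scheme s, uint64_t spacing_ns, int n)
{
    struct leaky_bucket lb = {0};
    struct sliding_window sw = {0};
    int passed = 0;
    for (int i = 0; i < n; i++) {
        uint64_t t = (uint64_t)i * spacing_ns;
        passed += s == LEAKY_BUCKET ? lb_allow(&lb, t) : sw_allow(&sw, t);
    }
    return passed;
}

int main(void)
{
    /* 1) hit-and-run flood: 1000 packets in 100 ms (10k pps) */
    printf("flood 10k pps x 100 ms:  leaky %d/1000, sliding %d/1000\n",
           count_passed(LEAKY_BUCKET, 100000, 1000),
           count_passed(SLIDING_WINDOW, 100000, 1000));
    /* 2) legitimate steady client: 50 pps for 2 s */
    printf("steady 50 pps x 2 s:     leaky %d/100,  sliding %d/100\n",
           count_passed(LEAKY_BUCKET, 20000000, 100),
           count_passed(SLIDING_WINDOW, 20000000, 100));
    /* 3) legitimate bursty client: 100 packets in 10 ms, then silence */
    printf("burst 100 pkts in 10 ms: leaky %d/100,  sliding %d/100\n",
           count_passed(LEAKY_BUCKET, 100000, 100),
           count_passed(SLIDING_WINDOW, 100000, 100));
    return 0;
}
```

Scenario 3 is the configuration issue the abstract alludes to: a client whose one-second average is well under the sustained rate still loses half its packets to a leaky bucket whose burst capacity is smaller than its natural burst, while the sliding window, which only bounds the count per window, admits it. Conversely, scenario 1 shows the window letting a full window's worth of flood packets through in the first 10 ms before it closes, whereas the bucket caps the flood at its burst size plus the drain. Neither parameter set is right for every destination; the limits have to be derived from the protected service's real traffic profile, which is why the talk lists configuration alongside the algorithms.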
References:
[1] Tempesta xFW public repository; full open-source release scheduled for June 2026, https://github.com/tempesta-tech/xFW
[2] Tempesta xFW wiki page, https://tempesta-tech.com/tempesta-escudo/knowledge-base/XFW/
Important Dates
| Closing of CFS | June 1st |
| Notification by | June 10th |
| Conference dates | July 13th-16th |