When regular expressions meet XDP


Ivan Koveshnikov
Sergey Nizovtsev


Nuts and Bolts

Session Type




A key to an effective way to mitigate DDoS attacks – is to know the protocol, that is going to be protected. Effective packet parsers allow to discard garbage traffic at high speeds. Understanding of protocol state machines allows to build stateful filters that can spot and block malicious activity. However, such an approach requires a lot of programming work, especially if the DDoS protection system must be able to quickly adopt new protocols.

In such cases filtering by regular expressions helps to deliver coarse packet filtering by payload content. Extremely flexible, regular expressions allow to completely skip programming work and define packet filters by an end user.

Evaluation of regular expressions at network speeds is usually done in Deep Packet Inspection software, which is mostly a transparent appliance installed somewhere on the packet path. Being transparent DPI solutions doesn’t need a real network stack for packet processing, allowing to offload regular expressions to userspace network stack.

While building a rich filtering engine capable of working on the same servers that do provide services we came to the conclusion, that offloading of regular expressions to userspace is not as flexible as we need. In this article and talk we will show how regular expression filtering can be done in XDP context, what is a performance of the resulting solution, and how it affects other parts of network processing. We will also explain our motivations and the use for the community.