Session

Tempesta xFW: open-source eBPF-based volumetric DDoS protection

Speakers

Alexander Krizhanovsky

Label

Nuts and Bolts

Session Type

Talk

Description

In this talk we present Tempesta xFW - an open-source [1][2] eBPF-based solution for mitigating volumetric DDoS attacks.

Tempesta xFW targets different protection architectures: host-based protection, such as CDN edge or on-premises application delivery controller cases, where a host is a TCP connection endpoint; and router-based protection, such as ISP, hosting, or IaaS provider cases, where a host routes IP packets to protected servers or networks. In the latter case, the host may not “see” normal clean traffic and may receive only traffic containing a DDoS attack. Also, the node may receive only client-to-server traffic, as in direct server return or some traffic scrubbing scenarios.

Moreover, there are always-on, redirection, and hybrid deployment scenarios, and modern “hit-and-run” DDoS attacks, such as Aisuru-Kimwolf, challenge these architectures.

In this talk we discuss:

  1. DDoS protection architectures - surprisingly, most filtering logic is shared across them

  2. What makes DDoS protection logic unique - which protection logic requires specific eBPF programming with extensive map usage and interaction with the kernel, and which can be implemented with traditional firewall rules

  3. XDP and TC program architecture for multi-NIC nodes

  4. Multi-layer filtering architecture and simple protection logic: source port and address filtering, reputation and GeoIP filtering, IP, UDP and TCP anomalies, destination IP rate limiting as the last resort

  5. Different approaches to rate limiting: leaky buckets, sliding windows, probabilistic rate limiting, and issues with proper configuration

  6. TCP authentication approach for ACK and RST flood protection

  7. TCP SYN flood protection for host, router and scrubbing scenarios

  8. DNS protection - from basic parsing to advanced techniques accelerating protected DNS servers

  9. Prometheus monitoring and high-throughput per-CPU incident logging to ClickHouse with sampling under overload

  10. Safe deployment with evaluation mode

  11. Performance evaluation and challenges with current eBPF API limitations

References:

[1]. Tempesta xFW public repository; full open-source release scheduled for June 2026, https://github.com/tempesta-tech/xFW

[2]. Tempesta xFW wiki page, https://tempesta-tech.com/tempesta-escudo/knowledge-base/XFW/