New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Any ebpf and xdp developers out there?
interservermike
Member, Patron Provider
in General
I would like to experiment with custom built in house ddos protection. But the pool of developers with experience seems to be limited. Anyone available? Any suggestions?
Thanks.
Comments
Mike,
You're not the only one looking for these type of developers. They are scarce, at least when I was looking into this.
Alex
Happy to help, I shot you a message.
Especially for ddos mitigation, Not everyone who knows XDP knows how to effectively create solutions for anti-ddos, most XDP/eBPF devs i've met are only doing it for fast proxies, load balancing etc.
probably your best bet. Or I am willing to learn for big payment
Those devs cost a lot. Lexus of dev world.
How hard could it be? It's just a bit of C code.
What's your budget anyway?
No worthwhile application is easy to develop
Sometimes the core functionality is surprisingly simple, just making it user-friendly can be challenging.
You need crazy performance and its not just C code.
You seem to never have a fight with ebpf verifier
So, how many providers do we have here on LET who can and are willing to shell out 2000+ Euros per day?
Also, are we talking about the in-kernel code part only or about the user interface part only or about both?
Personal statement: as much as I dislike it (working on linux stuff) I sometimes just have to. Oh well, that's life. I'm also not a fan of putting an interpreter into a kernel nor of lavishly activating/using hooks, but I get it, people want ebpf just like they want bread with some butter when neither meat not eggs are available ... hence ebpf.
Finally a quick remark re "ebpf verifier" and that one's code has to pass it. Frankly, for a developer knowing about verification (and I mean real formal verification, not the toy stuff) passing the ebpf verifier is about as demanding as having to fight (not a baby but let's say) a 12-year old boy. So, let's not blow that "barrier" out of proportion.
In case you are a trustworthy provider (whom I don't dislike) feel free to PM me. Daily price would be (somewhat) north of what I mentioned above. Work would be done via a german company but only remotely, no travelling. Projects requiring more than 2 weeks would be likely to be somewhat cheaper. Providers outside of the EU would need to pay 50% front-up, of course refundable if the project wasn't ready and properly working roughly in time.
ebpf is good
We only wrote one eBPF program in so many years:
https://github.com/usnistgov/ndn-dpdk/blob/0be2411d08333ad5f74b81e63f599ed5f383190e/bpf/xdp/redir.c
This one does pass the kernel validator.
It filters incoming traffic, redirecting matching packets to XDP socket and passing the rest to kernel.
As long as you don't use maps and no dynamic rules/stateful processing is required ebpf programs are pretty easy
But I cannot imagine anyone sane developing DDoS protection filters for some game protocol in Haskell
Good luck, it‘s not easy to find someone with certain experience. I‘m doing DDoS-Protection since 2013, gaining experience is not a easy task
We do have maps, but it's one-way: the userspace writes the map and the eBPF program queries the map.
The map key is formed from packet headers, which could include Ethernet / IP / UDP / VXLAN / GTPv1U headers.
Both the userspace and the eBPF program forms the map key in the same way, thus achieving the acceptance filtering functionality.
Thank you for all the feedback so far.
I have it compiled on my dedicated server! it is useful to protect VPS but still some heavy attacks can slow you down, needs like 1~7sec to kick out huge TCP attacks! it is bit complicated at start!
or use on your core router BPFire project!