X-Defender is an advanced DDoS mitigation tool built with eBPF and XDP. It not only filters and limits malicious traffic in real-time but also takes a proactive and aggressive approach to neutralize threats before they impact your network. Leveraging the power of XDP, X-Defender operates at the lowest level of the Linux networking stack, ensuring high performance and minimal latency while effectively countering even the most sophisticated DDoS attacks.
Caution: This project is still in very early stages of development. Use at your own risk. We are looking for contributors to help improve and expand the project.
As shown in the Packet flow in Netfilter and General Networking diagram, XDP operates at the earliest point at which packets are handled after the network card receives them. This allows X-Defender to intercept and process packets at this initial stage. Implementing DDoS mitigation at this level protects your system efficiently and cost-effectively while minimizing the load on the rest of the stack. XDP is mostly used in exactly this way, for mitigation and for load balancing, for example at Cloudflare, Meta and many other providers.
Cloud providers employ various techniques to mitigate DDoS attacks, such as Anycast networks, traffic scrubbing centers, geo-blocking, behavioral analytics, blackholing/null routing, and custom load balancers (like Katran by Facebook, GLB by GitHub, and Maglev by Google). These solutions often integrate multiple systems into a single program to provide comprehensive protection.
However, our current focus is on DDoS mitigation using XDP, which is the most effective approach available. By leveraging XDP's low-level packet processing capabilities, we can address DDoS attacks at the earliest stage of packet handling. X-Defender, by operating at this foundational level of the network stack, ensures efficient mitigation of DDoS attacks with minimal impact on system performance.
We mean this literally: if you want to know more about packet-dropping performance at each layer of the stack, read this blog post by @majek.
To learn how they deployed this tool in a distributed manner, you can read this article by @Gilberto.
X-Defender processes incoming packets at the network interface level using eBPF and XDP. When the rate limit is exceeded or an attack is detected, the tool drops or redirects the malicious packets.
- Packet Inspection: Detects malicious patterns and excessive traffic.
- Rate Limiting: Controls traffic flow based on thresholds and historical data.
- Real-Time Decision Making: Determines packet handling actions to ensure network integrity.
- Adaptive Feedback: Continuously updates rules and limits based on current traffic.
- Analytics and Reporting: Provides detailed traffic analysis and generates reports for ongoing defense optimization.
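To make the rate-limiting and decision step concrete, here is an added example (not X-Defender's own code) of the per-source decision an XDP program makes, written as plain C so it runs in userspace: the BPF hash map is replaced by a small in-process table and bpf_ktime_get_ns() by a caller-supplied timestamp. The 10-packet burst with 10 packets/s sustained threshold and the fail-closed behaviour when the table is full are assumptions chosen for the example.

```c
#include <stdint.h>
#include <string.h>
#define XDP_DROP 1                /* numeric values match the kernel's enum xdp_action */
#define XDP_PASS 2
#define BUCKET_CAP 10             /* assumed policy: a burst of 10 packets per source ...   */
#define REFILL_NS  100000000ULL   /* ... refilled one token per 100 ms (10 pkt/s sustained) */
#define TABLE_SIZE 256

/* Per-source state: a BPF_MAP_TYPE_HASH keyed by source address in XDP; a tiny open-addressing table here. */
struct bucket { uint32_t saddr; uint32_t tokens; uint64_t last_ns; int used; };
static struct bucket table[TABLE_SIZE];

static struct bucket *bucket_for(uint32_t saddr, uint64_t now_ns) {
    unsigned h = (saddr * 2654435761u) % TABLE_SIZE;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        struct bucket *b = &table[(h + i) % TABLE_SIZE];
        if (!b->used) {           /* first packet from this source: start with a full bucket */
            *b = (struct bucket){ saddr, BUCKET_CAP, now_ns, 1 };
            return b;
        }
        if (b->saddr == saddr) return b;
    }
    return NULL;                  /* table full */
}

/* Token-bucket decision for one packet from saddr at now_ns (an XDP program would use bpf_ktime_get_ns()). */
int rate_limit_action(uint32_t saddr, uint64_t now_ns) {
    struct bucket *b = bucket_for(saddr, now_ns);
    if (!b) return XDP_DROP;      /* fail closed when per-source state is exhausted (assumed policy) */
    uint64_t refill = (now_ns - b->last_ns) / REFILL_NS;
    if (refill) {                 /* credit whole tokens; keep the partial interval */
        uint64_t t = b->tokens + refill;
        b->tokens = t > BUCKET_CAP ? BUCKET_CAP : (uint32_t)t;
        b->last_ns += refill * REFILL_NS;
    }
    if (b->tokens == 0) return XDP_DROP;
    b->tokens--;
    return XDP_PASS;
}

/* Modelled on the XDP hook: parse Ethernet + IPv4 with explicit length checks (as the BPF verifier requires), then apply the limit. */
int xdp_decide(const uint8_t *pkt, size_t len, uint64_t now_ns) {
    if (len < 14 + 20) return XDP_PASS;                      /* too short for IPv4 */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return XDP_PASS; /* EtherType is not IPv4 */
    if ((pkt[14] >> 4) != 4) return XDP_PASS;                /* IP version is not 4 */
    uint32_t saddr;                                          /* kept in network byte order */
    memcpy(&saddr, pkt + 14 + 12, sizeof saddr);
    return rate_limit_action(saddr, now_ns);
}
```

Non-IPv4 frames are passed untouched in this model; a real deployment would decide separately how to treat IPv6 and non-IP traffic.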
Note: I strive to ensure compatibility with recent Ubuntu versions for OSS builds. For build issues or support with older versions, please open a GitHub issue or submit a pull request.
In our view, the optimal use of this tool is on L4 load balancers or as the first point in your network stack. Deploying it at this level ensures that malicious traffic is dropped before it can impact any upstream services, providing an additional layer of security and performance.
Here are examples of X-Defender usage and integration.
X-Defender is designed as an advanced DDoS mitigation tool that leverages the capabilities of eBPF and XDP to provide high-performance packet filtering and traffic management at the earliest point of packet processing, directly on the network interface. The primary intended use of X-Defender is to detect and mitigate malicious traffic patterns, such as those seen in DDoS attacks, in real-time, with minimal resource overhead.
- Cloud Service Providers: For integrating low-level packet filtering to safeguard virtual networks, virtual machines, and other cloud resources from DDoS attacks.
- Content Delivery Networks (CDNs): To defend against attacks aimed at disrupting their global content distribution capabilities.
- Internet Service Providers (ISPs): To protect infrastructure from large-scale DDoS attacks and ensure uninterrupted service for their customers.
- Large Enterprises: Especially those in sectors like finance, healthcare, and e-commerce, which are frequent targets of DDoS attacks and require real-time protection to maintain service availability.
- Managed Security Service Providers (MSSPs): To offer advanced DDoS protection services to their clients as part of a comprehensive security portfolio.