I am going to keep netfilter and wireless lists on for now unless I hear
more objections. We will be doing about one a day from now until about
the time of the conference.
The tech committee would like to announce a new accepted talk.
Huapeng Zhou, Doug Porter, Ryan Tierney and Nikita Shirokov
are going to give a talk on Droplet which is used at Facebook
to plug in DDoS countermeasures.
More details:
----
Droplet is a generic framework to implement bpf policers to drop
packets at the earliest stage in the networking stack, preferably at
line rate. It's born for anti-DDoS and is the preferred infrastructure
at Facebook to plug in DDoS countermeasures. This talk presents the
overall architecture of Droplet and discusses a few issues in
developing and rolling out the software.
At a high level, Droplet takes bpf policer code written in restricted C
syntax, compiles it at runtime and hooks it into the kernel. The
framework abstracts out interactions between user space and kernel
space so the end user only needs to write policer code. It could chain
bpf programs together so we get multiple active DDoS countermeasures at
the same time. The policer code is shipped as configuration, which
enables fast response time when under active attacks.
--------
cheers,
jamal