Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building a Lightning Fast Firewall with Java & ...

Avatar for Johannes Bechberger Johannes Bechberger
September 02, 2024
0
310

Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)

Avatar for Johannes Bechberger

Johannes Bechberger

September 02, 2024
Tweet

More Decks by Johannes Bechberger

See All by Johannes Bechberger
Who instruments the instrumenters?
Avatar for Johannes Bechberger parttimenerd
0
4
hello-ebpf: Writing eBPF programs directly in Java
Avatar for Johannes Bechberger parttimenerd
0
3
Writing a Minimal Scheduler with eBPF, sched_ext, and C
Avatar for Johannes Bechberger parttimenerd
0
21
Sound of Scheduling: Writing Linux Schedulers in Java with eBPF
Avatar for Johannes Bechberger parttimenerd
0
17
hello-ebpf: Writing eBPF programs directly in Java
Avatar for Johannes Bechberger parttimenerd
0
28
Writing a Linux scheduler in Java with eBPF
Avatar for Johannes Bechberger parttimenerd
0
61
Instrument to remove (JavaForum Stuttgart 2024)
Avatar for Johannes Bechberger parttimenerd
0
60
Python 3.12's new monitoring and debugging API (PyConDE 2024)
Avatar for Johannes Bechberger parttimenerd
0
68
Instrument to remove (VoxxedDays Zürich 2024)
Avatar for Johannes Bechberger parttimenerd
0
61

Featured

See All Featured
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
640
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.4k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
123
52k
KATA
Avatar for Megan Lloyd mclloyd
29
14k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
252
21k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
48
5.4k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
20k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
130
19k

Transcript

  1. Building a Lightning Fast Firewall in Java & eBPF Mohammed

    Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf

  2. We have a simple web application

  3. We have a simple web application DDoS Attack

  4. The naïve way?

  5. None

  6. Drop packets in your application

  7. Any Problems?

  8. Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/

  9. Alternative: Use a Firewall

  10. How to improve it?

  11. https://blog.cloudflare.com/how-to-drop-10-million-packets/

  12. Become a 10x Firewall

  13. vs https://blog.cloudflare.com/how-to-drop-10-million-packets/

  14. Sockets Allocations XDP

  15. https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading

  16. Option 1: Change Kernel Traditional ways Option 2: Kernel Module

  17. Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a

    stable kernel interface, but you really do not, and you don’t even know it.

  18. Option 1: Change Kernel Traditional ways Option 2: Kernel Module

  19. Can we do better?

  20. None

  21. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4

  22. https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript

    into the Linux kernel “ Brendan Gregg

  23. eBPF is making the Linux Kernel programmable at native execution

    speed!

  24. eBPF runtime

  25. None
  26. None

  27. eBPF runtime Safety and Security Efficiency Continuous delivery Standard

  28. How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/

  29. How to share data? Any Problems?

  30. How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/

  31. eBPF Maps

  32. eBPF Maps Map Types • (LRU) Hash Maps • Arrays

    • Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/

  33. eBPF hooks https://ebpf.io/what-is-ebpf/

  34. Tracing & Profiling

  35. Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/

  36. Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png

  37. https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg

  38. eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/

  39. eBPF Ecosystem https://ebpf.io

  40. https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem

  41. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg

  42. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg

  43. https://www.youtube.com/watch?v=X3AWV5lJ6RY

  44. https://www.youtube.com/watch?v=X3AWV5lJ6RY user land

  45. None

  46. Work in Progress

  47. Live Coding

  48. Live Coding Having fun with eBPF

  49. Firewall Demo

  50. XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9

  51. Sockets XDP

  52. XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9

  53. The only way of disco- vering the limits of the

    possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906

  54. Project Panama

  55. None

  56. And for the compiler nerds https://godbolt.org/z/9xoMzsc4b

  57. Blog Posts A post every other week since January

  58. A glimpse into the future Java as a first class

    language for eBPF

  59. A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel

  60. A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/

  61. A glimpse into the future Kernel Recipes 2023 - sched_ext:

    pluggable scheduling in the Linux kernel
  62. None

  63. Final thoughts!

  64. Thank you Mohammed Aboullaite @laytoun [email protected] Thanks to Dylan Reimerink

    Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @[email protected]