Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building a Lightning Fast Firewall with Java & ...
Search
Johannes Bechberger
September 02, 2024
0
21
Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)
Johannes Bechberger
September 02, 2024
Tweet
Share
More Decks by Johannes Bechberger
See All by Johannes Bechberger
Writing a Linux scheduler in Java with eBPF
parttimenerd
0
11
Instrument to remove (JavaForum Stuttgart 2024)
parttimenerd
0
17
Python 3.12's new monitoring and debugging API (PyConDE 2024)
parttimenerd
0
36
Instrument to remove (VoxxedDays Zürich 2024)
parttimenerd
0
20
Let’s create a Python Debugger together (PyConLt 2024)
parttimenerd
0
30
Python 3.12's new monitoring and debugging API
parttimenerd
0
84
Inner Workings of Safepoints
parttimenerd
0
58
Do you trust profilers? I once did too
parttimenerd
0
52
DIY Python Debugger
parttimenerd
0
5k
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Happy Clients
brianwarren
97
6.7k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Faster Mobile Websites
deanohume
304
30k
Code Review Best Practice
trishagee
64
17k
How STYLIGHT went responsive
nonsquared
95
5.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
505
140k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Ruby is Unlike a Banana
tanoku
96
11k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Transcript
Building a Lightning Fast Firewall in Java & eBPF Mohammed
Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf
We have a simple web application
We have a simple web application DDoS Attack
The naïve way?
None
Drop packets in your application
Any Problems?
Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/
Alternative: Use a Firewall
How to improve it?
https://blog.cloudflare.com/how-to-drop-10-million-packets/
Become a 10x Firewall
vs https://blog.cloudflare.com/how-to-drop-10-million-packets/
Sockets Allocations XDP
https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a
stable kernel interface, but you really do not, and you don’t even know it.
Option 1: Change Kernel Traditional ways Option 2: Kernel Module
Can we do better?
None
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4
https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript
into the Linux kernel “ Brendan Gregg
eBPF is making the Linux Kernel programmable at native execution
speed!
eBPF runtime
None
None
eBPF runtime Safety and Security Efficiency Continuous delivery Standard
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
How to share data? Any Problems?
How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/
eBPF Maps
eBPF Maps Map Types • (LRU) Hash Maps • Arrays
• Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/
eBPF hooks https://ebpf.io/what-is-ebpf/
Tracing & Profiling
Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/
Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png
https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg
eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/
eBPF Ecosystem https://ebpf.io
https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
eBPF is a crazy technology, it’s like putting JavaScript into
the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg
https://www.youtube.com/watch?v=X3AWV5lJ6RY
https://www.youtube.com/watch?v=X3AWV5lJ6RY user land
None
Work in Progress
Live Coding
Live Coding Having fun with eBPF
Firewall Demo
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
Sockets XDP
XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9
The only way of disco- vering the limits of the
possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906
Project Panama
None
And for the compiler nerds https://godbolt.org/z/9xoMzsc4b
Blog Posts A post every other week since January
A glimpse into the future Java as a first class
language for eBPF
A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel
A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
A glimpse into the future Kernel Recipes 2023 - sched_ext:
pluggable scheduling in the Linux kernel
None
Final thoughts!
Thank you Mohammed Aboullaite @laytoun
[email protected]
Thanks to Dylan Reimerink
Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @
[email protected]