Building a Lightning Fast Firewall with Java & eBPF (JavaZone 2024)

Transcript

1. Building a Lightning Fast Firewall in Java & eBPF Mohammed

   Aboullaite @laytoun Sr Backend Engineer, Spotify Java Champion Google Developer Expert Johannes Bechberger mostlynerdless.de OpenJDK Developer, SAP Creator of hello-ebpf

2. We have a simple web application

3. We have a simple web application DDoS Attack

4. The naïve way?

5. None

6. Drop packets in your application

7. Any Problems?

8. Sockets https://mostlynerdless.de/blog/2024/08/13/hello-ebpf-a-packet-logger-in-pure-java-using-tc-and-xdp-hooks-13/

9. Alternative: Use a Firewall

10. How to improve it?

11. https://blog.cloudflare.com/how-to-drop-10-million-packets/

12. Become a 10x Firewall

13. vs https://blog.cloudflare.com/how-to-drop-10-million-packets/

14. Sockets Allocations XDP

15. https://blog.cloudflare.com/how-to-drop-10-million-packets/ vs even faster with offloading

16. Option 1: Change Kernel Traditional ways Option 2: Kernel Module

17. Greg Kroah-Hartman “ https://www.kernel.org/doc/html/latest/process/stable-api-nonsense.html https://www.youtube.com/watch?v=agC5N9I6jRE You think you want a

    stable kernel interface, but you really do not, and you don’t even know it.

18. Option 1: Change Kernel Traditional ways Option 2: Kernel Module

19. Can we do better?

20. None

21. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel Brendan Gregg “ https://www.youtube.com/watch?v=tDacjrSCeq4

22. https://www.facesofopensource.com/brendan-gregg/ eBPF is a crazy technology, it’s like putting JavaScript

    into the Linux kernel “ Brendan Gregg

23. eBPF is making the Linux Kernel programmable at native execution

    speed!

24. eBPF runtime

25. None
26. None

27. eBPF runtime Safety and Security Efficiency Continuous delivery Standard

28. How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/

29. How to share data? Any Problems?

30. How to share data? https://mostlynerdless.de/blog/2024/01/12/hello-ebpf-recording-data-in-basic-ebpf-maps-2/

31. eBPF Maps

32. eBPF Maps Map Types • (LRU) Hash Maps • Arrays

    • Ring Buffers • … https://mostlynerdless.de/blog/2024/03/12/hello-ebpf-ring-buffers-in-libbpf-6/

33. eBPF hooks https://ebpf.io/what-is-ebpf/

34. Tracing & Profiling

35. Observability and Monitoring https://coralogix.com/blog/what-ebpf-why-important-for-observability/

36. Security Control https://coralogix.com/blog/what-ebpf-why-important-for-observability/ https://ubuntu.com/wp-content/uploads/1e80/AppArmour.png

37. https://commons.wikimedia.org/wiki/File:CrowdStrike_BSOD_at_LGA.jpg

38. eBPF has bugs too (and kernel level access) https://nvd.nist.gov/vuln/

39. eBPF Ecosystem https://ebpf.io

40. https://github.com/parttimenerd/hello-ebpf eBPF Ecosystem

41. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg

42. eBPF is a crazy technology, it’s like putting JavaScript into

    the Linux kernel https://www.youtube.com/watch?v=tDacjrSCeq4 “ Brendan Gregg

43. https://www.youtube.com/watch?v=X3AWV5lJ6RY

44. https://www.youtube.com/watch?v=X3AWV5lJ6RY user land

45. None

46. Work in Progress

47. Live Coding

48. Live Coding Having fun with eBPF

49. Firewall Demo

50. XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9

51. Sockets XDP

52. XDP https://mostlynerdless.de/blog/2024/04/22/hello-ebpf-xdp-based-packet-filter-9

53. The only way of disco- vering the limits of the

    possible is to venture a little way past them into the impossible. Clarke’s second law “ https://www.flickr.com/photos/itupictures/16636142906

54. Project Panama

55. None

56. And for the compiler nerds https://godbolt.org/z/9xoMzsc4b

57. Blog Posts A post every other week since January

58. A glimpse into the future Java as a first class

    language for eBPF

59. A glimpse into the future https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/ https://en.wikipedia.org/wiki/File:Pistachio_macro_whitebackground_NS.jpg Towards a Micro-Kernel

60. A glimpse into the future Kernel Fixes Reimagined https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/

61. A glimpse into the future Kernel Recipes 2023 - sched_ext:

    pluggable scheduling in the Linux kernel
62. None

63. Final thoughts!

64. Thank you Mohammed Aboullaite @laytoun [email protected] Thanks to Dylan Reimerink

    Resources Johannes Bechberger mostlynerdless.de @parttimen3rd @[email protected]