eBPF#
eBPF (extended Berkeley Packet Filter) is a kernel virtual machine that runs sandboxed programs at predefined hook points (network, syscall, tracing, security). The verifier rejects programs that loop unboundedly or access invalid memory, so an eBPF program can run in kernel context without crashing it.
In the networking path, eBPF programs sit earlier than iptables /
nftables. XDP runs in the NIC driver before skb allocation;
tc (traffic control) runs at the qdisc layer. Both are used to drop
DDoS traffic, load-balance, redirect, or encapsulate at line rate.
flowchart LR
subgraph Ingress["Ingress, packet → app"]
direction LR
N1[NIC<br/>driver] --> X(["<b>XDP</b><br/>eBPF"])
X --> TI(["<b>tc-ingress</b><br/>eBPF"])
TI --> NF1[netfilter<br/>conntrack · iptables]
NF1 --> S1[socket layer]
S1 --> A1[app<br/>userspace]
end
subgraph Egress["Egress, app → wire"]
direction LR
A2[app<br/>userspace] --> S2[socket layer]
S2 --> NF2[netfilter]
NF2 --> TE(["<b>tc-egress</b><br/>eBPF"])
TE --> N2[NIC<br/>driver]
end
classDef ebpf fill:#1f6feb,stroke:#58a6ff,color:#ffffff
classDef nf fill:#6b3a1f,stroke:#a55a2a,color:#ffe9d6
class X,TI,TE ebpf
class NF1,NF2 nf
Hook points#
Hook |
Use case |
|---|---|
XDP |
Earliest packet path; DDoS drop, L4 LB, fast forwarding. |
tc (cls / act) |
L2 / L3 classifier and policer; mirroring, QoS, redirect. |
socket filter |
Per-socket filtering (the original BPF use case). |
sk_skb |
Stream parser for SOCKMAP-based redirection. |
cgroup |
Per-cgroup ingress/egress policy, |
sock_ops |
TCP state-machine hooks (BBR tuning, accelerated proxy). |
LSM |
Kernel security hooks ( |
kprobe / uprobe |
Observability into kernel and user functions. |
tracepoint |
Stable kernel tracepoints ( |
Tooling#
bpftool, inspect, load, attach, dump maps. Ships in the kernel source tree.libbpf+CO-RE, the modern C library; programs portable across kernel versions.BCC, Python / C++ framework with a large catalog of ready-made tools (
tcpconnect,tcplife,tcpretrans,opensnoop).bpftrace, high-level tracing language,
awk-like for kernel events.Cilium, Kubernetes CNI built on eBPF; replaces
kube-proxyandiptablesfor service routing.Calico, alternative CNI with an eBPF dataplane mode.
Katran, Meta’s XDP-based L4 load balancer.
Falco, runtime security on eBPF events.
Examples#
Inspect what’s already loaded:
$ sudo bpftool prog show
$ sudo bpftool prog show id 42 --pretty
$ sudo bpftool map show
$ sudo bpftool net show
$ sudo bpftool feature probe kernel
Attach an XDP program (drop UDP/53, demo):
$ sudo ip link set dev eth0 xdp obj /path/to/drop_dns.o sec xdp
$ sudo ip link show dev eth0
$ sudo ip link set dev eth0 xdp off
Attach a tc filter to mirror traffic:
$ sudo tc qdisc add dev eth0 clsact
$ sudo tc filter add dev eth0 ingress bpf obj /path/to/mirror.o sec ingress
$ sudo tc filter show dev eth0 ingress
One-liners with bpftrace:
$ sudo bpftrace -e 'tracepoint:tcp:tcp_send_reset { printf("RST %s -> %s\n", ntop(args->saddr), ntop(args->daddr)); }'
$ sudo bpftrace -e 'kprobe:tcp_connect { @[comm] = count(); }'
$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }'
BCC ready-made tools (Debian: apt install bpfcc-tools):
$ sudo tcpconnect-bpfcc
$ sudo tcplife-bpfcc
$ sudo tcpretrans-bpfcc
$ sudo opensnoop-bpfcc -p $(pgrep -f nginx)
Detection (defender’s view)#
eBPF is dual-use. Adversaries hide processes, files, and network connections by hooking syscalls and overwriting return data.
Audit
CAP_BPF/CAP_SYS_ADMINgrants andBPF()syscall invocations (auditd rule on syscall321).bpftool prog showandbpftool map showenumerate loaded programs and maps; diff against a known-good baseline./sys/fs/bpf/pinned objects.Lock down with
kernel.unprivileged_bpf_disabled=1.
See detection for the broader EDR picture.
References#
ebpf.io, standard introduction and tool index.
detection, runtime monitoring on eBPF.