eBPF#

eBPF (extended Berkeley Packet Filter) is a kernel virtual machine that runs sandboxed programs at predefined hook points (network, syscall, tracing, security). The verifier rejects programs that loop unboundedly or access invalid memory, so an eBPF program can run in kernel context without crashing it.

In the networking path, eBPF programs sit earlier than iptables / nftables. XDP runs in the NIC driver before skb allocation; tc (traffic control) runs at the qdisc layer. Both are used to drop DDoS traffic, load-balance, redirect, or encapsulate at line rate.

        flowchart LR
    subgraph Ingress["Ingress, packet → app"]
        direction LR
        N1[NIC<br/>driver] --> X(["<b>XDP</b><br/>eBPF"])
        X --> TI(["<b>tc-ingress</b><br/>eBPF"])
        TI --> NF1[netfilter<br/>conntrack · iptables]
        NF1 --> S1[socket layer]
        S1 --> A1[app<br/>userspace]
    end

    subgraph Egress["Egress, app → wire"]
        direction LR
        A2[app<br/>userspace] --> S2[socket layer]
        S2 --> NF2[netfilter]
        NF2 --> TE(["<b>tc-egress</b><br/>eBPF"])
        TE --> N2[NIC<br/>driver]
    end

    classDef ebpf fill:#1f6feb,stroke:#58a6ff,color:#ffffff
    classDef nf   fill:#6b3a1f,stroke:#a55a2a,color:#ffe9d6
    class X,TI,TE ebpf
    class NF1,NF2 nf
    

Hook points#

Hook

Use case

XDP

Earliest packet path; DDoS drop, L4 LB, fast forwarding.

tc (cls / act)

L2 / L3 classifier and policer; mirroring, QoS, redirect.

socket filter

Per-socket filtering (the original BPF use case).

sk_skb

Stream parser for SOCKMAP-based redirection.

cgroup

Per-cgroup ingress/egress policy, connect hooks.

sock_ops

TCP state-machine hooks (BBR tuning, accelerated proxy).

LSM

Kernel security hooks (bpf_lsm).

kprobe / uprobe

Observability into kernel and user functions.

tracepoint

Stable kernel tracepoints (net/*, tcp/*).

Tooling#

  • bpftool, inspect, load, attach, dump maps. Ships in the kernel source tree.

  • libbpf + CO-RE, the modern C library; programs portable across kernel versions.

  • BCC, Python / C++ framework with a large catalog of ready-made tools (tcpconnect, tcplife, tcpretrans, opensnoop).

  • bpftrace, high-level tracing language, awk-like for kernel events.

  • Cilium, Kubernetes CNI built on eBPF; replaces kube-proxy and iptables for service routing.

  • Calico, alternative CNI with an eBPF dataplane mode.

  • Katran, Meta’s XDP-based L4 load balancer.

  • Falco, runtime security on eBPF events.

Examples#

Inspect what’s already loaded:

$ sudo bpftool prog show
$ sudo bpftool prog show id 42 --pretty
$ sudo bpftool map show
$ sudo bpftool net show
$ sudo bpftool feature probe kernel

Attach an XDP program (drop UDP/53, demo):

$ sudo ip link set dev eth0 xdp obj /path/to/drop_dns.o sec xdp
$ sudo ip link show dev eth0
$ sudo ip link set dev eth0 xdp off

Attach a tc filter to mirror traffic:

$ sudo tc qdisc add dev eth0 clsact
$ sudo tc filter add dev eth0 ingress bpf obj /path/to/mirror.o sec ingress
$ sudo tc filter show dev eth0 ingress

One-liners with bpftrace:

$ sudo bpftrace -e 'tracepoint:tcp:tcp_send_reset { printf("RST %s -> %s\n", ntop(args->saddr), ntop(args->daddr)); }'
$ sudo bpftrace -e 'kprobe:tcp_connect { @[comm] = count(); }'
$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }'

BCC ready-made tools (Debian: apt install bpfcc-tools):

$ sudo tcpconnect-bpfcc
$ sudo tcplife-bpfcc
$ sudo tcpretrans-bpfcc
$ sudo opensnoop-bpfcc -p $(pgrep -f nginx)

Detection (defender’s view)#

eBPF is dual-use. Adversaries hide processes, files, and network connections by hooking syscalls and overwriting return data.

  • Audit CAP_BPF / CAP_SYS_ADMIN grants and BPF() syscall invocations (auditd rule on syscall 321).

  • bpftool prog show and bpftool map show enumerate loaded programs and maps; diff against a known-good baseline.

  • /sys/fs/bpf/ pinned objects.

  • Lock down with kernel.unprivileged_bpf_disabled=1.

See detection for the broader EDR picture.

References#