September 18, 2020 12:00PM
Raking the floods: my intern project using eBPF
SYN-cookies help mitigate SYN-floods for TCP, but how can we protect services from similar attacks that use UDP? We designed an algorithm and a library to fill this gap, and it’s open source!...
July 08, 2020 12:00PM
Sandboxing in Linux with zero lines of code
In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code....
April 06, 2020 12:00PM
Conntrack tales - one thousand and one flows
We were wondering - can we just enable Linux "conntrack"? How does it actually work? I volunteered to help the team understand the dark corners of Linux's "conntrack" stateful firewall subsystem....
March 25, 2020 12:00PM
Speeding up Linux disk encryption
Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers!...
March 19, 2020 12:57PM
Keepalives considered harmful
You’d think keepalives would always be helpful, but it turns out reality isn’t always what you expect it to be. It really helps if you read "Why does one NGINX worker take all the load?" first....