
Linux Kernel 6.18 Now Better Against DDoS Attacks

In a significant stride towards bolstering server resilience against distributed denial of service (DDoS) attacks, a set of patches has been merged into the Linux kernel version 6.18. These patches promise to enhance the efficiency of UDP receive performance under stress, marking a pivotal improvement for systems frequently targeted by such cyber threats.

The optimization is the brainchild of Eric Dumazet, a Google engineer renowned for his contributions to the Linux kernel. Dumazet meticulously analyzed the UDP stack and devised a patch series that has been incorporated into the networking changes for Linux 6.18. His work focuses on streamlining the receive side of the UDP stack, particularly in scenarios where one or several UDP sockets are under DDoS assault.

Dumazet’s patch series delivers a remarkable 47% increase in throughput during DDoS tests, utilizing IPv6 UDP packets with a 120-byte payload. The testing involved 16 CPUs receiving traffic aimed at a single socket. The series is structured as follows:

  1. The initial four patches are designed to reduce the size of the struct ipv6_pinfo and reorganize its fields for a more efficient transmission path. This adjustment also benefits TCP by eliminating one cache line miss.
  2. Patches five and six optimize the reading and updating of sk->sk_rmem_alloc, thereby decreasing spinlock contention on the busylock.
  3. Patches seven and eight improve data locality by altering the ordering of the backlog, receive queue, and drop counters.
  4. Patch nine eliminates the hashed array of spinlocks in favor of a single spinlock per UDP socket.
  5. The final patch adopts skb_attempt_defer_free(), a technique that has already proven successful in TCP, for more effective packet handling.

Dumazet highlighted the impact of the ninth patch in particular, which enables a Linux server to process an additional 14.2 million packets per second while under attack. This patch replaces the busylock with intermediate lockless queues, one for each NUMA node, reducing the contention among CPUs for the UDP receive queue lock.

Before the patch, a test on an Intel Xeon 6985P-C platform with 6 NUMA nodes showed the system processing 1,004,179 UDP packets, with some receive errors. After the patch, the same test processed 1,116,633 UDP packets, the system handled 14.2 million more packets per second during the attack, and the victim socket received 11% more packets.
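The article reports the benchmark in terms of packets processed and receive errors. As an added example (not code from the article or from the kernel patch series), the script below reads the same kind of figures on a running host from the Udp: block of /proc/net/snmp and turns two snapshots into per-second rates and a receive-buffer drop ratio; the two snapshots embedded here are constructed sample text, not the benchmark output.

```python
"""Measure UDP receive pressure from the Udp: counters in /proc/net/snmp."""
from typing import Dict

# Constructed sample snapshots (not real benchmark output), taken 2 s apart.
# /proc/net/snmp pairs a header line with a value line sharing the same prefix.
SNAPSHOT_T0 = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 5000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 500000 12 1000 200 1000 0 0 0 0
"""
SNAPSHOT_T1 = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 7000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 1500000 12 3000 200 3000 0 0 0 0
"""


def parse_udp_counters(text: str) -> Dict[str, int]:
    """Return the Udp: counters of one /proc/net/snmp snapshot as name -> value."""
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        if lines[i].startswith("Udp:") and lines[i + 1].startswith("Udp:"):
            names = lines[i].split()[1:]
            values = lines[i + 1].split()[1:]
            if len(names) != len(values):
                raise ValueError("Udp: header and value lines differ in length")
            return dict(zip(names, (int(v) for v in values)))
    raise ValueError("no Udp: block found")


def udp_rates(before: Dict[str, int], after: Dict[str, int], interval_s: float) -> Dict[str, float]:
    """Per-second deltas of the counters that matter under a UDP flood."""
    return {n: (after[n] - before[n]) / interval_s
            for n in ("InDatagrams", "InErrors", "RcvbufErrors")}


def rcvbuf_drop_ratio(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of arriving datagrams dropped because socket receive buffers were full."""
    delivered = after["InDatagrams"] - before["InDatagrams"]
    dropped = after["RcvbufErrors"] - before["RcvbufErrors"]
    total = delivered + dropped
    return dropped / total if total else 0.0


def read_snmp(path: str = "/proc/net/snmp") -> Dict[str, int]:
    """Read the live counters on a Linux host (not used by the sample run)."""
    with open(path, encoding="ascii") as f:
        return parse_udp_counters(f.read())


if __name__ == "__main__":
    t0, t1 = parse_udp_counters(SNAPSHOT_T0), parse_udp_counters(SNAPSHOT_T1)
    print(udp_rates(t0, t1, 2.0), rcvbuf_drop_ratio(t0, t1))
```

These counters are host-wide; per-socket drops for a single victim socket, the quantity the article's "11% more packets" refers to, appear in the drops column of /proc/net/udp.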

These enhancements are particularly timely as Linux 6.18 is anticipated to become the Long Term Support (LTS) kernel version later this year. This designation means the kernel will receive extended maintenance and updates, making it a popular choice for enterprise and server deployments. The improved UDP receive path raises the packet rate a server can absorb before it starts dropping traffic, a direct benefit to administrators tasked with keeping services reachable under increasingly sophisticated attacks.

The merging of these patches into Linux 6.18 is a notable advance in network performance under attack, improving server reliability in the face of DDoS floods. As organizations continue to grapple with the challenges of maintaining service availability, such advancements in the open-source Linux kernel are welcome news for the tech community.

Source: Phoronix
