Use-case: DDoS

DDoS protection was the primary use-case XDP was born out of. Cloudflare presented their DDoS use-case at the Network Performance BoF at NetDev 1.1, which convinced many kernel developers that this was a problem that needed to be solved.

End-host protection

When a server is under a DoS (Denial-of-Service) attack, the attacker is trying to use as many resources on the server as possible, so that no processing time is left to serve legitimate users.

Owing to XDP running so early in the software stack, there is almost no processing cost associated with dropping a packet. This makes it a viable option to load an XDP program directly on the server, as filtering out bad/attacker traffic this early frees up processing resources.

As XDP is still part of the Linux network stack, packets that “pass” the XDP filter still have access to all the further filtering features that the kernel normally provides. XDP works in concert with the regular network stack, rather than trying to bypass it.
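
The end-host filter described above, as an added example (not code from the XDP project): an XDP program that drops IPv4 packets from one blocked source prefix and passes everything else on to the regular stack. The prefix is a constructed placeholder from the RFC 5737 documentation range, and the names `ddos_verdict` and `xdp_ddos_filter` are hypothetical.

```c
/* Added example: minimal XDP drop filter for an end host. */
#include <linux/bpf.h>        /* struct xdp_md, XDP_DROP, XDP_PASS */
#include <linux/if_ether.h>   /* struct ethhdr, ETH_P_IP */
#include <linux/ip.h>         /* struct iphdr */
#include <asm/byteorder.h>    /* __constant_htons, __constant_htonl */

#define SEC(name) __attribute__((section(name), used))

/* Constructed placeholder: 198.51.100.0/24, not a value from the page. */
#define BLOCKED_NET  0xC6336400u
#define BLOCKED_MASK 0xFFFFFF00u

/* Verdict for one frame; data and data_end delimit the packet bytes. */
static inline int ddos_verdict(const void *data, const void *data_end)
{
    const struct ethhdr *eth = data;
    const struct iphdr *ip;

    /* Each header is bounds-checked before it is read; the in-kernel
     * BPF verifier rejects programs that skip these checks. */
    if ((const void *)(eth + 1) > data_end)
        return XDP_PASS;      /* too short to judge, leave it to the stack */
    if (eth->h_proto != __constant_htons(ETH_P_IP))
        return XDP_PASS;      /* not IPv4, not handled by this filter */

    ip = (const struct iphdr *)(eth + 1);
    if ((const void *)(ip + 1) > data_end)
        return XDP_PASS;

    /* saddr is in network byte order, so compare against converted constants. */
    if ((ip->saddr & __constant_htonl(BLOCKED_MASK)) ==
        __constant_htonl(BLOCKED_NET))
        return XDP_DROP;      /* discarded at the earliest point */

    return XDP_PASS;          /* continues into the normal network stack */
}

SEC("xdp")
int xdp_ddos_filter(struct xdp_md *ctx)
{
    const void *data = (const void *)(long)ctx->data;
    const void *data_end = (const void *)(long)ctx->data_end;

    return ddos_verdict(data, data_end);
}

char _license[] SEC("license") = "GPL";
```

Packets that return `XDP_PASS` are still subject to whatever netfilter or socket-level rules the host already has, so a filter like this only needs to cover the traffic that is cheap to identify.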