How I Block All 26M of Your Curl Requests
13 hours ago
- #XDP
- #TLS-fingerprinting
- #eBPF
- The article discusses using XDP (eXpress Data Path) and eBPF (extended Berkeley Packet Filter) to block unwanted network requests, particularly from bots.
- XDP allows for high-speed packet filtering directly on the network device, capable of handling up to 26 million packets per second on consumer hardware.
- eBPF is a tiny virtual machine in the kernel that enables running custom programs for packet filtering without modifying the kernel itself.
- The author explains how to parse network packets at the Data Link and Transport layers, including bounds checking to prevent out-of-bounds reads.
- TLS fingerprinting is introduced as a method to identify clients (like curl) based on their TLS handshake characteristics, using JA4 and a custom FST1 hash.
- A non-cryptographic hash (Jenkins hash) is used to fingerprint TLS cipher suites, optimizing for the limited stack space in eBPF.
- The implementation sorts the cipher suites before hashing, so the same set of suites sent in a different order does not produce a duplicate fingerprint, and uses eBPF maps to store the blocked hashes.
- The solution is designed to be fast and efficient, outperforming user-space implementations in preliminary benchmarks.
- The author acknowledges contributors and references, including FoxIO for TLS fingerprinting techniques and Bob Jenkins for the hash algorithm.
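As an added example (not code from the article or its author), here is a user-space C model of the pipeline the bullets describe: XDP-style bounds-checked parsing of the Ethernet, IPv4 and TCP headers down to the TLS ClientHello, extraction of the offered cipher suites, sorting them, hashing them with Bob Jenkins' one-at-a-time hash, and a lookup against a block list. Assumptions: the frame is constructed inline, a plain array stands in for the eBPF map, the exact bytes the article's FST1 hash feeds to Jenkins are not known from this summary so the example hashes the sorted big-endian suite IDs, and all function names are the example's own. It is ordinary C rather than an eBPF program, so it compiles with any C compiler and needs no bpf headers.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_SUITES 32   /* fixed bound on the loop, as an eBPF verifier would demand */
#define R8 0, 0, 0, 0, 0, 0, 0, 0
/* XDP-style bounds check: prove the bytes exist (against `end`) before reading them. */
#define HAVE(p, n) ((size_t)(end - (p)) >= (size_t)(n))

/* Constructed sample frame (not captured traffic): Ethernet + IPv4 + TCP, then a TLS
 * ClientHello offering three cipher suites and no extensions. Checksums are left zero. */
static const uint8_t FRAME[] = {
    0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0,  0x08, 0x00,                      /* Ethernet */
    0x45, 0, 0x00, 0x5e, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, /* IPv4/TCP */
    0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0, 0, 0, 0, 0, 0, /* TCP */
    0x16, 0x03, 0x01, 0x00, 0x31,                   /* TLS record: handshake, len 49 */
    0x01, 0x00, 0x00, 0x2d, 0x03, 0x03,             /* ClientHello, len 45, version 3.3 */
    R8, R8, R8, R8,                                 /* 32-byte client random */
    0x00,                                           /* session ID length 0 */
    0x00, 0x06, 0xc0, 0x2f, 0x13, 0x01, 0xc0, 0x2b, /* three cipher suites */
    0x01, 0x00,                                     /* compression: null only */
};

/* Walks Ethernet -> IPv4 -> TCP -> TLS, checking every read against `end` first.
 * Returns the number of suites written to `out`, or -1 if the frame is not a TLS
 * ClientHello or is too short for the read being attempted. */
int extract_cipher_suites(const uint8_t *data, size_t len, uint16_t *out)
{
    const uint8_t *end = data + len, *p = data;
    if (!HAVE(p, 14) || p[12] != 0x08 || p[13] != 0x00) return -1;  /* IPv4 only */
    p += 14;
    if (!HAVE(p, 20) || (p[0] >> 4) != 4 || p[9] != 6) return -1;   /* TCP only */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || !HAVE(p, ihl)) return -1;
    p += ihl;
    if (!HAVE(p, 20)) return -1;
    size_t doff = (size_t)(p[12] >> 4) * 4;
    if (doff < 20 || !HAVE(p, doff)) return -1;
    p += doff;
    /* record hdr (5) + handshake hdr (4) + version (2) + random (32) + sid len (1) = 44 */
    if (!HAVE(p, 44) || p[0] != 0x16 || p[5] != 0x01) return -1;
    size_t sid_len = p[43];
    p += 44;
    if (!HAVE(p, sid_len + 2)) return -1;
    p += sid_len;
    size_t cs_len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (cs_len % 2 || cs_len / 2 > MAX_SUITES || !HAVE(p, cs_len)) return -1;
    int n = 0;
    for (size_t i = 0; i < cs_len; i += 2)
        out[n++] = (uint16_t)((p[i] << 8) | p[i + 1]);
    return n;
}

/* Bob Jenkins' one-at-a-time hash: non-cryptographic, table-free, one 32-bit word of
 * state, which is what lets it fit within eBPF's small stack. */
uint32_t jenkins_oaat(const uint8_t *key, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++) { h += key[i]; h += h << 10; h ^= h >> 6; }
    h += h << 3; h ^= h >> 11; h += h << 15;
    return h;
}

/* Insertion-sort the suites (no qsort in eBPF, and the loop is bounded for the verifier)
 * so a reordered list yields the same fingerprint, then hash the big-endian suite IDs.
 * That hash-input layout is this example's assumption, not the article's FST1 definition. */
uint32_t suite_fingerprint(const uint16_t *suites, int n)
{
    uint16_t sorted[MAX_SUITES];
    uint8_t bytes[MAX_SUITES * 2];
    if (n < 0 || n > MAX_SUITES) return 0;
    for (int i = 0; i < n; i++) {
        int j = i;
        while (j > 0 && sorted[j - 1] > suites[i]) { sorted[j] = sorted[j - 1]; j--; }
        sorted[j] = suites[i];
    }
    for (int i = 0; i < n; i++) { bytes[2 * i] = (uint8_t)(sorted[i] >> 8); bytes[2 * i + 1] = (uint8_t)sorted[i]; }
    return jenkins_oaat(bytes, (size_t)n * 2);
}

/* Stand-in for the eBPF map lookup: linear scan of a small block list. Returns 1 (drop)
 * if the fingerprint is blocked, 0 (pass) otherwise; unparseable frames are always passed. */
int verdict(const uint8_t *frame, size_t len, const uint32_t *blocked, int nblocked)
{
    uint16_t suites[MAX_SUITES];
    int n = extract_cipher_suites(frame, len, suites);
    if (n < 0) return 0;
    uint32_t fp = suite_fingerprint(suites, n);
    for (int i = 0; i < nblocked; i++) if (blocked[i] == fp) return 1;
    return 0;
}

int main(void)
{
    uint16_t suites[MAX_SUITES];
    int n = extract_cipher_suites(FRAME, sizeof FRAME, suites);
    uint32_t blocklist[] = { suite_fingerprint(suites, n) };
    printf("suites=%d fp=%08x %s\n", n, (unsigned)blocklist[0], verdict(FRAME, sizeof FRAME, blocklist, 1) ? "drop" : "pass");
    return 0;
}
```

In a real XDP program the `HAVE` checks become comparisons against `ctx->data_end`, the array scan becomes a `bpf_map_lookup_elem` on a hash map keyed by fingerprint, and `verdict` returns `XDP_DROP` or `XDP_PASS`. The truncated-frame path matters most: a frame cut off inside the cipher-suite list is passed rather than read past its end, which is the out-of-bounds case the verifier exists to rule out.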