Oubliette
DDoS attacks are a massive pain for anyone trying to keep a service online, and TCP SYN floods with spoofed source IPs are among the worst of them. Because some ISPs still do not implement BCP38 (source-address ingress filtering) correctly, attackers can spoof source IPs with no consequences and flood targets until they fall over.
To combat this without dropping a fortune on proprietary scrubbing hardware, I built Oubliette: a high-performance, line-rate DDoS scrubber that runs on semi-commodity hardware. By hooking directly into the NIC driver with eBPF and XDP (eXpress Data Path), it filters malicious traffic before it ever reaches the Linux kernel network stack.
sequenceDiagram
participant C as Client / Attacker
participant O as oubliette
C->>O: SYN
Note over O: eBPF/XDP Hook
O-->>C: Erroneous SYN-ACK
Note over C: Spoofed IP goes to void.<br/>Real IP replies with RST.
How the validation works
oubliette relies on a very specific, rather beautiful quirk of the TCP handshake, the reset rule in RFC 793, to check that a client really owns the source IP it is sending from:
- The Challenge: When oubliette detects an incoming SYN from an IP that is not yet whitelisted, it intercepts the packet at the XDP layer, does not forward it to the backend, and immediately crafts an erroneous SYN-ACK with a deliberately wrong ACK number (anything other than the client's ISN+1).
- The Spoofed Case: If the source IP was spoofed, that wrong SYN-ACK is sent into the void. The attacker's machine never sees it, never replies, and the target backend server remains untouched. One caveat worth knowing: a live host at the spoofed address will answer an unsolicited SYN-ACK with a RST as well (that is the same RFC 793 rule applied to a closed socket), so what the check actually attests is that something reachable at that IP answers for it, which still rules out the unallocated and unreachable sources that make up the bulk of a random-source flood.
- The Legitimate Case: If the client is legitimate, its native TCP stack receives the incorrect SYN-ACK while in SYN-SENT and, as RFC 793 requires for an unacceptable ACK, immediately responds with a TCP RST (Reset) packet whose sequence number echoes the bogus ACK number it was sent.
- The Whitelist: The moment oubliette intercepts that matching RST packet (same 4-tuple, sequence number equal to the challenge's ACK number), it validates the client and adds its IP address to the whitelist. The client's stack did not abort the connection, so it retransmits its SYN about a second later (the initial retransmission timeout) and sails right through to the backend.
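To make the four steps concrete, here is an added example in plain user-space C; it is not oubliette's own XDP code. It runs the challenge and the RST validation over already-decoded TCP headers, and also shows a spoofer's blind attempt at forging the RST being dropped. The post does not say how oubliette recognises a matching RST, so the stateless keyed-hash "cookie" used as the bogus ACK number, together with the struct names, key and addresses, is this example's assumption.

```c
/* Added example in plain C (user space), not oubliette's own XDP code: the SYN
 * challenge and RST validation the post describes, over already-decoded TCP
 * headers. The stateless keyed-hash cookie used as the bogus ACK number is this
 * example's assumption; the post does not say how it recognises a matching RST. */
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define MAX_ALLOW 64

struct tcp4 { uint32_t saddr, daddr, seq, ack; uint16_t sport, dport; uint8_t flags; };
enum verdict { V_DROP, V_PASS, V_CHALLENGE, V_VALIDATED };
struct scrubber { uint64_t key; uint32_t allow[MAX_ALLOW]; int n; };

/* Keyed FNV-1a over the 4-tuple (assumption): lets the node recognise its own challenge
 * without per-SYN state. With probability 2^-32 it equals the client's ISN+1, i.e. a
 * *correct* ACK; a real deployment must detect that collision and, say, drop the SYN. */
static uint32_t cookie(const struct scrubber *s, const struct tcp4 *t) {
    uint64_t h = 0xcbf29ce484222325ULL ^ s->key;
    uint32_t in[3] = { t->saddr, t->daddr, (uint32_t)t->sport << 16 | t->dport };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 32; j += 8) { h ^= (in[i] >> j) & 0xff; h *= 0x100000001b3ULL; }
    return (uint32_t)(h ^ (h >> 32));
}

int is_allowed(const struct scrubber *s, uint32_t ip) {
    for (int i = 0; i < s->n; i++) if (s->allow[i] == ip) return 1;
    return 0;
}

/* One ingress segment: what the XDP hook decides. `reply` is filled for V_CHALLENGE. */
enum verdict scrub(struct scrubber *s, const struct tcp4 *t, struct tcp4 *reply) {
    if (is_allowed(s, t->saddr)) return V_PASS;              /* validated earlier: forward */
    uint32_t c = cookie(s, t);
    if ((t->flags & (TH_SYN | TH_ACK | TH_RST)) == TH_SYN) { /* pure SYN (ECN bits ignored) */
        *reply = (struct tcp4){ .saddr = t->daddr, .daddr = t->saddr, .sport = t->dport,
                                .dport = t->sport, .seq = c ^ 0x5a5a5a5au, .ack = c,
                                .flags = TH_SYN | TH_ACK };  /* wrong ACK; the SYN is not forwarded */
        return V_CHALLENGE;
    }
    if ((t->flags & TH_RST) && t->seq == c) {                /* RFC 793: RST carries SEQ = our bogus ACK */
        if (s->n < MAX_ALLOW) s->allow[s->n++] = t->saddr;
        return V_VALIDATED;
    }
    return V_DROP;                                           /* anything else from an unvalidated IP */
}

/* A real TCP stack in SYN-SENT (RFC 793 / RFC 9293): an unacceptable ACK is answered with
 * <SEQ=SEG.ACK><CTL=RST> and the SYN is retransmitted after the RTO; a correct one completes. */
int client_on_synack(const struct tcp4 *sa, uint32_t isn, struct tcp4 *rst) {
    if (sa->ack == isn + 1) return 0;
    *rst = (struct tcp4){ .saddr = sa->daddr, .daddr = sa->saddr, .sport = sa->dport,
                          .dport = sa->sport, .seq = sa->ack, .ack = 0, .flags = TH_RST };
    return 1;
}

/* Legitimate client followed by a spoofer; returns how many of the 8 expected outcomes held. */
int run_flow(void) {
    struct scrubber s = { .key = 0x0123456789abcdefULL, .n = 0 };
    struct tcp4 syn = { .saddr = 0xc0a80102u, .daddr = 0xc6336401u, .sport = 40000, .dport = 443,
                        .seq = 0x11223344u, .flags = TH_SYN }, reply, rst, forged;
    int ok = 0;
    ok += scrub(&s, &syn, &reply) == V_CHALLENGE;            /* 1: SYN from unknown IP is challenged */
    ok += reply.ack != syn.seq + 1;                          /* 2: the ACK number is wrong on purpose */
    ok += client_on_synack(&reply, syn.seq, &rst) == 1;      /* 3: a real stack answers with RST */
    ok += scrub(&s, &rst, &reply) == V_VALIDATED;            /* 4: RST matches the cookie: whitelisted */
    ok += scrub(&s, &syn, &reply) == V_PASS;                 /* 5: retransmitted SYN goes through */
    forged = syn; forged.saddr = 0x0a000005u; forged.seq = 7; /* spoofer using source 10.0.0.5 */
    ok += scrub(&s, &forged, &reply) == V_CHALLENGE;         /* 6: this challenge goes into the void */
    forged.flags = TH_RST; forged.seq = reply.ack + 1;       /* attacker never saw it, guesses blind */
    ok += scrub(&s, &forged, &reply) == V_DROP;              /* 7: wrong SEQ: not a matching RST */
    ok += !is_allowed(&s, forged.saddr);                     /* 8: spoofed IP is never whitelisted */
    return ok;
}

int main(void) { printf("%d/8 expected outcomes observed\n", run_flow()); return 0; }
```

The cookie is what makes the "matching RST" test cheap: the node recomputes it from the RST's 4-tuple and compares it with the RST's sequence number, so it needs no per-SYN table, which is exactly what a flood would otherwise exhaust.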
Scalable multi-path architecture
In distributed multi-path environments (e.g., using WECMP/UCMP groups, weighted or unequal-cost multipath), stateful filtering is usually a nightmare. oubliette solves this cleanly:
flowchart LR
C((Client)) -- Ingress --> E[Edge Router]
E --> O{oubliette}
O --> D[Distribution Router]
D --> S[Server]
S -- Return Traffic --> D
D -- Bypasses Scrubber --> E
E --> C
Because ECMP hashes on the flow's 5-tuple, the client's RST (same source and destination addresses and ports as its SYN) lands on the exact same scrubber node that generated the challenge, provided the ECMP group membership does not change in between. Later connections from that client use new source ports and may hash to a different node, so once a client is validated its whitelisted IP is synchronised across the cluster through a Redis cache backend. And because the scrubber only needs to see client-to-server traffic, asymmetric routing lets return traffic bypass the scrubbers completely.
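As an added illustration of why the whitelist has to be shared at all, here is a toy four-node scrubber cluster behind per-flow ECMP. It is not oubliette's code: the hash function (FNV-1a standing in for the router's hash), the node count, the addresses and the function names are this example's assumptions. It counts how often a single client gets challenged over many connections, first with a cluster-wide whitelist and then with per-node whitelists only.

```c
/* Added example, not oubliette's code: a toy 4-node scrubber cluster behind per-flow
 * ECMP. It shows why the client's RST lands on the node that challenged it (same
 * 4-tuple as the SYN) and why the whitelist must still be shared: every new connection
 * uses a fresh source port and may hash to a different node. Hash and node count are
 * this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NODES 4
#define MAX_ALLOW 16

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Stand-in for the router's per-flow hash: FNV-1a over the TCP 4-tuple. */
static uint32_t flow_hash(const struct flow *f) {
    uint32_t w[3] = { f->saddr, f->daddr, (uint32_t)f->sport << 16 | f->dport }, h = 0x811c9dc5u;
    for (int i = 0; i < 3; i++)
        for (int s = 0; s < 32; s += 8) { h ^= (w[i] >> s) & 0xff; h *= 0x01000193u; }
    return h;
}
int ecmp_node(const struct flow *f) { return (int)(flow_hash(f) % NODES); }

struct cluster { uint32_t allow[NODES][MAX_ALLOW]; int n[NODES]; int shared; };

static int allowed_on(const struct cluster *c, int node, uint32_t ip) {
    for (int i = 0; i < c->n[node]; i++) if (c->allow[node][i] == ip) return 1;
    return 0;
}
/* Whitelist on the validating node only, or on every node when state is shared
 * (the Redis backend in the post). */
static void whitelist_ip(struct cluster *c, int node, uint32_t ip) {
    for (int k = 0; k < NODES; k++)
        if ((c->shared || k == node) && c->n[k] < MAX_ALLOW) c->allow[k][c->n[k]++] = ip;
}

/* Drive one client through `conns` connections, each from a new ephemeral port, and return
 * how many times it was challenged. A challenge means: the SYN hit a node that did not know
 * the IP, the client's RST came back to that same node (same 4-tuple, so same hash), the node
 * whitelisted the IP, and the client's retransmitted SYN then passed. */
int challenges_for_client(uint32_t saddr, int conns, int shared) {
    struct cluster c; memset(&c, 0, sizeof c); c.shared = shared;
    struct flow f = { .saddr = saddr, .daddr = 0xc6336401u, .dport = 443 };
    int challenged = 0;
    for (int i = 0; i < conns; i++) {
        f.sport = (uint16_t)(49152 + i);
        int syn_node = ecmp_node(&f);
        if (allowed_on(&c, syn_node, saddr)) continue;    /* known IP: SYN forwarded as-is */
        challenged++;
        int rst_node = ecmp_node(&f);                     /* RST shares the SYN's 4-tuple */
        whitelist_ip(&c, rst_node, saddr);
    }
    return challenged;
}

int main(void) {
    printf("shared whitelist : %d challenge(s) over 1000 connections\n", challenges_for_client(0xc0a80102u, 1000, 1));
    printf("per-node only    : %d challenge(s) over 1000 connections\n", challenges_for_client(0xc0a80102u, 1000, 0));
    return 0;
}
```

With a shared whitelist the client pays the one-time handshake penalty exactly once; with per-node state it pays it once per node its connections happen to hash to, which is the operational cost the Redis synchronisation removes.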
Performance results
Early lab experiments running on commodity servers with SolarFlare NICs have yielded staggering results:
- Scrubbing at 99.99% of line rate when facing high-volume mixed attack traffic.
- Microsecond-level latency overhead for subsequent connections, with a one-time penalty of roughly 1 second on the very first handshake challenge (the client's initial SYN retransmission timeout).
- Fully optimized non-privileged deployment profiles.
The project is fully open source and scheduled for public launch in late Q2!