Kernel-Level Defense: How Radware Uses eBPF to Stop Volumetric Web DDoS Attacks


Web DDoS attacks have evolved into high-rate Layer 7 floods: tens of millions of legitimate-looking HTTP requests per second aimed at exhausting application resources and degrading availability. They are particularly challenging because they mimic normal user behavior at the application layer, which makes them difficult to detect and mitigate with traditional methods.

Radware addresses this evolving threat with a layered mitigation strategy that combines:

  • Advanced Layer 7 dynamic real-time signature-based mitigation
  • Real-time blocking based on L3-L5 attributes: IP address, GEO IP, and TLS fingerprinting
  • High-speed eBPF-based enforcement embedded in the Linux kernel of our proxies for efficient, large-scale mitigation

This approach combines precise attack detection and mitigation at the application layer with efficient enforcement at the OS level. It scales without adding operational overhead: all L3 to L7 mitigation activities run automatically, with no SOC/NOC team involvement required. The combined approach keeps “Time To Mitigate” below 10 seconds.

[Figure: Stopping Web DDoS Floods at Scale]

The Challenge: Volumetric Attacks at Layer 7

Unlike classic DDoS attacks that flood bandwidth or target transport protocols, Web DDoS floods use large volumes of seemingly valid HTTP requests to exhaust resources such as CPU, memory, and backend database capacity.

Key Characteristics:

  1. Distributed Across Thousands of Source IPs: Attackers use botnets to spread the attack across many IP addresses and geographies, so it cannot be stopped by blocklisting a few IPs or territories. This distribution rules out manual mitigation and requires automated detection and mitigation strategies.
  2. High Request Rates with Low Payloads: Attackers often use HTTP pipelining or rapid connection reuse to send a high volume of lightweight requests. Each request is cheap to send, but collectively they overwhelm application threads, queues, or worker pools.
  3. Mimic Legitimate Traffic: Attackers randomize their requests so that the attack traffic resembles normal user behavior, with valid paths, headers, and user-agent strings. Static signatures and manual mitigation are therefore ineffective; behavioral and statistical analysis is needed to automate mitigation.
  4. Bypasses Traditional Defenses: Because these attacks operate at Layer 7, they evade L3 and L4 volumetric defenses and rate-limiters. Effective mitigation requires insight into application-layer behavior, not just traffic volume. Even existing WAF L7 mechanisms such as JavaScript-based challenges fail, because attackers simply target paths within the application that do not execute JavaScript (for example /API endpoints and similar).

How Radware Detects and Mitigates the Flood

Our Web DDoS mitigation engine analyzes the Layer 7 patterns of incoming traffic across multiple dimensions to accurately identify and classify malicious traffic. This multi-faceted approach lets us detect and mitigate even the most sophisticated Web DDoS attacks.

Multi-Dimensional Layer 7 Traffic Analysis

Accurate Web DDoS attack detection and mitigation require analyzing traffic at Layer 7. Attackers increasingly use a variety of Web DDoS tools designed to generate ultra-high RPS attack traffic while evading mitigation systems. These tools employ extensive randomization across Layer 7 dimensions, including cookies and query arguments, making attack traffic appear legitimate. A single tool can generate millions of distinct transactions.

In some cases, multiple hacker groups coordinate attacks across multiple botnets, each using different tools. The result is a sophisticated, large-scale attack that challenges conventional mitigation systems globally. Any attempt at manual, human-based mitigation against these attacks inevitably fails.

Radware’s Multi-Dimensional L7 Analysis Approach

Radware’s Web DDoS solution performs intensive, multi-dimensional Layer 7 traffic analysis across a wide range of L7 attributes. We strongly advocate that only this comprehensive, multi-aspect approach can deliver the accuracy required for effective Web DDoS detection and mitigation.

Radware’s solution establishes rigorous Layer 7 traffic baselines to:

  • Detect abnormal surges in traffic while distinguishing legitimate flash crowds from attacks.
  • Accurately characterize attacker transactions, separating malicious traffic from legitimate flows.

These baselines enable the system to dynamically generate real-time Layer 7 signatures that precisely mitigate attacks as they evolve. Because attackers frequently change tactics, Radware’s dynamic signature system continuously adapts in real time, ensuring effective mitigation even against attempts to evade detection. This comprehensive baselining and dynamic signature generation delivers “zero-minute” and often “zero-second” mitigation, making it an industry-leading solution.

While this would be an ideal place to showcase real-life attack examples and the L7 signatures generated, we have chosen not to provide advanced insights that could aid adversaries in bypassing our defenses.

Global Enforcement and Efficient Mitigation

During an active attack, real-time Layer 7 signatures are generated centrally in Radware’s cloud services and are propagated globally to our Points of Presence (PoPs) within seconds. At each PoP, Radware’s proxy enforces Layer 7 mitigation with high precision.

However, while L7 mitigation is highly accurate, it carries a processing cost: every request must be terminated and inspected in user space. To address this, Radware has introduced combined mitigation: precise L7 intelligence drives efficient Layer 3 enforcement using eBPF on our proxies in the PoP.

This “best of both worlds” approach uses Layer 7 attacker profiling to select the sources, and then enforces on attributes that are common across Layers 3 to 7, including:

  • Attacker client IP addresses
  • GEO locations correlated with attacker IPs
  • TLS fingerprints

Using these dimensions, Radware’s Web DDoS system dynamically identifies and validates attacker sources at Layer 7, then blocks malicious traffic efficiently at Layer 3. This ensures legitimate client traffic remains unaffected. GEO-based blocking is further refined using peacetime traffic baselines, minimizing the risk of collateral impact during active mitigation.

Additionally, identifying and enforcing attacker TLS fingerprints enables precise packet-level blocking, improving mitigation efficiency without compromising the legitimate user experience. One caveat: a TLS fingerprint is only observable in the ClientHello, so enforcing on it at packet level means either parsing the ClientHello in the kernel program or attributing the fingerprint to its source and blocking that source.

Blocking at Scale: From L7 Mitigation to Kernel-Level Enforcement

Once a volumetric Web DDoS signature is confirmed, the next step is to block malicious traffic efficiently and cost-effectively at massive scale, without degrading performance for legitimate users. This is where our use of eBPF technology comes into play.

Dynamic List of Abusive Actors

Radware compiles a list of abusive sources in real time based on:

  • High-frequency IPs
  • GEO-based clusters
  • ASN-level insights
  • TLS or session fingerprints

These indicators allow precise targeting of malicious actors while preserving legitimate traffic.

Radware’s proprietary algorithms perform this classification within seconds, requiring no manual tuning and achieving fast, reliable mitigation while preserving service continuity for real users.

eBPF-Based Enforcement:

This curated list is enforced inside the proxy’s Linux kernel using eBPF (extended Berkeley Packet Filter) technology. This approach offers:

  1. High-Speed Packet Filters Installed Directly in the Proxy’s Linux Kernel: Malicious traffic is filtered in real time. eBPF filters run in the kernel and process traffic faster and more efficiently than user-space filtering.
  2. Malicious Traffic Dropped Before the Socket Layer: The filter drops packets in the kernel’s receive path, before a socket or proxy worker ever sees them, so they consume no proxy or application resources. This early-stage blocking ensures that malicious traffic does not impact server performance.
  3. Mitigation Scaled Across Multiple Proxies: Each proxy enforces the same block list in its own kernel, so blocking capacity grows with the number of proxies without introducing significant latency. This distributed filtering ensures that traffic is blocked efficiently across the network.

Benefits of In-Proxy Kernel Enforcement:

  • Fast, Efficient, and Accurate: Kernel-level eBPF filtering eliminates the overhead of user-space processing, enabling decisions to be made in microseconds. Filtering happens inline with packet reception, ensuring high throughput, minimal CPU usage, and deterministic performance under load.
  • Resilient to Attack Pattern Changes: By blocking at the source level, using IPs, GEOs, or behavioral clusters, the system remains effective even if the attacker changes HTTP paths, headers, or request patterns. This makes the mitigation invariant to superficial L7 evasion tactics; the remaining dependency is that the source list stays current as attackers rotate IPs, which the real-time L7 analysis handles without constant rule tuning.
  • Maintains Full Processing Power for Real Users Even During High-Rate Floods: By offloading the blocking to the kernel, we ensure that the proxy can continue to process legitimate traffic efficiently. This approach maintains server performance and availability during attacks.

This architecture allows us to handle millions of malicious requests per second with precision and efficiency where it matters most.

Under the Hood: How Radware Uses eBPF for High-Speed Blocking

To give technically inclined readers a clearer view, here’s how Radware uses eBPF and XDP in our PoP proxies to enforce high-scale Web DDoS mitigation with minimal overhead.

Enforcement Pipeline

L7 Detection Generates Accurate Source Intelligence

Radware’s L7 analysis identifies malicious actors based on:

  • Source IPs and GEOs
  • TLS fingerprints
  • Traffic behavior patterns

This intelligence is used to dynamically generate block signatures, which are pushed in real time to the PoP proxies.

Dynamic Block Maps in Kernel Space

Inside the proxy, Radware’s eBPF programs use BPF maps to maintain:

  • Blocklists of abusive IP addresses (ip4_to_app_id, ip6_to_app_id)
  • GEO signature maps (app_to_sig_geo)
  • TLS or behavioral signatures

These maps are updated in real time by a Go user-space control plane, so enforcement adapts as attacker patterns change.

XDP Program Logic

At the NIC level, Radware’s XDP eBPF program efficiently enforces filtering by:

  • Extracting IP and GEO information from each packet
  • Looking up the dynamic block maps
  • Applying a drop or pass decision
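As an added illustration (not Radware’s code, which the page does not show), the following C program models the pipeline just described: the three steps above and the drop-before-socket enforcement from the “eBPF-Based Enforcement” section. It keeps the shape of an XDP program (bounds-checked header parsing, map lookups, an XDP_DROP/XDP_PASS verdict) but runs in user space with the BPF maps replaced by arrays so it can be compiled and executed stand-alone. The map names ip4_to_app_id and app_to_sig_geo come from the page; their key/value layouts, the extra vip4_to_app_id and geo4 tables, the country indices, the block_source() control-plane write and every address are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Action codes with the values of the kernel's enum xdp_action. */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Map models. In the kernel these are BPF maps (hash maps for exact-match keys, an LPM
 * trie for prefixes, an array map for per-app data) written by the user-space control
 * plane; here they are plain arrays so the logic runs stand-alone. ip4_to_app_id and
 * app_to_sig_geo are names from the page; layouts, the vip4_to_app_id and geo4 tables,
 * the country indices and every address are assumptions constructed for this example. */
#define MAX_BLOCKED 256
#define MAX_APPS 16
struct ip4_to_app_id  { uint32_t saddr;  uint32_t app_id; };               /* abusive source -> app it is blocked for */
struct vip4_to_app_id { uint32_t daddr;  uint32_t app_id; };               /* protected VIP -> app id (1..MAX_APPS-1) */
struct geo4           { uint32_t prefix; uint8_t plen; uint8_t country; }; /* prefix -> country index, 0 = unknown */

static struct ip4_to_app_id ip4_map[MAX_BLOCKED] = { { IP4(203, 0, 113, 7), 1 } };
static size_t ip4_count = 1;
static const struct vip4_to_app_id vip_map[] = { { IP4(198, 51, 100, 10), 1 }, { IP4(198, 51, 100, 20), 2 } };
static const struct geo4 geo_map[] = { { IP4(192, 0, 2, 0), 24, 5 }, { IP4(203, 0, 113, 0), 24, 9 } };
static const uint64_t app_to_sig_geo[MAX_APPS] = { [1] = 1ULL << 5 };      /* app 1: bitmask of blocked countries */

/* Control-plane write: the equivalent of the Go control plane's bpf_map_update_elem(). */
bool block_source(uint32_t saddr, uint32_t app_id) {
    for (size_t i = 0; i < ip4_count; i++)
        if (ip4_map[i].saddr == saddr) { ip4_map[i].app_id = app_id; return true; }
    if (ip4_count == MAX_BLOCKED) return false;   /* map full: the control plane must evict first */
    ip4_map[ip4_count++] = (struct ip4_to_app_id){ saddr, app_id };
    return true;
}
static bool lookup_blocked(uint32_t saddr, uint32_t *app_id) {
    for (size_t i = 0; i < ip4_count; i++)
        if (ip4_map[i].saddr == saddr) { *app_id = ip4_map[i].app_id; return true; }
    return false;
}
static bool lookup_vip(uint32_t daddr, uint32_t *app_id) {
    for (size_t i = 0; i < sizeof vip_map / sizeof vip_map[0]; i++)
        if (vip_map[i].daddr == daddr) { *app_id = vip_map[i].app_id; return true; }
    return false;
}
static uint8_t lookup_country(uint32_t addr) {   /* longest-prefix match, as an LPM trie does */
    uint8_t best = 0; int best_len = -1;
    for (size_t i = 0; i < sizeof geo_map / sizeof geo_map[0]; i++) {
        const struct geo4 *e = &geo_map[i];
        bool hit = e->plen == 0 || ((addr ^ e->prefix) >> (32 - e->plen)) == 0;
        if (hit && e->plen > best_len) { best = e->country; best_len = e->plen; }
    }
    return best;
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* The per-packet decision, in the shape of the XDP program: every header is bounds-checked
 * against data_end before it is read (the BPF verifier rejects the program otherwise), and
 * anything the filter cannot classify is passed to the stack rather than dropped. */
int xdp_filter(const uint8_t *data, const uint8_t *data_end) {
    if (data_end - data < ETH_HLEN) return XDP_PASS;             /* runt frame: fail open */
    if (be16(data + 12) != ETH_P_IP) return XDP_PASS;            /* IPv6 takes the ip6_to_app_id path, not modelled here */
    const uint8_t *iph = data + ETH_HLEN;
    if (data_end - iph < 20 || (iph[0] >> 4) != 4) return XDP_PASS;
    uint32_t saddr = be32(iph + 12), daddr = be32(iph + 16);

    uint32_t app;
    if (!lookup_vip(daddr, &app) || app >= MAX_APPS) return XDP_PASS;   /* not a protected application */

    uint32_t blocked_for;                                        /* stage 1: confirmed abusive source, scoped to one app */
    if (lookup_blocked(saddr, &blocked_for) && blocked_for == app) return XDP_DROP;

    uint8_t cc = lookup_country(saddr);                          /* stage 2: GEO signature active for this app */
    if (cc != 0 && (app_to_sig_geo[app] & (1ULL << cc))) return XDP_DROP;
    return XDP_PASS;
}

/* Constructed test frame: Ethernet + minimal IPv4 header, no payload. */
size_t build_frame(uint8_t *buf, uint32_t saddr, uint32_t daddr) {
    memset(buf, 0, ETH_HLEN + 20);
    buf[12] = 0x08; buf[13] = 0x00;                              /* EtherType IPv4 */
    uint8_t *iph = buf + ETH_HLEN;
    iph[0] = 0x45; iph[3] = 20; iph[8] = 64; iph[9] = 6;         /* v4/IHL 5, total length, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        iph[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        iph[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    return ETH_HLEN + 20;
}
int decide(uint32_t saddr, uint32_t daddr) {                     /* build a frame and run the filter on it */
    uint8_t frame[ETH_HLEN + 20];
    size_t n = build_frame(frame, saddr, daddr);
    return xdp_filter(frame, frame + n);
}
```

In the real program the arrays become BPF_MAP_TYPE_HASH (exact-match keys), BPF_MAP_TYPE_LPM_TRIE (GEO prefixes) and BPF_MAP_TYPE_ARRAY (per-app data), xdp_filter takes a struct xdp_md and is attached with SEC("xdp"), and block_source is the control plane’s bpf_map_update_elem(); the decision logic is unchanged. Two points worth noticing: a blocked source is scoped to the application it was seen attacking rather than dropped globally, and malformed or non-IPv4 frames fail open to the stack, so a bug in the filter cannot itself become a denial of service.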

Why This Matters

By using eBPF on the proxy itself, we bring the enforcement:

  • Closer to the Attack: Enforcement happens at the earliest possible stage within the proxy's stack. By blocking traffic before it reaches user space, system resources, such as CPU, memory, and sockets are preserved for processing legitimate requests.
  • Deeper into the Stack, Maximizing Efficiency: eBPF operates at the kernel level, enabling low-overhead filtering directly within the networking layer. This reduces processing burden across the stack and allows each proxy instance to handle higher attack volumes with consistent performance.
  • Smarter in Scope, Targeting Only Confirmed Abusive Sources: Enforcement is based on signatures and real-time behavioral analysis. Only verified malicious IPs or GEO sources are blocked, ensuring precision without disrupting legitimate traffic or requiring coarse-grained rules.
  • Leverages Multi-Dimensional Packet-Level Context for Precise Blocking: eBPF enforcement filters traffic using a rich combination of attributes, including source IP and port, destination IP and service port, GEO-IP, ASN, and fingerprints. This deep, low-level context enables highly accurate, targeted mitigation, ensuring that only malicious traffic is blocked while preserving legitimate flows.

This architecture aligns with the needs of modern cloud-native infrastructure, offering speed, resilience, and distributed scalability.

Conclusion

Defending against volumetric Web DDoS attacks requires more than anomaly detection. It demands real-time enforcement exactly where the traffic enters your infrastructure.

Radware’s Cloud WAAP and Web DDoS protection platform combines:

  • Advanced Layer 7 behavioral detection and signature correlation
  • Real-time source clustering using IP, GEO, and TLS patterns
  • Kernel-level eBPF enforcement embedded in the proxy

Together, these technologies deliver precise, efficient, and scalable mitigation. Even during extreme floods, legitimate users remain unaffected and applications stay responsive.

Alexander Manilov