
Armand.nz


What Is eBPF and Why Does It Matter for Application Delivery and Security

#ebpf

Have you heard of eBPF? It’s a powerful technology that’s changing the game for application delivery and observability. In this blog post, we’ll explore what eBPF is, how it works, and why it matters for your organization. Whether you’re a developer, operations engineer, or security professional, understanding eBPF is essential for creating fast, secure, and reliable applications.

eBPF stands for “Extended Berkeley Packet Filter” and is a powerful technology that sits inside the Linux kernel. eBPF is a framework for running programs in kernel space without altering the kernel or loading kernel modules. These programs are attached to different kernel hooks and triggered by events such as a socket receiving data. For instance, eBPF lets you inspect and manipulate network packets and system events at runtime without requiring any changes to your application code. This means you can add powerful functionality to your applications without having to refactor your codebase.

An Analogy

Imagine the Linux kernel as a large, complex factory with various departments such as network processing, file system management, system calls, etc. Traditionally, if you wanted to change something in this factory, you’d need to alter the factory’s blueprints (the kernel source code) and rebuild the whole factory (recompile and reboot the kernel). This is complicated, risky, and disrupts the factory’s operations.

eBPF is like giving you a magic toolset that allows you to add or modify machinery within this running factory without having to stop or rebuild it. You can use this toolset to install little robots (eBPF programs) in specific departments of the factory (attach to certain kernel functions).

Each robot is built to perform a specific task, such as tracking how many products pass through a certain department (network packet processing, for example) or modifying how products are handled (manipulating network packets). The factory’s management (the kernel’s eBPF verifier) first thoroughly checks each robot to make sure it’s safe and won’t disrupt the factory’s operations.

Once a robot is approved and installed, it can do its job whenever it’s needed, and it can communicate with the outside world (user space) to report what it’s doing or receive instructions.

In this way, eBPF provides a flexible, safe, and efficient mechanism to modify the kernel’s behavior and monitor its operations without having to change the kernel’s source code or disrupt its operations.

Advantages

One of the key advantages of eBPF is its speed. Because it runs inside the kernel, eBPF can operate at almost line speed, allowing it to process large amounts of data quickly and efficiently. This makes it ideal for use cases that require high performance, such as packet filtering, load balancing, and traffic shaping.

eBPF comes with built-in security features. Whenever a process wants to load an eBPF program, the program must first pass through the eBPF verifier, which checks the safety of the program. This verification ensures, for instance, that the program will always run to completion: it rejects programs that could block or remain stuck in a loop indefinitely.
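To make the description above concrete, here is an added example (not code from the original post) of what one of those “robots” looks like: an XDP program that counts packets per IP protocol into a map that user space can read. It is written as ordinary C so it compiles and runs outside the kernel; in a real eBPF program the body of xdp_count_proto() would be compiled with clang -target bpf, ctx would be the kernel’s struct xdp_md, and proto_counts would be a BPF_MAP_TYPE_ARRAY read from user space. The frames it parses are constructed, and the bounds checks before every read are exactly what the verifier demands before it will load the program.

```c
/* Added example, not code from the original post: the shape of an XDP
 * program that counts packets per IP protocol. Plain C stand-in: in eBPF,
 * ctx is struct xdp_md, proto_counts is a BPF_MAP_TYPE_ARRAY, and the
 * program is compiled with clang -target bpf. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts an XDP program hands back to the driver (values as in linux/bpf.h). */
#define XDP_DROP 1
#define XDP_PASS 2

#define ETH_P_IP      0x0800
#define ETH_HLEN      14
#define IPV4_MIN_HLEN 20

/* Stand-in for struct xdp_md: the packet bytes lie in [data, data_end). */
struct xdp_md_sim {
    const uint8_t *data;
    const uint8_t *data_end;
};

/* Stand-in for a BPF array map indexed by IP protocol number (0..255).
 * Assumption: a user-space agent polls these counters; here they are globals. */
uint64_t proto_counts[256];

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse Ethernet + IPv4 and bump the counter for the transport protocol.
 * Every read is preceded by a check that the bytes lie inside the packet.
 * In-kernel code writes this as "if (data + ETH_HLEN > data_end)"; the
 * verifier rejects the program at load time if such a check is missing. */
int xdp_count_proto(const struct xdp_md_sim *ctx)
{
    const uint8_t *data = ctx->data;
    const uint8_t *data_end = ctx->data_end;

    if (data_end - data < ETH_HLEN)
        return XDP_PASS;                     /* runt frame: leave it to the stack */
    if (rd16be(data + 12) != ETH_P_IP)
        return XDP_PASS;                     /* not IPv4: nothing to count */

    const uint8_t *ip = data + ETH_HLEN;
    if (data_end - ip < IPV4_MIN_HLEN)
        return XDP_PASS;                     /* truncated IPv4 header */
    if ((ip[0] >> 4) != 4)
        return XDP_PASS;                     /* version field must be 4 */

    proto_counts[ip[9]]++;                   /* byte 9 = protocol: 6 TCP, 17 UDP */
    return XDP_PASS;                         /* observe only, never drop */
}

/* --- helpers for stand-alone runs: constructed frames, not captured traffic --- */

static uint8_t frame[64];

/* Build a minimal Ethernet+IPv4 frame carrying the given protocol number. */
size_t build_ipv4_frame(uint8_t *buf, uint8_t proto)
{
    memset(buf, 0, ETH_HLEN + IPV4_MIN_HLEN);
    buf[12] = 0x08; buf[13] = 0x00;          /* EtherType = IPv4 */
    buf[ETH_HLEN + 0] = 0x45;                /* version 4, IHL 5 (20 bytes) */
    buf[ETH_HLEN + 9] = proto;
    return ETH_HLEN + IPV4_MIN_HLEN;
}

int run_frame(uint8_t proto)
{
    size_t len = build_ipv4_frame(frame, proto);
    struct xdp_md_sim ctx = { frame, frame + len };
    return xdp_count_proto(&ctx);
}

/* A 10-byte frame: shorter than an Ethernet header, so parsing must stop. */
int run_runt_frame(void)
{
    build_ipv4_frame(frame, 6);
    struct xdp_md_sim ctx = { frame, frame + 10 };
    return xdp_count_proto(&ctx);
}

uint64_t count_for(uint8_t proto) { return proto_counts[proto]; }
int reset_counts(void) { memset(proto_counts, 0, sizeof proto_counts); return 0; }

int main(void)
{
    run_frame(17); run_frame(6); run_frame(6); run_runt_frame();
    printf("udp=%llu tcp=%llu\n",
           (unsigned long long)count_for(17), (unsigned long long)count_for(6));
    return 0;
}
```

The runt-frame case is the one that matters for safety: the program returns XDP_PASS without touching a single byte past the end of the buffer, which is the behaviour the verifier insists on statically rather than trusting the author to get right.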

eBPF offers flexibility in terms of allowing custom programs to be executed in the kernel without modifying the kernel’s source code or loading kernel modules. This feature makes eBPF suitable for a diverse range of tasks from security and networking to observability. Additionally, eBPF integrates seamlessly with many existing tools and frameworks in Linux, such as the traffic control command tc and orchestration systems like Kubernetes.

Disadvantages

eBPF is only available on Linux kernels, which can pose a challenge for teams using Kubernetes or containers that aren’t on Linux. However, eBPF is being developed for Windows.

Of course, there are also security concerns - Linux malware using eBPF is a growing concern among security experts due to recent CVE reports and research presented at conferences like DEF CON and Black Hat. See specific examples in this blog post.

Implementing security checks and enforcing them on eBPF programs can increase complexity. Writing and debugging eBPF programs may be difficult because of the limitations placed on these programs, such as the prohibition of loops.

Examples

eBPF can be used in various ways to enhance performance, security, and observability. Here are a few examples of how eBPF can be leveraged in application delivery solutions:

Load Balancing

eBPF programs can be used to implement load-balancing algorithms directly in the kernel. By capturing and analyzing network traffic, eBPF can distribute incoming requests across backend servers based on factors such as server health, capacity, or request characteristics. This allows for efficient load balancing without the need for an external load balancer. Katran is a C++ library and BPF program that implements a high-performance layer 4 load-balancing forwarding plane. It does this by using the XDP infrastructure already present in the kernel, which enables fast packet processing inside the kernel itself.
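As an added example (not Katran’s code), the following shows the decision a layer 4 load balancer in XDP makes for each packet: the connection 5-tuple is hashed so every packet of a flow lands on the same backend, and backends that a user-space health checker has marked unhealthy are skipped. Katran uses Maglev consistent hashing and keeps its tables in BPF maps; this stand-alone C version uses FNV-1a and plain arrays so it runs anywhere, and all backend and client addresses are constructed.

```c
/* Added example, not Katran's code: backend selection for a layer-4 load
 * balancer. Plain C stand-in: in eBPF the pool would be a BPF map and the
 * program would rewrite the packet before returning XDP_TX. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define XDP_DROP 1
#define XDP_TX   3            /* send the rewritten packet back out the same NIC */
#define MAX_BACKENDS 8

struct backend {
    uint32_t ip;              /* IPv4, host byte order */
    uint16_t port;
    int healthy;              /* updated via a map by the user-space health checker */
};

struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* Constructed backend pool (stand-in for a BPF_MAP_TYPE_ARRAY). */
struct backend pool[MAX_BACKENDS] = {
    { 0x0A000001, 8080, 1 },  /* 10.0.0.1 */
    { 0x0A000002, 8080, 1 },  /* 10.0.0.2 */
    { 0x0A000003, 8080, 1 },  /* 10.0.0.3 */
};
size_t pool_len = 3;

/* FNV-1a over the 5-tuple, hashed field by field (never over struct padding).
 * Fixed-count loops like these are acceptable to the verifier. */
uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t words[3] = { k->src_ip, k->dst_ip,
                          ((uint32_t)k->src_port << 16) | k->dst_port };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) {
            h ^= (words[i] >> (8 * b)) & 0xffu;
            h *= 16777619u;
        }
    h ^= k->proto;
    h *= 16777619u;
    return h;
}

/* Start at hash % N and walk to the first healthy backend. Only flows that
 * hashed onto a failed backend move; every other flow keeps its backend.
 * Returns the pool index, or -1 when no backend is healthy. */
int pick_backend(const struct flow_key *k)
{
    if (pool_len == 0)
        return -1;
    size_t start = flow_hash(k) % pool_len;
    for (size_t i = 0; i < pool_len; i++) {
        size_t idx = (start + i) % pool_len;
        if (pool[idx].healthy)
            return (int)idx;
    }
    return -1;
}

/* The XDP verdict: forward to the chosen backend, or drop when none is up.
 * A real program rewrites the destination (Katran encapsulates in IPIP)
 * before returning XDP_TX; the header rewrite is omitted here. */
int lb_verdict(const struct flow_key *k)
{
    return pick_backend(k) >= 0 ? XDP_TX : XDP_DROP;
}

/* --- helpers for stand-alone runs (constructed client flows to VIP 10.0.0.254) --- */

int set_healthy(int idx, int healthy)
{
    if (idx < 0 || (size_t)idx >= pool_len) return -1;
    pool[idx].healthy = healthy;
    return 0;
}

int pick_for(uint32_t src_ip, uint16_t src_port)
{
    struct flow_key k = { src_ip, 0x0A0000FE, src_port, 443, 6 };
    return pick_backend(&k);
}

int verdict_for(uint32_t src_ip, uint16_t src_port)
{
    struct flow_key k = { src_ip, 0x0A0000FE, src_port, 443, 6 };
    return lb_verdict(&k);
}

/* Take a flow's backend down, check the flow moves to another healthy backend, restore. */
int failover_demo(void)
{
    int before = pick_for(0xC0A80001, 40000);
    set_healthy(before, 0);
    int after = pick_for(0xC0A80001, 40000);
    set_healthy(before, 1);
    return after != before && after >= 0 && pool[after].healthy;
}

int main(void)
{
    for (uint16_t p = 40000; p < 40005; p++)
        printf("client port %u -> backend %d\n", p, pick_for(0xC0A80001, p));
    printf("failover ok: %d\n", failover_demo());
    return 0;
}
```

The “walk forward to the next healthy backend” rule is what ties the health factor into the hash: a backend failure only re-homes the flows that were on it, which is the property Katran’s consistent hashing provides more rigorously for large pools.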

Traffic Shaping

eBPF enables fine-grained control over network traffic by allowing you to modify packets in real time. With eBPF, you can implement traffic-shaping algorithms to prioritize certain types of traffic or enforce bandwidth limits. This can be particularly useful in ensuring fair distribution of resources and preventing congestion in application delivery scenarios. An example is Cilium’s Bandwidth Manager (also in the enterprise implementation by Isovalent), which optimizes bandwidth and latency with rate limiting and fair queuing, using TCP congestion control algorithm optimization at the eBPF layer.

Security and DDoS Mitigation

eBPF can be used to implement network security measures directly in the kernel. By analyzing packets at high speed, eBPF programs can detect and block malicious traffic patterns, identify DDoS attacks, or apply access control policies. This helps protect applications and infrastructure from various security threats. An example is NGINX App Protect DoS, which uses eBPF to detect and stop malicious traffic, increasing efficiency and conserving resources. It drops traffic at Layer 4, accelerating DDoS mitigation before the traffic reaches Layer 7. It identifies and blocks attackers based on the source IP address or TLS fingerprint.
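The rate-limiting idea from the traffic-shaping section and the Layer 4 drop described here share one mechanism, so one added example (not NGINX’s or Cilium’s code) covers both: a per-source-IP token bucket that drops sources exceeding a packet rate, plus an explicit blocklist, evaluated before the kernel stack ever sees the packet. It is plain C so it runs anywhere; in eBPF the per-source table would be a BPF_MAP_TYPE_LRU_HASH, now_ns would come from bpf_ktime_get_ns(), and src_ip would already have been parsed out of the frame with the usual bounds checks. All addresses and timings are constructed.

```c
/* Added example, not NGINX's or Cilium's code: a layer-4 policy of the kind
 * an XDP program applies per packet. Plain C stand-in for an eBPF program
 * whose state lives in a BPF_MAP_TYPE_LRU_HASH keyed by source IP. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XDP_DROP 1
#define XDP_PASS 2

#define RATE_PPS     1000ULL                 /* sustained packets per second per source */
#define BURST        200ULL                  /* packets a source may send at once */
#define NS_PER_SEC   1000000000ULL
#define PKT_COST_NS  (NS_PER_SEC / RATE_PPS) /* refill time one packet costs: 1 ms */
#define BUCKET_CAP   (BURST * PKT_COST_NS)

#define TABLE_SIZE     64                    /* constructed: tiny direct-mapped stand-in */
#define BLOCKLIST_SIZE 16

/* Credit is kept in nanoseconds of refill time, so the bucket needs only
 * integer arithmetic (eBPF programs have no floating point). */
struct bucket {
    uint32_t ip;
    uint64_t credit_ns;
    uint64_t last_ns;
    int used;
};

struct bucket table[TABLE_SIZE];
uint32_t blocklist[BLOCKLIST_SIZE];
size_t blocklist_len;

int reset_state(void)
{
    memset(table, 0, sizeof table);
    blocklist_len = 0;
    return 0;
}

/* Add a source to the blocklist; in eBPF, user space would write this map. */
int block_ip(uint32_t ip)
{
    if (blocklist_len >= BLOCKLIST_SIZE)
        return -1;
    blocklist[blocklist_len++] = ip;
    return 0;
}

static int is_blocked(uint32_t ip)
{
    for (size_t i = 0; i < blocklist_len; i++)
        if (blocklist[i] == ip)
            return 1;
    return 0;
}

/* Direct-mapped lookup: a collision evicts the old entry, a crude cousin of
 * what an LRU hash map does when it fills up. */
static struct bucket *lookup(uint32_t ip, uint64_t now_ns)
{
    struct bucket *b = &table[ip % TABLE_SIZE];
    if (!b->used || b->ip != ip) {
        b->ip = ip;
        b->credit_ns = BUCKET_CAP;           /* a new source starts with a full burst */
        b->last_ns = now_ns;
        b->used = 1;
    }
    return b;
}

/* The per-packet decision. */
int l4_policy(uint32_t src_ip, uint64_t now_ns)
{
    if (is_blocked(src_ip))
        return XDP_DROP;

    struct bucket *b = lookup(src_ip, now_ns);
    uint64_t elapsed = now_ns > b->last_ns ? now_ns - b->last_ns : 0;
    b->credit_ns += elapsed;
    if (b->credit_ns > BUCKET_CAP)
        b->credit_ns = BUCKET_CAP;
    b->last_ns = now_ns;

    if (b->credit_ns < PKT_COST_NS)
        return XDP_DROP;                     /* over rate: dropped at layer 4 */
    b->credit_ns -= PKT_COST_NS;
    return XDP_PASS;
}

/* Send n packets from one source at the same instant; returns how many passed. */
int send_burst(uint32_t src_ip, uint64_t now_ns, int n)
{
    int passed = 0;
    for (int i = 0; i < n; i++)
        if (l4_policy(src_ip, now_ns) == XDP_PASS)
            passed++;
    return passed;
}

int main(void)
{
    reset_state();
    printf("burst of 300 from 10.0.0.5: %d passed\n", send_burst(0x0A000005, 0, 300));
    printf("one more 1 ms later: %s\n",
           l4_policy(0x0A000005, PKT_COST_NS) == XDP_PASS ? "pass" : "drop");
    return 0;
}
```

Because the decision runs before any socket buffer is allocated, a flood from one source costs the host one map lookup and a few integer operations per packet, which is why dropping at Layer 4 conserves resources compared with letting the traffic reach Layer 7. Other sources keep their own buckets and are unaffected.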

Observability and Monitoring

Using eBPF for observability is a secure and isolated approach that enhances the visibility and accuracy of infrastructure and network events. This method does not disrupt operations and can be exported to centralized platforms, making troubleshooting and observability easier. Additionally, when using eBPF for distributed tracing or in Kubernetes, deeper insights into events can be gathered and custom metrics can be collected and aggregated from various system sources. The Pixie platform, which was acquired by New Relic, is an open-source observability platform that is native to Kubernetes and works within the cluster. This platform allows for quick and effortless visibility into Kubernetes workloads without requiring manual instrumentation.
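As an added example (not Pixie’s code), the following shows the histogram pattern behind most eBPF tracing tools: a probe at function or syscall entry records the start timestamp keyed by thread id, the matching exit probe looks it up, computes the latency and increments a power-of-two bucket, and user space reads the buckets to render a distribution or compute percentiles. It is a plain C stand-in: in eBPF the start table is a BPF_MAP_TYPE_HASH, the histogram a BPF_MAP_TYPE_ARRAY, timestamps come from bpf_ktime_get_ns() and the thread id from bpf_get_current_pid_tgid(). All samples are constructed.

```c
/* Added example, not Pixie's code: entry/exit probes feeding a log2 latency
 * histogram, the pattern behind tools like bpftrace's hist(). Plain C
 * stand-in for eBPF maps and helpers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NBUCKETS    64
#define START_SLOTS 1024

uint64_t hist[NBUCKETS];                     /* bucket i counts latencies in [2^i, 2^(i+1)) ns */

struct start_rec {
    uint32_t tid;
    uint64_t ns;
    int used;
};
struct start_rec starts[START_SLOTS];        /* direct-mapped stand-in for a hash map */

int reset_hist(void)
{
    memset(hist, 0, sizeof hist);
    memset(starts, 0, sizeof starts);
    return 0;
}

/* floor(log2(ns)); 0 and 1 both land in bucket 0. eBPF programs write this
 * as a fixed chain of shifts and compares so the verifier sees bounded work. */
unsigned log2_bucket(uint64_t ns)
{
    unsigned b = 0;
    while (ns > 1) {
        ns >>= 1;
        b++;
    }
    return b < NBUCKETS ? b : NBUCKETS - 1;
}

/* Entry probe: remember when this thread started the call. */
int on_entry(uint32_t tid, uint64_t now_ns)
{
    struct start_rec *s = &starts[tid % START_SLOTS];
    s->tid = tid;
    s->ns = now_ns;
    s->used = 1;
    return 0;
}

/* Exit probe: returns the bucket incremented, or -1 when no start was seen
 * (the probe was attached while the call was already in flight, or the slot
 * was reused by another thread, which a real hash map would not suffer). */
int on_exit(uint32_t tid, uint64_t now_ns)
{
    struct start_rec *s = &starts[tid % START_SLOTS];
    if (!s->used || s->tid != tid)
        return -1;
    s->used = 0;
    uint64_t latency = now_ns > s->ns ? now_ns - s->ns : 0;
    unsigned b = log2_bucket(latency);
    hist[b]++;
    return (int)b;
}

uint64_t hist_count(unsigned bucket) { return bucket < NBUCKETS ? hist[bucket] : 0; }

/* The bucket containing the pct-th percentile, as user space computes it
 * after reading the map; -1 if the histogram is empty. */
int bucket_at_percentile(unsigned pct)
{
    uint64_t total = 0, seen = 0;
    for (unsigned i = 0; i < NBUCKETS; i++)
        total += hist[i];
    if (total == 0)
        return -1;
    uint64_t need = (total * pct + 99) / 100;   /* ceiling of total*pct/100 */
    for (unsigned i = 0; i < NBUCKETS; i++) {
        seen += hist[i];
        if (seen >= need)
            return (int)i;
    }
    return NBUCKETS - 1;
}

/* Record n calls of the given latency from one thread (constructed samples). */
int record_samples(uint32_t tid, int n, uint64_t latency_ns)
{
    int ok = 0;
    for (int i = 0; i < n; i++) {
        uint64_t t0 = (uint64_t)i * 1000000;     /* arbitrary start times */
        on_entry(tid, t0);
        if (on_exit(tid, t0 + latency_ns) >= 0)
            ok++;
    }
    return ok;
}

int main(void)
{
    reset_hist();
    record_samples(7, 9, 1500);
    record_samples(7, 1, 100000);
    for (unsigned i = 0; i < 20; i++)
        if (hist[i])
            printf("[%10llu, %10llu) %llu\n", 1ULL << i, 1ULL << (i + 1),
                   (unsigned long long)hist[i]);
    printf("p90 bucket: %d\n", bucket_at_percentile(90));
    return 0;
}
```

The -1 return from the exit probe is worth keeping: when a tracing program is attached while calls are already in flight, the first exits have no matching entry, and silently counting them would skew the distribution toward zero.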

Conclusion

In this blog post, we have discussed what eBPF is, why it matters, and how it provides several benefits over traditional methods of monitoring and securing applications. Its versatility, efficiency, and security capabilities make it an ideal technology for modern application environments. As a sales engineer, I strongly recommend that you explore eBPF and its potential to transform your application delivery and security strategy.

