Radware Ltd.

07/17/2025 | Press release | Distributed by Public on 07/17/2025 10:39

Kernel-Level Defense: How Radware Uses eBPF to Stop Volumetric Web DDoS Attacks

Web DDoS attacks have evolved into high-rate, Layer 7 floods generating tens of millions of legitimate-looking HTTP requests per second aiming to exhaust application resources and degrade its availability. These attacks are particularly challenging because they mimic normal user applicative behavior, making them extremely difficult to detect and mitigate using traditional methods.

Radware addresses this evolving threat with a layered mitigation strategy that combines:

  • Advanced Layer 7 dynamic real-time signature-based mitigation
  • Real-time blocking based on L3-L5 attributes: IP address, GEO IP, and TLS fingerprinting
  • High-speed eBPF-based enforcement embedded in our proxy kernel for efficient, large-scale mitigation

This approach enables precise attack detection and mitigation at the application layer genuinely combined with efficient enforcement at the OS level. It delivers high scalability without introducing any operational overhead, all L3 to L7 mitigation activities are done automatically without any need for SOC/NOC teams' involvement. This combined mitigation approach keeps the "Time To Mitigate" performance at the level of less than 10 seconds.

The Challenge: Volumetric Attacks at Layer 7

Unlike classic DDoS attacks that flood bandwidth or target transport protocols, Web DDoS floods use large volumes of seemingly valid HTTP requests to exhaust resources like CPU, memory, backend database capacity, and others.

Key Characteristics:

  • Distributed Across Thousands of Source IPs: Attackers use botnets to distribute the attack across many IP addresses and geographies, making it harder to block by simply blacklisting a few IPs or Territories. This distribution complicates mitigation, eliminates approaches of manual mitigation activities, and requires advanced detection and mitigation strategies.
  • High Request Rates with Low Payloads: In many cases, attackers use HTTP pipelining or rapid connection reuse to send a high volume of lightweight requests. While each request is inexpensive to send, collectively they overwhelm application threads, queues, or worker pools.
  • Mimic Legitimate Traffic: Attackers are using randomization such that their attack traffic resembles normal user behavior, with valid paths, headers, and user-agent strings. This makes signature-free, or manual, mitigation ultimately difficult without using behavioral and statistical analysis to automate mitigation.
  • Bypasses Traditional Defenses: Because these attacks operate at Layer 7, they evade L3 and L4 volumetric defenses and rate-limiters. Effective mitigation requires insight into application-layer behavior, not just traffic volume. Even exiting WAF L7 mechanisms, like JS based challenges, fail as attackers are able to bypass such JS based challenges by simply attacking paths within the application that do not support JS (like /API and similar).

How Radware Detects and Mitigates the Flood

Our Web DDoS mitigation engine analyzes incoming traffic Layer 7 patterns across multiple dimensions to accurately identify and classify malicious traffic. This multi-faceted approach ensures that we can detect and mitigate even the most sophisticated WEB DDoS attacks.

Traffic Analysis Dimensions: Multi-Dimensional Layer 7 Traffic Analysis

Accurate Web DDoS attack detection and mitigation require analyzing traffic at Layer 7. Attackers increasingly use a variety of Web DDoS tools designed to generate ultra-high RPS attack traffic while evading mitigation systems. These tools employ extensive randomization across Layer 7 dimensions, including cookies and query arguments, making attack traffic appear legitimate. A single tool can generate millions of distinct transactions.

In some cases, multiple hacker groups coordinate attacks across multiple botnets, each using different tools. The result is a sophisticated, large-scale attack that challenges conventional mitigation systems globally. Any attempt at manual, human-based mitigation against these attacks inevitably fails.

Radware's Multi-Dimensional L7 Analysis Approach

Radware's Web DDoS solution performs intensive, multi-dimensional Layer 7 traffic analysis across a wide range of L7 attributes. We strongly advocate that only this comprehensive, multi-aspect approach can deliver the accuracy required for effective Web DDoS detection and mitigation.

Radware's solution establishes rigorous Layer 7 traffic baselines to:

  • Detect abnormal surges in traffic while distinguishing legitimate flash crowds from attacks.
  • Accurately characterize attacker transactions, separating malicious traffic from legitimate flows.

These baselines enable the system to dynamically generate real-time Layer 7 signatures that precisely mitigate attacks as they evolve. Because attackers frequently change tactics, Radware's dynamic signature system continuously adapts in real time, ensuring effective mitigation even against attempts to evade detection. This comprehensive baselining and dynamic signature generation delivers "zero-minute" and often "zero-second" mitigation, making it an industry-leading solution.

While this would be an ideal place to showcase real-life attack examples and the L7 signatures generated, we have chosen not to provide advanced insights that could aid adversaries in bypassing our defenses.

Global Enforcement and Efficient Mitigation

During an active attack, real-time Layer 7 signatures are generated centrally in Radware's cloud services and are propagated globally to our Points of Presence (PoPs) within seconds. At each PoP, Radware's proxy enforces Layer 7 mitigation with high precision.

However, while L7 mitigation is highly accurate, it inherently carries operational costs due to its complexity. To address this, Radware has introduced combined mitigation capabilities: leveraging precise L7 intelligence to drive efficient Layer 3 enforcement using eBPF on our proxies in the PoP.

This "best of both worlds" approach leverages precise Layer 7 attacker profiling to enable efficient Layer 3 enforcement. Radware's system utilizes common attributes across Layers 3 to 7 for enforcement, including:

  • Attacker client IP addresses
  • GEO locations correlated with attacker IPs
  • TLS fingerprints

Using these dimensions, Radware's Web DDoS system dynamically identifies and validates attacker sources at Layer 7, then blocks malicious traffic efficiently at Layer 3. This ensures legitimate client traffic remains unaffected. GEO-based blocking is further refined using peacetime traffic baselines, minimizing the risk of collateral impact during active mitigation.

Additionally, identifying and enforcing attacker TLS fingerprints enables precise packet-level blocking, enhancing mitigation efficiency without compromising legitimate user experience.

Blocking at Scale: From L7 Mitigation to Kernel-Level

Enforcement

Once a volumetric Web DDoS signature is confirmed, the next step is to block malicious traffic efficiently and cost-effectively at massive scale, without degrading performance for legitimate users. This is where our use of eBPF technology comes into play.

Dynamic List of Abusive Actors

Radware compiles a list of abusive sources in real time based on:

  • High-frequency IPs
  • GEO-based clusters
  • ASN-level insights
  • TLS or session fingerprints

These indicators allow precise targeting of malicious actors while preserving legitimate traffic.

Radware's proprietary algorithms perform this classification within seconds, requiring no manual tuning and achieving fast, reliable mitigation while preserving service continuity for real users.

eBPF-Based Enforcement:

This curated list is enforced inside the proxy's Linux kernel using eBPF (extended Berkeley Packet Filter) technology. This approach offers:

  1. Install High-Speed Packet Filters Directly in the Proxy's Linux Kernel: This allows for real-time filtering of malicious traffic. eBPF filters operate at the kernel level, providing faster and more efficient traffic processing.
  2. Drop Malicious Traffic at the Socket Layer: By blocking traffic at the socket layer, we prevent it from consuming any proxy or application resources. This early-stage blocking ensures that malicious traffic does not impact server performance.
  3. Scale Mitigation Across Multiple Proxies providing "unlimited" scale: eBPF allows us to scale our mitigation efforts across multiple proxies without introducing significant latency. The distributed nature of eBPF filtering ensures that traffic is blocked efficiently across the network.

Benefits of In-Proxy Kernel Enforcement:

  • Fast, Efficient, and Accurate: Kernel-level eBPF filtering eliminates the overhead of user-space processing, enabling decisions to be made in microseconds. Filtering happens inline with packet reception, ensuring high throughput, minimal CPU usage, and deterministic performance under load.
  • Resilient to Attack Pattern Changes: By blocking at the source level-using IPs, GEOs, or behavioral clusters-the system remains effective even if the attacker changes HTTP paths, headers, or request patterns. This makes the mitigation strategy invariant to superficial L7 evasion tactics, ensuring long-term effectiveness without constant rule tuning.
  • Maintains Full Processing Power for Real Users Even During High-Rate Floods: By offloading the blocking to the kernel, we ensure that the proxy can continue to process legitimate traffic efficiently. This approach maintains server performance and availability during attacks.

This architecture allows us to handle millions of malicious requests per second with precision and efficiency where it matters most.

Under the Hood: How Radware Uses eBPF for High-Speed Blocking

To give technically inclined readers a clearer view, here's how Radware uses eBPF and XDP in our PoP proxies to enforce high-scale Web DDoS mitigation with minimal overhead.

Enforcement Pipeline

L7 Detection Generates Accurate Source Intelligence

Radware's L7 analysis identifies malicious actors based on:

  • Source IPs and GEOs
  • TLS fingerprints
  • Traffic behavior patterns

This intelligence is used to dynamically generate block signatures, which are pushed in real-time to PoP proxies.

Dynamic Block Maps in Kernel Space

Inside the proxy, Radware's eBPF programs use BPF maps to maintain:

  • Blocklists of abusive IP addresses (ip4_to_app_id, ip6_to_app_id)
  • GEO signature maps (app_to_sig_geo)
  • TLS or behavioral signatures

These maps are updated in real time by Golang user-space control planes, ensuring dynamic adaptation to attacker pattern changes.

XDP Program Logic

At the NIC level, Radware's XDP eBPF program efficiently enforces filtering by:

  • Extracting IP and GEO Information:
  • Looking Up Dynamic Block Maps:
  • Applying Drop or Pass Decisions:

Why This Matters

By using eBPF on the proxy itself, we bring the enforcement:

  • Closer to the Attack: Enforcement happens at the earliest possible stage within the proxy's stack. By blocking traffic before it reaches user space, system resources, such as CPU, memory, and sockets are preserved for processing legitimate requests.
  • Deeper into the Stack, Maximizing Efficiency: eBPF operates at the kernel level, enabling low-overhead filtering directly within the networking layer. This reduces processing burden across the stack and allows each proxy instance to handle higher attack volumes with consistent performance.
  • Smarter in Scope, Targeting Only Confirmed Abusive Sources: Enforcement is based on signatures and real-time behavioral analysis. Only verified malicious IPs or GEO sources are blocked, ensuring precision without disrupting legitimate traffic or requiring coarse-grained rules.
  • Leverages Multi-Dimensional Packet-Level Context for Precise Blocking: eBPF enforcement filters traffic using a rich combination of attributes, including source IP and port, destination IP and service port, GEO-IP, ASN, and fingerprints. This deep, low-level context enables highly accurate, targeted mitigation, ensuring that only malicious traffic is blocked while preserving legitimate flows.

This architecture aligns with the needs of modern cloud-native infrastructure, offering speed, resilience, and distributed scalability.

Conclusion

Defending against volumetric Web DDoS attacks requires more than anomaly detection. It demands real-time enforcement exactly where the traffic enters your infrastructure.

Radware's Cloud WAAP and Web DDoS protection platform combines:

  • Advanced Layer 7 behavioral detection and signature correlation
  • Real-time source clustering using IP, GEO, and TLS patterns
  • Kernel-level eBPF enforcement embedded in the proxy

Together, these technologies deliver precise, efficient, and scalable mitigation. Even during extreme floods, legitimate users remain unaffected and applications stay responsive.

Posted in: Application Protection
Radware Ltd. published this content on July 17, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 17, 2025 at 16:39 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at support@pubt.io