XDP Rate Limiting (Enterprise)¶
Enterprise MarchProxy includes high-performance XDP-based rate limiting for traffic control and DDoS protection.
Overview¶
XDP (eXpress Data Path) rate limiting operates at the network driver level, providing:
- Ultra-high performance: Process packets before they hit the kernel network stack
- Low latency: Microsecond-level response times
- Efficient resource usage: Minimal CPU overhead
- Programmable filtering: eBPF-based rule engine
- Real-time statistics: Per-IP and global rate limiting metrics
Features¶
Rate Limiting Types¶
Per-IP Rate Limiting¶
- Track and limit packets per source IP address
- Configurable time windows (1 second to 1 hour)
- Automatic cleanup of expired entries
- Configurable maximum tracked IPs
Global Rate Limiting¶
- System-wide packet rate limits
- Protection against volumetric attacks
- Configurable burst allowances
- Integration with cluster-wide policies
Actions¶
When rate limits are exceeded, XDP can take the following actions:
- DROP: Silently drop packets (default)
- PASS: Allow packets to continue (monitoring mode)
- BOUNCE: Return ICMP destination unreachable
Configuration¶
Rate limiting is configured through the Manager portal:
Basic Settings¶
- Enable Rate Limiting: Toggle XDP rate limiting on/off
- Global Rate Limit: Maximum packets per second globally
- Per-IP Rate Limit: Maximum packets per second per IP
- Time Window: Evaluation period (1-3600 seconds)
- Action on Exceed: What to do when limits are exceeded
Advanced Settings¶
- Burst Size: Allow short bursts above the rate limit
- Cleanup Interval: How often to clean expired IP entries
- Max Tracked IPs: Maximum number of IPs to track simultaneously
- Hash Table Size: eBPF map size for IP tracking
Performance Characteristics¶
Throughput¶
- Without Rate Limiting: ~25 Gbps (XDP baseline)
- With Rate Limiting: ~20 Gbps (4 Gbps overhead)
- Packet Rate: Up to 30 million packets per second
Memory Usage¶
- Base Overhead: ~512 KB for eBPF programs and maps
- Per-IP Tracking: ~24 bytes per tracked IP address
- Maximum Memory: Configurable based on max tracked IPs
Latency Impact¶
- Additional Latency: < 1 microsecond per packet
- Map Lookup Time: ~100 nanoseconds
- Statistical Updates: ~50 nanoseconds
Configuration Examples¶
Basic DDoS Protection¶
```yaml
rate_limiting:
  enabled: true
  global_rate_limit: 1000000   # 1M packets/sec
  per_ip_rate_limit: 10000     # 10k packets/sec per IP
  time_window: 1               # 1 second window
  action: "drop"               # Drop exceeding packets
  burst_size: 100              # Allow 100 packet bursts
```
Monitoring Mode¶
```yaml
rate_limiting:
  enabled: true
  global_rate_limit: 5000000   # Higher limit for monitoring
  per_ip_rate_limit: 50000     # Monitor only, don't block
  time_window: 10              # 10 second window
  action: "pass"               # Let all packets through
  collect_stats: true          # Collect statistics only
```
Strict Protection¶
```yaml
rate_limiting:
  enabled: true
  global_rate_limit: 500000    # Strict global limit
  per_ip_rate_limit: 1000      # Very strict per-IP limit
  time_window: 1               # 1 second evaluation
  action: "drop"               # Drop immediately
  burst_size: 10               # Small burst allowance
  max_tracked_ips: 100000      # Track many IPs
```
Management Interface¶
Dashboard Overview¶
The rate limiting dashboard provides:
- Real-time Statistics: Current packet rates and drop counts
- Top Talkers: Highest traffic source IPs
- Historical Graphs: Rate limiting effectiveness over time
- Configuration Status: Current settings and eBPF program status
Monitoring Metrics¶
Global Metrics¶
- xdp_total_packets: Total packets processed
- xdp_dropped_packets: Total packets dropped
- xdp_passed_packets: Total packets passed
- xdp_current_pps: Current packets per second
Per-IP Metrics¶
- xdp_tracked_ips: Number of currently tracked IPs
- xdp_top_talkers: Top source IPs by packet rate
- xdp_blocked_ips: IPs currently being rate limited
Real-time Controls¶
- Enable/Disable: Toggle rate limiting on/off
- Adjust Limits: Modify rate limits without restart
- Reset Statistics: Clear collected statistics
- Whitelist IPs: Exclude specific IPs from rate limiting
Integration¶
License Validation¶
- Automatically disabled on Community Edition
- Enterprise license validation before activation
- Graceful degradation if license expires
Cluster Support¶
- Cluster-wide rate limiting policies
- Per-cluster configuration inheritance
- Independent rate limiting per cluster
Alerting Integration¶
- Prometheus metrics export
- Grafana dashboard templates
- Alert rules for rate limiting events
Troubleshooting¶
Common Issues¶
eBPF Program Load Failures¶
```bash
# Check kernel eBPF support (lists loaded programs, including the XDP one)
sudo bpftool prog list
# Verify XDP support on the interface (an attached program shows as "xdp" in the output)
sudo ip link show dev eth0
# Check kernel log messages about BPF (the kernel logs "bpf", not "ebpf")
sudo dmesg | grep -i bpf
```
Performance Issues¶
```bash
# Monitor CPU usage
top -p $(pidof marchproxy-proxy)
# Check network interface statistics
sudo ethtool -S eth0
# Monitor eBPF map usage
sudo bpftool map list
```
Statistics Not Updating¶
```bash
# Verify eBPF program is loaded
curl http://localhost:8080/admin/ebpf/status
# Check rate limiting configuration
curl http://localhost:8080/admin/rate-limiting/config
# Test with traffic generator
iperf3 -c target-ip -u -b 100M
```
Performance Tuning¶
Kernel Configuration¶
```bash
# Enable the eBPF JIT compiler and export JITed symbols (append once; the sysctl keys live under net.core)
echo 'net.core.bpf_jit_enable = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.core.bpf_jit_kallsyms = 1' | sudo tee -a /etc/sysctl.conf
# Optimize network buffers
echo 'net.core.rmem_max = 134217728' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 134217728' | sudo tee -a /etc/sysctl.conf
# Apply settings
sudo sysctl -p
```
Interface Optimization¶
```bash
# Enable hardware TC offload (if the NIC supports it)
sudo ethtool -K eth0 hw-tc-offload on
# Optimize ring buffers
sudo ethtool -G eth0 rx 4096 tx 4096
# Disable interrupt coalescing for lowest latency (at the cost of higher CPU usage)
sudo ethtool -C eth0 rx-usecs 0 tx-usecs 0
```
API Reference¶
Get Rate Limiting Status¶
Update Configuration¶
```bash
curl -X POST http://localhost:8080/api/v1/rate-limiting/config \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "global_rate_limit": 1000000,
    "per_ip_rate_limit": 10000,
    "time_window": 1,
    "action": "drop"
  }'
```
Get Statistics¶
Reset Statistics¶