SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Ireland
Cloudflare uses eBPF to boost edge security & routing

Cloudflare uses eBPF to boost edge security & routing

Thu, 16th Jul 2026 (Today)
Sofiah Nichole Salivio
SOFIAH NICHOLE SALIVIO News Editor

Cloudflare has outlined how it uses eBPF across its edge network for DDoS mitigation, networking, firewalling, load balancing and observability. The technology is now a core part of its infrastructure.

The internet infrastructure group described eBPF as a way to extend Linux kernel functions without relying on custom kernel modules or proprietary networking hardware. It has applied the approach across systems that inspect traffic, route sockets, trace performance issues and restart some services without downtime.

One of the main uses is DDoS defence. Cloudflare uses an XDP-based system called L4Drop to discard malicious traffic early, before packets reach the main kernel networking layer.

According to the company, the system can drop more than 10 million packets per second on a single CPU core. It added that the wider setup mitigated a 31.4 Tbps attack and a separate attack that peaked at 14.1 billion packets per second without human intervention.

Kernel changes

Cloudflare's work has not been limited to internal deployment. It contributed the sk_lookup eBPF hook to the Linux kernel and built a programmable socket routing system called Tubular on top of it.

That work addressed a scaling problem linked to Anycast networking and the handling of millions of IP addresses. Rather than depend on older Linux socket models and workarounds, Cloudflare can now route traffic to services more flexibly while allowing services to share IPs and ports at large scale.

The same technology has also been used in its firewall products. eBPF programs embedded in firewall processing pipelines support packet inspection, protocol validation and policy enforcement beyond its previous tooling.

Observability tools

Another strand of the deployment focuses on operational visibility. Cloudflare said standard observability tools did not give engineers enough detail about kernel-level behaviour, latency distributions or packet flows during incidents.

To address that, it built and deployed eBPF-based observability tools, including ebpf_exporter and tracing systems that collect latency histograms, kernel metrics, distributed tracing data and packet-level debugging information directly from the kernel.

Those tools helped engineers identify problems that traditional methods could not detect, including kernel race conditions, packet corruption, hidden latency spikes of more than 500 milliseconds and fragmentation buffer exhaustion.

Cloudflare also pointed to two other systems built with eBPF: udpgrm, which supports zero-downtime restarts for UDP services, and flowtrackd, which provides stateful TCP flow tracking for DDoS protection. Together, they reflect a broader effort to move networking and security logic closer to the kernel while keeping it changeable during operations.

Reducing complexity

The shift to eBPF let Cloudflare replace a mix of legacy systems, custom kernel patches and hardware-dependent designs with a more unified software model. Moving away from some kernel-bypass technologies also improved hardware flexibility across network interface card suppliers and server architectures.

That matters for operators running large distributed networks, where dependence on specific hardware can shape procurement choices and operational consistency. By placing more functionality inside standard Linux-based systems, companies can reduce the number of separate components needed to deliver security, traffic management and diagnostics.

Cloudflare also said it used eBPF-based load balancing to implement what it called "soft-unicast", a method that allows a single IPv4 address to be shared across dozens of physical servers. It said this helped it deal with IPv4 address scarcity inside its network.

The case illustrates how eBPF has moved beyond observability into production networking and security roles at large internet operators. Originally developed in the Linux ecosystem as a programmable framework for running sandboxed code in the kernel, eBPF is increasingly being used to alter how traffic is filtered, routed and measured without changing the kernel itself.

Cloudflare adopted eBPF because it wanted a vendor-neutral approach that could unify networking, security and observability functions within Linux. The result, it said, was a system that could be updated dynamically across its edge network without downtime or kernel instability.

It added that local detection through its dosd system now deploys mitigation rules in seconds rather than minutes, and that engineers can diagnose issues that had previously remained invisible in production environments.

"Today, eBPF powers critical networking, observability, and security services across Cloudflare's global edge infrastructure."