What XDP is
XDP stands for eXpress Data Path. It allows packet handling to happen at a very early stage in the Linux networking stack, before packets travel through the rest of the kernel network path.
That matters because every additional layer adds overhead. Under DDoS conditions, especially with small packets, reducing that overhead is often more important than anything else.
Why it is useful for mitigation
DDoS filtering is usually constrained by packet rate, not just by bandwidth. XDP allows filters to make a decision before the packet reaches conntrack, iptables, nftables or userspace collectors.
If the packet can be dropped immediately, the rest of the system never has to pay the cost of processing it.
What XDP is good at
- Early drops for obvious attack traffic
- Simple stateless packet validation
- Rate limiting and signature-based filtering
- High PPS handling with minimal per-packet work
What limits performance
XDP is fast, but not unlimited. Performance depends heavily on NIC behavior, driver support, queue layout, CPU topology, map design and how much logic is executed for each packet.
Simple drop logic scales far better than complex stateful behavior. Large dynamic maps, repeated lookups, packet rewriting and checksum generation all reduce throughput.
Typical processing model
match / validate / rate-limit → XDP_DROP or XDP_PASS
Why early filtering wins
Once traffic is pushed into connection tracking, firewall state or userspace handling, the cost per packet increases sharply. That is exactly what high-PPS floods try to exploit.
XDP helps because it keeps the decision path short. The earlier the packet is dropped, the more capacity remains for legitimate traffic.
Where XDP fits
XDP is not a full replacement for every filtering layer. It is strongest as the first stage: fast path filtering, basic classification, rate limiting and early rejection.
More precise or stateful logic can still exist later in the pipeline, but the expensive path should only see traffic that already survived the cheap one.