by LinuXY 4712 days ago
We chose SolarFlare+Onload over Intel with pf_ring+DNA or DPDK mainly because of the fully featured TCP stack. While it may make sense for us to develop our own in the future, it does not currently. Additionally, the SolarFlare cards gave us the benefit of 16MB buffers, which could allow us to go with switches that have shallow buffers (cheaper). There's also processing done on an FPGA on the card itself, which allows us to drop packets on the card before they reach the machine altogether, which is /really/ a boon under DDoS. SolarFlare has been a great partner in their willingness to work on our (non-standard) use case, which is something that is hard to find when dealing with larger vendors.
2 comments

How often are you experiencing DDoS attacks?

(I fully understand designing for the event - but the emphasis on it in the post makes it seem that you're under constant threat. I am assuming it is your customers that are actually being DDoS'd and Cloudflare just needs to be built up to stand against DDoS in this case??)

It is usually our customers who are attacked, but that hits our network so we need to be able to mitigate it. Last week we saw 163 "significant" attacks (which is a fairly typical week). A "significant" attack is one that generally exceeds 10Gbps, 5M PPS, or finds another way to affect other customers to the point that our ops team is alerted.
Has Cloudflare done any testing with CoDel and bufferbloat?