eBPF-Based Real-Time DDoS Mitigation for IoT Edge Devices
Abdurrahman Tolay

TL;DR
This paper introduces an eBPF/XDP-based framework for real-time DDoS mitigation on IoT edge devices, demonstrating high effectiveness and minimal impact on legitimate traffic in both simulated and real-world tests.
Contribution
It presents a novel lightweight in-kernel DDoS mitigation system specifically designed for resource-constrained IoT edge devices using eBPF and XDP technologies.
Findings
Over 97% mitigation effectiveness against 100 Mbps floods
Legitimate traffic remains unaffected during attacks
System maintains stability under high network load
Abstract
The rapid expansion of the Internet of Things (IoT) has intensified security challenges, notably from Distributed Denial of Service (DDoS) attacks launched by compromised, resource-constrained devices. Traditional defenses are often ill-suited for the IoT paradigm, creating a need for lightweight, high-performance, edge-based solutions. This paper presents the design, implementation, and evaluation of an IoT security framework that leverages the extended Berkeley Packet Filter (eBPF) and the eXpress Data Path (XDP) for in-kernel mitigation of DDoS attacks. The system uses a rate-based detection algorithm to identify and block malicious traffic at the earliest stage of the network stack. The framework is evaluated using both Docker-based simulations and real-world deployment on a Raspberry Pi 4, showing over 97% mitigation effectiveness under a 100 Mbps flood. Legitimate traffic remains…
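The abstract describes the detector only as "rate-based": per-source packet counting at the XDP hook, with a drop verdict once a source exceeds a threshold. The following is an added example, not code from the paper or its authors. It models that per-packet decision in userspace C so the logic can be read and run without a kernel, BPF toolchain or root: the hash table stands in for a BPF hash map keyed by IPv4 source address, `now_ns` stands in for `bpf_ktime_get_ns()`, and the verdict values match `XDP_DROP`/`XDP_PASS` from `<linux/bpf.h>`. The 1 s window, the 1000 packets/s threshold, the table size and the 10.0.0.x addresses are assumptions chosen for illustration; the paper does not state its parameters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict codes with the same values as XDP_DROP / XDP_PASS in <linux/bpf.h>,
 * redefined here so this userspace model compiles without kernel headers. */
enum xdp_verdict { XDP_DROP = 1, XDP_PASS = 2 };

/* Assumed parameters (the paper gives no numbers): a 1 s fixed window and a
 * budget of 1000 packets per source per window. */
#define WINDOW_NS     1000000000ULL
#define PPS_THRESHOLD 1000ULL
#define TABLE_SIZE    1024

/* Per-source state, what a BPF hash map value keyed by saddr would hold. */
struct rate_entry {
    uint32_t saddr;            /* IPv4 source address, host byte order */
    uint64_t window_start_ns;  /* start of the current counting window */
    uint64_t count;            /* packets seen from saddr in this window */
    int      in_use;
};

static struct rate_entry table[TABLE_SIZE];

void reset_table(void) { memset(table, 0, sizeof table); }

/* Open-addressing lookup standing in for bpf_map_lookup_elem() followed by
 * bpf_map_update_elem(). Returns NULL when the table is full, which mirrors
 * a failed map update in the kernel. */
static struct rate_entry *lookup_or_create(uint32_t saddr)
{
    uint32_t h = (saddr * 2654435761u) % TABLE_SIZE;   /* multiplicative hash */
    for (int probe = 0; probe < TABLE_SIZE; probe++) {
        struct rate_entry *e = &table[(h + probe) % TABLE_SIZE];
        if (!e->in_use) {
            e->in_use = 1;
            e->saddr = saddr;
            e->window_start_ns = 0;
            e->count = 0;
            return e;
        }
        if (e->saddr == saddr)
            return e;
    }
    return NULL;
}

/* The per-packet decision an XDP program would make after parsing the
 * Ethernet and IPv4 headers: charge the packet to its source's window and
 * drop once the source exceeds PPS_THRESHOLD within that window. */
enum xdp_verdict xdp_rate_limit(uint32_t saddr, uint64_t now_ns)
{
    struct rate_entry *e = lookup_or_create(saddr);
    if (!e)
        return XDP_PASS;   /* map full: fail open instead of black-holing new sources */

    if (e->count == 0 || now_ns - e->window_start_ns >= WINDOW_NS) {
        e->window_start_ns = now_ns;   /* first packet, or window expired: start fresh */
        e->count = 0;
    }
    e->count++;
    return e->count > PPS_THRESHOLD ? XDP_DROP : XDP_PASS;
}

struct flood_result { uint64_t attacker_dropped; uint64_t legit_dropped; };

/* Constructed traffic (not measurements from the paper): one source sends
 * 1500 packets within 150 ms while a legitimate host sends 20 in the same span. */
struct flood_result run_flood_demo(void)
{
    const uint32_t attacker = 0x0A000002u;  /* 10.0.0.2, assumed */
    const uint32_t legit    = 0x0A000003u;  /* 10.0.0.3, assumed */
    struct flood_result r = {0, 0};
    reset_table();
    for (uint64_t i = 0; i < 1500; i++) {
        uint64_t t = 100000000ULL + i * 100000ULL;   /* one packet every 100 us */
        if (xdp_rate_limit(attacker, t) == XDP_DROP)
            r.attacker_dropped++;
        if (i % 75 == 0 && xdp_rate_limit(legit, t) == XDP_DROP)
            r.legit_dropped++;
    }
    return r;
}

int main(void)
{
    struct flood_result r = run_flood_demo();
    printf("attacker packets dropped: %llu, legitimate packets dropped: %llu\n",
           (unsigned long long)r.attacker_dropped,
           (unsigned long long)r.legit_dropped);
    return 0;
}
```

In a real XDP program this decision sits behind bounds-checked `ethhdr`/`iphdr` parsing that the BPF verifier demands, and the table would be a `BPF_MAP_TYPE_LRU_HASH` (or a per-CPU variant) so that a flood of spoofed source addresses evicts old entries instead of filling the map and forcing the fail-open path modelled above. That same property is the limit of any source-keyed rate detector: a flood in which each spoofed source sends only a handful of packets never crosses a per-source threshold, so rate limiting per source should be combined with an aggregate or per-destination budget.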
Taxonomy
Topics: Network Security and Intrusion Detection · IoT and Edge/Fog Computing · Software-Defined Networks and 5G
