
Recent kernel updates led by Google engineer Eric Dumazet, and first reported by Michael Larabel (Phoronix), show that Linux 6.18 delivers significant improvements in how servers handle high-rate DDoS traffic.
The work focuses on optimising the UDP receive path under stress—scenarios where multiple CPU cores handle massive packet floods targeting one or more sockets. Dumazet’s changes reduce lock contention and improve how packets are queued and processed across NUMA nodes, leading to much better scalability and stability during DDoS events.
What changed in Linux 6.18
The patch series reorganises several parts of the UDP and IPv6 stack for greater efficiency. Socket structures were streamlined to improve cache locality, while shared spinlocks were replaced with per-socket and per-NUMA-node lockless queues. This allows each CPU to handle incoming packets independently, reducing contention and making it possible to process traffic in batches without significant latency penalties.
The update also adopts skb_attempt_defer_free(), a mechanism that previously improved TCP performance and is now applied to UDP for better memory handling under load. Together, these low-level changes reduce CPU overhead when many cores process concurrent packet streams.
Performance under DDoS conditions
Testing on a six-NUMA-node Intel Xeon platform demonstrated a 47% increase in UDP receive throughput during simulated DDoS attacks. The host processed an additional 14.2 million packets per second compared to previous kernel versions.
These improvements mean that Linux systems can now sustain higher packet rates before dropping traffic or experiencing congestion within the networking stack. Legitimate packets are less likely to be delayed or lost, even as total packet volume surges.
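To check whether a host is actually shedding UDP traffic in the receive path, an operator can diff the Udp counters in /proc/net/snmp across a sampling interval. The script below is an added example, not code from the article, the kernel patches or FastNetMon; it uses two constructed snapshots and assumes the Udp counter names found in current kernels and a 10-second interval.

```python
from typing import Dict

# Two constructed /proc/net/snmp snapshots taken 10 s apart (sample data,
# not a real capture). Only the Udp rows matter here; real files also carry
# Ip/Icmp/Tcp rows, which the parser skips.
SNAPSHOT_T0 = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 9000000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 5000000 120 400 300000 400 0 0 0 0
"""
SNAPSHOT_T1 = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 40000000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 29000000 120 2400400 300500 2400000 0 400 0 0
"""
INTERVAL_S = 10.0  # assumed sampling interval between the two snapshots


def parse_snmp(text: str, proto: str = "Udp") -> Dict[str, int]:
    """Return one protocol's counters from /proc/net/snmp text.

    Each protocol appears as a 'Proto:' header line naming the counters,
    followed by a second 'Proto:' line carrying the matching values."""
    rows = [ln.split()[1:] for ln in text.splitlines() if ln.startswith(proto + ":")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError(f"malformed {proto} block")
    return dict(zip(rows[0], map(int, rows[1])))


def udp_receive_report(t0: str, t1: str, interval_s: float) -> Dict[str, float]:
    """Rates and drop ratio for the UDP receive path between two snapshots."""
    a, b = parse_snmp(t0), parse_snmp(t1)
    d = {k: b[k] - a[k] for k in a}           # counters only ever grow
    delivered, errors = d["InDatagrams"], d["InErrors"]
    seen = delivered + errors                  # datagrams that reached a socket
    return {
        "delivered_pps": delivered / interval_s,
        "dropped_pps": errors / interval_s,
        "rcvbuf_drop_pps": d["RcvbufErrors"] / interval_s,
        "drop_ratio": errors / seen if seen else 0.0,
        # Share of drops caused by a full socket receive queue rather than
        # bad checksums etc.; a value near 1.0 means the receive path itself
        # is the bottleneck, which is what the Linux 6.18 work targets.
        "rcvbuf_share": d["RcvbufErrors"] / errors if errors else 0.0,
    }


if __name__ == "__main__":
    for k, v in udp_receive_report(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S).items():
        print(f"{k:>16}: {v:,.3f}")
```

On a live host, replace the constructed strings with two reads of /proc/net/snmp spaced by the interval; a rising rcvbuf_share during a flood is the signal that the socket receive path, not upstream filtering, is where packets are being lost.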
Implications for operators
For operators running Linux-based servers, these kernel changes provide a stronger foundation before any external mitigation kicks in. Services that rely on high-volume UDP traffic—such as DNS resolvers, game servers, or real-time applications—will see more predictable behaviour under flood conditions without additional tuning.
By reducing unnecessary CPU contention and dropped-packet noise, the update also improves the quality of network telemetry. This translates into cleaner signal data for tools such as FastNetMon, allowing for more accurate detection and faster response during attack events.
A quiet but meaningful milestone
Linux 6.18 is expected to become the next Long-Term Support (LTS) kernel release, meaning these improvements will soon reach most enterprise and cloud environments. While not a replacement for dedicated mitigation measures, the changes make Linux inherently more resilient—absorbing more attack traffic before defences need to activate.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com