We have finalized a comprehensive hardening update across our entire network stack. Our packet processing pipeline has been fully migrated to XDP native mode, so traffic is evaluated at wire speed inside the NIC driver's receive path, before the kernel allocates an sk_buff or the packet enters the network stack. Packets we do not want are dropped at that point, which reduces per-packet overhead significantly and improves responsiveness under high concurrency. Native mode depends on driver support: we attach with the xdpdrv mode rather than the plain xdp mode, so a driver without XDP support fails loudly instead of silently falling back to generic (skb) mode, where the program only runs after the sk_buff has been built and the speed advantage is lost.
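The following XDP program is an added illustration, not the project's own code, of the kind of check that runs at this point in the pipeline. It is written so the verdict logic is plain C: built with clang for the bpf target it attaches to a NIC in native mode, and built with an ordinary host compiler the same function can be unit-tested. The rules it applies (drop runt frames, drop IPv4 fragments, drop UDP/53 datagrams too short to carry a DNS header, pass everything else to the stack) are assumptions chosen for the example, as are the interface name and the sample frame, which is constructed rather than captured.

```c
/* xdp_doh_filter.c: illustrative XDP filter, not the project's program.
 * NIC build:   clang -O2 -g -target bpf -c xdp_doh_filter.c -o xdp_doh_filter.o
 * Attach:      ip link set dev eth0 xdpdrv obj xdp_doh_filter.o sec xdp   (native mode, fails if unsupported)
 * Host build:  cc -Wall -c xdp_doh_filter.c  (only the verdict logic and sample builder are compiled) */
#include <stdint.h>
#include <stddef.h>

#ifdef __BPF__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
/* Host build: stand-ins for the kernel's XDP return codes and context struct. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };
struct xdp_md { uint32_t data; uint32_t data_end; };
#define SEC(name)
#endif

#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_UDP   17
#define DNS_PORT       53
#define DNS_HDR_LEN    12   /* fixed DNS header: id, flags, four section counts */

struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                  uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_hdr  { uint16_t source, dest, len, check; } __attribute__((packed));

#define INLINE static inline __attribute__((always_inline))

INLINE uint16_t be16(uint16_t v)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
    return __builtin_bswap16(v);
#else
    return v;
#endif
}

/* Verdict logic. Every header is bounds-checked against data_end before it is read;
 * the in-kernel verifier rejects the program if any access is not provably in bounds. */
INLINE int doh_filter_verdict(const void *data, const void *data_end)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end)
        return XDP_DROP;                        /* runt frame */
    if (be16(eth->proto) != ETHERTYPE_IPV4)
        return XDP_PASS;                        /* ARP, IPv6 etc.: leave to the stack */

    const struct ipv4_hdr *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end)
        return XDP_DROP;
    if ((ip->ver_ihl >> 4) != 4 || (ip->ver_ihl & 0x0f) < 5)
        return XDP_DROP;                        /* malformed IPv4 header */
    if (be16(ip->frag_off) & 0x3fff)
        return XDP_DROP;                        /* MF set or offset != 0: fragments cannot be inspected here */
    if (ip->protocol != IP_PROTO_UDP)
        return XDP_PASS;                        /* TCP (DoH/DoT), ICMP: handled by the stack */

    const struct udp_hdr *udp = (const void *)((const uint8_t *)ip + (ip->ver_ihl & 0x0f) * 4);
    if ((const void *)(udp + 1) > data_end)
        return XDP_DROP;
    if (be16(udp->dest) == DNS_PORT && be16(udp->len) < sizeof(*udp) + DNS_HDR_LEN)
        return XDP_DROP;                        /* UDP/53 datagram with no room for a DNS header */
    return XDP_PASS;
}

SEC("xdp")
int xdp_doh_filter(struct xdp_md *ctx)
{
    return doh_filter_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}

#ifdef __BPF__
char _license[] SEC("license") = "GPL";
#else
/* Constructed sample frame (not captured traffic): Ethernet + IPv4 + UDP + 12-byte DNS header.
 * frag_off, dport and udp_len are written into it and the frame is cut to wire_len bytes, so one
 * builder exercises the fragment, runt-query and truncated-frame paths. */
int sample_verdict(uint16_t frag_off, uint16_t dport, uint16_t udp_len, size_t wire_len)
{
    uint8_t buf[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* eth, IPv4 */
        0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,          /* ihl=5, UDP */
        10,0,0,1, 10,0,0,2,
        0xc0,0x00, 0x00,0x35, 0x00,0x14, 0x00,0x00,                                /* sport, 53, len 20 */
        0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00 };        /* DNS header */
    buf[20] = frag_off >> 8; buf[21] = frag_off & 0xff;
    buf[36] = dport >> 8;    buf[37] = dport & 0xff;
    buf[38] = udp_len >> 8;  buf[39] = udp_len & 0xff;
    if (wire_len > sizeof buf) wire_len = sizeof buf;
    return doh_filter_verdict(buf, buf + wire_len);
}
#endif
```

The host build is what makes the example useful beyond the NIC: the same bounds-check discipline the verifier enforces is exercised against frames that are truncated, fragmented, or too short to be a query, and the return values can be asserted before the object is ever loaded into a kernel.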
On the cryptographic side, we have tightened our TLS configuration. All CBC-based cipher suites have been removed, leaving only modern AEAD suites (AES-GCM and ChaCha20-Poly1305); this closes off the padding-oracle attacks, such as Lucky 13, that the MAC-then-encrypt CBC construction in TLS is prone to. Session tickets have been disabled: a ticket is encrypted under a long-lived server-side key, and compromise of that key would expose every session resumed with it, so every connection now performs a full (EC)DHE handshake and derives fresh keys. The cost is a full handshake on every connection instead of an abbreviated resumption. We have also tuned our HTTP/2 stream handling and connection limits for better resilience under load.
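As an added example (not the project's configuration; the announcement does not name the server software), here is how these settings look in nginx, with the permissive defaults they replace shown for contrast and the post-reload checks a practitioner would run. The hostname, certificate paths, zone names, rate and stream values and the /dns-query backend are assumptions; the http2 directive needs nginx 1.25.1 or newer and ssl_conf_command needs 1.19.4 or newer with OpenSSL 1.1.1 or newer.

```nginx
# Before (assumed prior state, i.e. nginx defaults):
#   ssl_ciphers HIGH:!aNULL:!MD5;        # default list still admits CBC suites
#   ssl_session_tickets on;              # default: tickets encrypted under one long-lived key
#   http2_max_concurrent_streams 128;    # default

http {
    # Per-client request and connection budgets for the DoH endpoint (values are assumptions).
    limit_req_zone  $binary_remote_addr zone=doh_req:10m rate=50r/s;
    limit_conn_zone $binary_remote_addr zone=doh_conn:10m;

    server {
        listen 443 ssl;
        http2 on;                                   # nginx >= 1.25.1
        server_name doh.example.net;                # placeholder name

        ssl_certificate     /etc/ssl/doh.pem;       # placeholder paths
        ssl_certificate_key /etc/ssl/doh.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        # TLS 1.2: AEAD-only and ECDHE-only; every CBC suite and every non-PFS suite is gone.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        # TLS 1.3 suites are AEAD by design; pin the order anyway (nginx >= 1.19.4, OpenSSL >= 1.1.1).
        ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

        # No session tickets: every connection does a full (EC)DHE handshake, and there is no
        # ticket-encryption key whose compromise could unlock earlier sessions.
        ssl_session_tickets off;

        http2_max_concurrent_streams 32;            # down from the default 128

        location /dns-query {
            limit_req  zone=doh_req burst=100 nodelay;
            limit_conn doh_conn 20;
            proxy_pass http://127.0.0.1:8053;       # placeholder resolver backend
        }
    }
}

# Checks after reload (expected results):
#   openssl s_client -connect doh.example.net:443 -tls1_2 -cipher ECDHE-RSA-AES256-SHA384 </dev/null
#       -> "alert handshake failure": the CBC suite is refused
#   openssl s_client -connect doh.example.net:443 -tls1_3 </dev/null | grep 'New Session Ticket'
#       -> no "Post-Handshake New Session Ticket arrived" line: no ticket is issued
```

The two s_client checks are the ones worth automating: a cipher-suite list is only as good as what the server actually negotiates, and ssl_session_tickets off has to be verified against TLS 1.3 separately, since ticket issuance there is a post-handshake message rather than part of the handshake itself.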
We have completed a major infrastructure hardening cycle, migrating our packet processing pipeline to XDP native mode and modernizing our TLS configuration to eliminate weak cipher suites.
Highlights
- XDP native mode: wire-speed packet processing at the NIC driver level
- Removed all CBC cipher suites (AES-128-CBC, AES-256-CBC)
- Disabled TLS session tickets for strict forward secrecy
- HTTP/2 concurrent stream limits tightened
- Connection and request rate limits rebalanced for DoH workloads