Abstract

For the last year, we've been working hard to optimize CloudFlare's infrastructure to survive different types of denial of service attacks. If you have plenty of servers, the usual advice of "buy more bandwidth" may be sufficient, but it certainly wasn't useful to us. At some point you need to do _something_ with the incoming traffic, and the servers have only so many CPU cycles. In this talk, we'll share our experiences in defending our services. We'll go through many layers, from flowspec and sflow, to ethtool tweaks, kernel bypass techniques, iptables examples and useful sysctls. We'll touch on details such as: why increasing backlog queue size may hurt you, why your servers can't send more than 200k syn cookies per second, how to stop a botnet with iptables ipsets and hashlimits, when enabling conntrack makes sense, and how to process 10M pps on a single commodity server. Our favorite defense techniques use BPF, so we will spend a fair bit of time discussing this. We'll discuss what we tried, what worked, what didn't, and why some of the technically sound ideas turned out to be totally impractical. Our experience is in defending HTTP/S and DNS services, on which this talk will focus, but our techniques are applicable to the usual variety of DDoSes like Chargen, SSDP, NTP or DNS reflection.
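The abstract mentions stopping a botnet with iptables hashlimits and ipsets. The following is an added example, not code from the talk or from CloudFlare: a small Python model of the per-source token bucket that `-m hashlimit --hashlimit-mode srcip` applies to each source IP, run over a constructed packet trace, with the sources that exceed the limit emitted as the `ipset add` entries a block list would be fed from. The rate, burst, threshold and set name are assumptions chosen for illustration; the sample addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# The iptables rule this models (hashlimit matches packets ABOVE the rate):
#   iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 100/sec \
#       --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name dnsflood -j DROP


@dataclass
class Bucket:
    tokens: float  # credits left for this source
    last: float    # timestamp of the last packet seen from it


class SourceRateLimiter:
    """Per-source token bucket with the same semantics as hashlimit:
    each source starts with `burst` credits, earns `rate_pps` per second
    (capped at `burst`), and every packet costs one credit."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate = float(rate_pps)
        self.burst = float(burst)
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src: str, now: float) -> bool:
        b = self.buckets.get(src)
        if b is None:
            b = Bucket(tokens=self.burst, last=now)
            self.buckets[src] = b
        else:
            b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False  # would be matched by --hashlimit-above and dropped


def count_drops(packets, rate_pps, burst):
    """Replay (timestamp, src) records in time order; return drops per source."""
    limiter = SourceRateLimiter(rate_pps, burst)
    drops = defaultdict(int)
    for ts, src in sorted(packets):
        if not limiter.allow(src, ts):
            drops[src] += 1
    return dict(drops)


def offenders(packets, rate_pps, burst, min_drops):
    """Sources dropped at least `min_drops` times: candidates for an ipset block list."""
    drops = count_drops(packets, rate_pps, burst)
    return sorted(src for src, n in drops.items() if n >= min_drops)


def ipset_commands(sources, setname="blocklist", timeout=600):
    """Build the `ipset add` lines that would feed a timed block set
    (matched by e.g. `-m set --match-set blocklist src -j DROP`)."""
    return [f"ipset add {setname} {src} timeout {timeout}" for src in sources]


def sample_packets():
    """Constructed trace: one flooding source at 1000 pps for one second,
    one ordinary client at 5 pps. Not captured data."""
    pkts = [(i / 1000.0, "203.0.113.7") for i in range(1000)]
    pkts += [(i / 5.0, "198.51.100.2") for i in range(5)]
    return pkts


if __name__ == "__main__":
    bad = offenders(sample_packets(), rate_pps=100, burst=200, min_drops=100)
    for line in ipset_commands(bad):
        print(line)
```

With a 100 pps rate and a burst of 200, the flooding source spends its burst in the first few hundred packets and is then admitted at roughly one packet in ten, so about 700 of its 1000 packets are dropped, while the 5 pps client never loses a packet. The same model can be used to choose hashlimit parameters for a real deployment before committing them to a rule.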

Slides