Netflix Solves the eBPF Flow Log IP Address Attribution Problem
Netflix previously used eBPF to collect TCP flow logs, but IP address attribution issues rendered the data unreliable. The initial approach relied on a Sonar service, but suffered from delays and inaccuracies. To solve this, Netflix redesigned its attribution method. For local IP addresses, it uses EC2 instance certificates, or, for container workloads, the IPMan service and eBPF maps. For remote IP addresses, FlowCollector collects the flow logs and uses their timestamps together with the local IP address attribution information to infer remote IP address ownership. A Kafka-based mechanism shares data across nodes, addressing regionalization and the attribution of non-workload IP addresses. Finally, validation using the Zuul service demonstrates that the new method effectively eliminates misattribution, so that eBPF flow logs provide reliable network insights.
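The remote IP step described above can be sketched as a time-range lookup. This is an added example, not Netflix's FlowCollector code: the names `OwnershipIndex`, `observe_local`, `owner_at` and `attribute`, the flow tuple layout, and the rule that an ownership range must cover the whole flow are assumptions, and the flows are constructed.

```python
from collections import defaultdict

# Constructed sample flows: (reporting workload, local IP, remote IP, start, end).
# 10.0.0.5 belongs to svc-a until t=200 and is reassigned to svc-b at t=300.
FLOWS = [
    ("svc-a", "10.0.0.5", "10.0.0.9", 100, 150),
    ("svc-a", "10.0.0.5", "10.0.0.9", 140, 200),
    ("svc-b", "10.0.0.5", "10.0.0.9", 300, 400),
    ("client", "10.0.0.9", "10.0.0.5", 150, 160),
    ("client", "10.0.0.9", "10.0.0.5", 250, 260),
    ("client", "10.0.0.9", "10.0.0.5", 320, 330),
]


class OwnershipIndex:
    """Per-IP ownership time ranges learned from local IP attribution."""

    def __init__(self):
        self._ranges = defaultdict(list)  # ip -> [[start, end, workload], ...]

    def observe_local(self, ip, workload, start, end):
        """Record that `workload` held `ip` as its local address over [start, end]."""
        for r in self._ranges[ip]:
            if r[2] == workload and start <= r[1] and end >= r[0]:
                r[0], r[1] = min(r[0], start), max(r[1], end)  # merge overlap
                return
        self._ranges[ip].append([start, end, workload])

    def owner_at(self, ip, start, end):
        """Return the workload whose range covers the whole flow, else None."""
        for s, e, workload in self._ranges.get(ip, []):
            if s <= start and end <= e:
                return workload
        return None  # unknown is preferable to a wrong owner


def attribute(flows):
    """Build the index from every flow's local side, then resolve remote IPs."""
    index = OwnershipIndex()
    for workload, local_ip, _remote_ip, start, end in flows:
        index.observe_local(local_ip, workload, start, end)
    return [index.owner_at(remote_ip, start, end)
            for _w, _l, remote_ip, start, end in flows]


if __name__ == "__main__":
    for flow, owner in zip(FLOWS, attribute(FLOWS)):
        print(flow, "->", owner)
```

The client flow at t=250 falls in the gap between the two owners of 10.0.0.5 and is left unattributed instead of being assigned to either workload.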