SlideShare a Scribd company logo

DoS and DDoS mitigations with eBPF, XDP and DPDK

Marian Marinov
Marian Marinov

The document compares eBPF, XDP and DPDK for packet inspection. It describes the speaker's experience using these tools to build a virtual machine that can handle 10Gbps of traffic and drop packets to mitigate DDoS attacks. It details how eBPF and XDP were able to achieve higher packet drop rates than iptables or a custom module. While DPDK could drop traffic at line rate, it required specialized hardware and expertise. Ultimately, XDP provided the best balance of performance, driver support and programmability using eBPF to drop millions of packets per second.

Engineering
1 of 36
Download to read offline
Comparison of  eBPF, XDP and DPDK for packet inspection Marian Marinov <mm@yuhu.biz> Chief System Architect of SiteGround Linux Piter 2019
Who am I?Who am I? ❖❖ Who am I?Who am I? - Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com - Sysadmin since 1996- Sysadmin since 1996 - Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl Workshops, LUG-BG, RailsGirls and othersWorkshops, LUG-BG, RailsGirls and others - Teaching Network Security and Linux- Teaching Network Security and Linux System Administration courses in SofiaSystem Administration courses in Sofia University and SoftUniUniversity and SoftUni
Why do we need this?Why do we need this? Frequency of DoS/DDoS attacks to ourFrequency of DoS/DDoS attacks to our infrastructureinfrastructure ➢ 4-10 Gbps 6-8 times a month4-10 Gbps 6-8 times a month ➢ 10-40 Gbps maybe 2-3 times a month10-40 Gbps maybe 2-3 times a month ➢ 100+ Gbps around 2 times a month100+ Gbps around 2 times a month
More statsMore stats Attacks resulting in service degradation:Attacks resulting in service degradation: ➢ for the past 276 days we had 31 DDoS attacks ➢ some of the months, no attackssome of the months, no attacks ➢ but some months, up to 9but some months, up to 9 ➢ 2019 – 31 attacks2019 – 31 attacks ➢ 2018 – 75 attacks2018 – 75 attacks ➢ 2017 – 69 attacks2017 – 69 attacks ➢ 2016 – 84 attacks2016 – 84 attacks Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.
Most attacks are basicMost attacks are basic ➢ 20k pps toward ISC Bind can consume20k pps toward ISC Bind can consume up to 30 CPU coresup to 30 CPU cores ➢ a child can generate that on its laptop, at homea child can generate that on its laptop, at home
General solutionsGeneral solutions ➢ Buy additional bandwidthBuy additional bandwidth ➢ Buy a very expensive scrubbing deviceBuy a very expensive scrubbing device OROR ➢ Offload this task to other companies, likeOffload this task to other companies, like CloudFlareCloudFlare
Hosted solution issuesHosted solution issues ➢ Not every DataCenter is wiling to invest inNot every DataCenter is wiling to invest in these devicesthese devices ➢ Shared devicesShared devices ➢ Attacks can be larger then the capacity of theAttacks can be larger then the capacity of the devicedevice ➢ Larger attacks almost always result in null routeLarger attacks almost always result in null route ➢ Attacks saturating the uplinks can affect otherAttacks saturating the uplinks can affect other machines in the rack and/or rowmachines in the rack and/or row
Cloud solution issuesCloud solution issues ➢ You have to point your DNS to the serviceYou have to point your DNS to the service providerprovider ➢ Controlling your DNS is now only API basedControlling your DNS is now only API based ➢ Large DNS updates become an issueLarge DNS updates become an issue ➢ Not suitable for hosting companiesNot suitable for hosting companies
Requirements?Requirements? ➢ Build a VM that can handle 10Gbps withBuild a VM that can handle 10Gbps with ~8Mpps~8Mpps ➢ Why a VM?Why a VM? ➢ scrub UDP DNS and NTP trafficscrub UDP DNS and NTP traffic ➢ scrub TCP traffic by implementing SYN cookiesscrub TCP traffic by implementing SYN cookies ➢ scrub all unrelated trafficscrub all unrelated traffic ➢ cache HTTP responses(wishful thinking) :)cache HTTP responses(wishful thinking) :)
Linux Network FlowLinux Network Flow
Linux Network FlowLinux Network Flow
Linux Network FlowLinux Network Flow
Linux Network FlowLinux Network Flowreceived packet XDP eBPF alloc_skb ingress (qdisc) bridge check broute brouting bridge check nat prerouting raw prerouting mangle forward nat prerouting bridging decision filter forward filter input routing decision filter forward mangle prerouting mangle forward filter forward mangle forward nat postrouting mangle postrouting mangle postrouting nat postrouting nat postrouting conntrack nat output filter output nat postrouting bdrige netfilter egress (qdisc) other net
10M packet drop10M packet drop ➢ in 2018 CloudFlare published the article:in 2018 CloudFlare published the article: How to drop 10m packetsHow to drop 10m packets ➢ I confirm their results with a few additions:I confirm their results with a few additions: ➢ iptables can drop at best 2m ppsiptables can drop at best 2m pps Note: with only one entry in the PREROUTING chain of the mangle tableNote: with only one entry in the PREROUTING chain of the mangle table ➢ heaving multiple entries in that chain easilyheaving multiple entries in that chain easily becomes a problembecomes a problem ➢ even if you use ipset with that, you have a bigeven if you use ipset with that, you have a big problem when updating that informationproblem when updating that information
CloudFlare resultsCloudFlare results
CloudFlare results XDPCloudFlare results XDP
10M packet drop10M packet drop ➢ CloudFlare demo code can be found on GitHub
So, how I started?So, how I started? ➢ I already knew about XDPI already knew about XDP ➢ But I decided to be “smart ass” and wrote anBut I decided to be “smart ass” and wrote an iptables module...iptables module... ➢ It could handle between 260k and 280k ppsIt could handle between 260k and 280k pps
Not good enough... eBPFNot good enough... eBPF ➢ I also knew I can use eBPF for that...I also knew I can use eBPF for that... ➢ from the talk of Daniel Borkmann fromfrom the talk of Daniel Borkmann from FOSDEM 2016FOSDEM 2016 ➢ It was better, but not enough...It was better, but not enough... ➢ 320-350k pps drop rate320-350k pps drop rate ➢ with 2000 domains and UDP packet checkingwith 2000 domains and UDP packet checking ➢ no checksums thouno checksums thou
DPDKDPDK ➢ I had previous experience with DPDK ➢ So I ordered one Intel and one SolarFlare NICs ➢ With both I managed to drop anything that was below the 10G limit of the cards ➢ With SolarFlare I even tested uploading code into the NIC it self Data Plane Development Kit
Complex DPDKComplex DPDK ➢ Nobody, except me, was interested in supporting DPDK code ➢ Writing and updating DPDK is not trivial ➢ DPDK required specific HW that may not be available in the DataCenter Data Plane Development Kit
DPDK and P4DPDK and P4 ➢ A friend(Boyan Krosnov) told me about P4A friend(Boyan Krosnov) told me about P4 ➢ P4 made updating the logic and content of theP4 made updating the logic and content of the filter program a lot simpler for me...filter program a lot simpler for me... Data Plane Development Kit
P4 and peopleP4 and people ➢ P what?P what? ➢ If we were to use DPDK with P4, everyone hadIf we were to use DPDK with P4, everyone had to learn the language :(to learn the language :( Data Plane Development Kit
And then came XDPAnd then came XDPreceived packet XDP eBPF alloc_skb ingress (qdisc) bridge check broute brouting bridge check nat prerouting raw prerouting mangle forward nat prerouting bridging decision filter forward filter input routing decision filter forward mangle prerouting mangle forward filter forward mangle forward nat postrouting mangle postrouting mangle postrouting nat postrouting nat postrouting conntrack nat output filter output nat postrouting bdrige netfilter egress (qdisc) other net
And then came XDPAnd then came XDP ➢ Extremely fast and closest to the NIC, same asExtremely fast and closest to the NIC, same as DPDKDPDK ➢ Supported by many driversSupported by many drivers ➢ Extendable with eBPF functionsExtendable with eBPF functions ➢ Developed by Jasper BrouerDeveloped by Jasper Brouer eXpress Data Path
What I ended up, with?What I ended up, with? ➢ A filter similar to what CF did with their DROP example ➢ instead of a comparing a single prefix, I'm extracting the UDP data if the packet is UDP ➢ then the extracted data is compared with a BPF map ➢ I wrote a simple user space tool, that updates the map in the kernel ➢ voila I had a fast scrubber eXpress Data Path
the UDP scrubberthe UDP scrubber ➢ if the DNS request is not for a domain that is within the list in the map I drop the packet ➢ ToDo: add caching of responses with TTL eXpress Data Path
the TCP scrubberthe TCP scrubber This is where I had to stop :( ➢ compare the packet's dst port and allow it only if it is: ➢ SYN to a port that is allowed ➢ send and receive SYN cookies here ➢ part of already existing connection by examining its own db of tuples and the supplied by the user space(other VMs) eXpress Data Path
the TCP scrubberthe TCP scrubber This is where I had to stop :( ➢ It should handle the SYN cookie for the servers behind and replay the initial SYN if correct SYN,ACK is received eXpress Data Path
Testing the bastardTesting the bastard I knew I was able to drop packets fast... But I needed a proof ;) ➢ I had a talk with Jasper at Linux Plumbers 2019I had a talk with Jasper at Linux Plumbers 2019 ➢ He pointed me toHe pointed me to his patched version of pktgenhis patched version of pktgen on GitHub :)on GitHub :)
Now...Now... How to get from 10GbpsHow to get from 10Gbps to 200Gbps?to 200Gbps?
Now...Now... How to get from 10GbpsHow to get from 10Gbps to 200Gbps?to 200Gbps? ➢ Combining multiple VMs with ECMP ➢ I did that directly on the switch :)
LinksLinks How to drop 10 million packets per secondHow to drop 10 million packets per second https://blog.cloudflare.com/how-to-drop-10-million-packets/ https://github.com/cloudflare/cloudflare-blog/tree/master/2018-0 7-dropping-packets XDP tutorialXDP tutorial https://github.com/xdp-project/xdp-tutorial More XDP materials:More XDP materials: https://www.iovisor.org/technology/xdp Enhanced pktgen by JasperEnhanced pktgen by Jasper https://github.com/netoptimizer/network-testing
LinksLinks Linux tc and eBPFLinux tc and eBPF https://archive.fosdem.org/2016/schedule/event/ebpf/attachments/s lides/1159/export/events/attachments/ebpf/slides/1159/ebpf.pdf man pagesman pages http://man7.org/linux/man-pages/man8/tc-bpf.8.html http://man7.org/linux/man-pages/man2/bpf.2.html SolarFlare AOR firmware development kitSolarFlare AOR firmware development kit https://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1585 Data Plane Development KitData Plane Development Kit https://www.dpdk.org/ P4 Language SpecificationP4 Language Specification https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.pdf P4 meets DPDKP4 meets DPDK https://www.dpdk.org/wp-content/uploads/sites/35/2017/09/DP DK-Userspace2017-Day2-12-SANDOR_LAKI-T4P4S.pdf
Thank you!Thank you!

Recommended

BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in Cilium
ScyllaDB
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
XDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareXDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @Cloudflare
C4Media
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
Thomas Graf
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
Ray Jenkins
 

Recommended

BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in Cilium
ScyllaDB
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
XDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @CloudflareXDP in Practice: DDoS Mitigation @Cloudflare
XDP in Practice: DDoS Mitigation @Cloudflare
C4Media
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
Thomas Graf
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
Ray Jenkins
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
Michael Kehoe
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
lcplcp1
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Introduction to eBPF
Introduction to eBPFIntroduction to eBPF
Introduction to eBPF
RogerColl2
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
Kernel TLV
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP
Netronome
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
oholiab
 

More Related Content

What's hot

BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
Michael Kehoe
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
lcplcp1
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Introduction to eBPF
Introduction to eBPFIntroduction to eBPF
Introduction to eBPF
RogerColl2
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
Kernel TLV
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP
Netronome
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 

What's hot (20)

BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
Introduction to eBPF
Introduction to eBPFIntroduction to eBPF
Introduction to eBPF
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 

Similar to DoS and DDoS mitigations with eBPF, XDP and DPDK

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
oholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"
Faelix Ltd
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
Emin Abdul Azeez
 
Live Transcript Delivery
Live Transcript DeliveryLive Transcript Delivery
Live Transcript Delivery
Grzegorz Kolpuc
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13
Jaime Sánchez
 
IPVS for Docker Containers
IPVS for Docker ContainersIPVS for Docker Containers
IPVS for Docker Containers
Bob Sokol
 
[En] IPVS for Docker Containers
[En] IPVS for Docker Containers[En] IPVS for Docker Containers
[En] IPVS for Docker Containers
Andrey Sibirev
 
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabric
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS FabricNFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabric
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabricozkan01
 
Deploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise EnvironmentsDeploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise Environments
inovex GmbH
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge Box
Shihta Kuan
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDK
Kernel TLV
 
Netcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army KnifeNetcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army Knife
n|u - The Open Security Community
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaRaghunath G
 
DockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaDockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing Aurea
Łukasz Piątkowski
 
Artillery Duel Network
Artillery Duel NetworkArtillery Duel Network
Artillery Duel Network
Leif Bloomquist
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 

Similar to DoS and DDoS mitigations with eBPF, XDP and DPDK (20)

Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"Keeping your rack cool with one "/IP route rule"
Keeping your rack cool with one "/IP route rule"
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Live Transcript Delivery
Live Transcript DeliveryLive Transcript Delivery
Live Transcript Delivery
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13
 
IPVS for Docker Containers
IPVS for Docker ContainersIPVS for Docker Containers
IPVS for Docker Containers
 
[En] IPVS for Docker Containers
[En] IPVS for Docker Containers[En] IPVS for Docker Containers
[En] IPVS for Docker Containers
 
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabric
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS FabricNFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabric
NFV SDN Summit March 2014 D1 07 kireeti_kompella Native MPLS Fabric
 
Deploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise EnvironmentsDeploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise Environments
 
Tcpdump
TcpdumpTcpdump
Tcpdump
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge Box
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDK
 
Netcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army KnifeNetcat - 101 Swiss Army Knife
Netcat - 101 Swiss Army Knife
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
DockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing AureaDockerCon EU '17 - Dockerizing Aurea
DockerCon EU '17 - Dockerizing Aurea
 
Artillery Duel Network
Artillery Duel NetworkArtillery Duel Network
Artillery Duel Network
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 

More from Marian Marinov

How to implement PassKeys in your application
How to implement PassKeys in your applicationHow to implement PassKeys in your application
How to implement PassKeys in your application
Marian Marinov
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
Marian Marinov
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
Marian Marinov
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?
Marian Marinov
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDB
Marian Marinov
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Marian Marinov
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdf
Marian Marinov
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home era
Marian Marinov
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadmins
Marian Marinov
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefs
Marian Marinov
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd
Marian Marinov
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storage
Marian Marinov
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?
Marian Marinov
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL server
Marian Marinov
 
Sysadmin vs. dev ops
Sysadmin vs. dev opsSysadmin vs. dev ops
Sysadmin vs. dev ops
Marian Marinov
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networks
Marian Marinov
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
Marian Marinov
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
Marian Marinov
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of servers
Marian Marinov
 
Let's Encrypt failures
Let's Encrypt failuresLet's Encrypt failures
Let's Encrypt failures
Marian Marinov
 

More from Marian Marinov (20)

How to implement PassKeys in your application
How to implement PassKeys in your applicationHow to implement PassKeys in your application
How to implement PassKeys in your application
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDB
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdf
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home era
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadmins
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefs
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storage
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL server
 
Sysadmin vs. dev ops
Sysadmin vs. dev opsSysadmin vs. dev ops
Sysadmin vs. dev ops
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networks
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of servers
 
Let's Encrypt failures
Let's Encrypt failuresLet's Encrypt failures
Let's Encrypt failures
 

Recently uploaded

Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
Massimo Talia
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Democratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek AryaDemocratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek Arya
abh.arya
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
seandesed
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
Kamal Acharya
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
MuhammadTufail242431
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 

Recently uploaded (20)

Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Democratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek AryaDemocratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek Arya
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 

DoS and DDoS mitigations with eBPF, XDP and DPDK

  • 2. Who am I?Who am I? ❖❖ Who am I?Who am I? - Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com - Sysadmin since 1996- Sysadmin since 1996 - Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl Workshops, LUG-BG, RailsGirls and othersWorkshops, LUG-BG, RailsGirls and others - Teaching Network Security and Linux- Teaching Network Security and Linux System Administration courses in SofiaSystem Administration courses in Sofia University and SoftUniUniversity and SoftUni
  • 3. Why do we need this?Why do we need this? Frequency of DoS/DDoS attacks to ourFrequency of DoS/DDoS attacks to our infrastructureinfrastructure ➢ 4-10 Gbps 6-8 times a month4-10 Gbps 6-8 times a month ➢ 10-40 Gbps maybe 2-3 times a month10-40 Gbps maybe 2-3 times a month ➢ 100+ Gbps around 2 times a month100+ Gbps around 2 times a month
  • 4. More statsMore stats Attacks resulting in service degradation:Attacks resulting in service degradation: ➢ for the past 276 days we had 31 DDoS attacks ➢ some of the months, no attackssome of the months, no attacks ➢ but some months, up to 9but some months, up to 9 ➢ 2019 – 31 attacks2019 – 31 attacks ➢ 2018 – 75 attacks2018 – 75 attacks ➢ 2017 – 69 attacks2017 – 69 attacks ➢ 2016 – 84 attacks2016 – 84 attacks Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.
  • 5. Most attacks are basicMost attacks are basic ➢ 20k pps toward ISC Bind can consume20k pps toward ISC Bind can consume up to 30 CPU coresup to 30 CPU cores ➢ a child can generate that on its laptop, at homea child can generate that on its laptop, at home
  • 6. General solutionsGeneral solutions ➢ Buy additional bandwidthBuy additional bandwidth ➢ Buy a very expensive scrubbing deviceBuy a very expensive scrubbing device OROR ➢ Offload this task to other companies, likeOffload this task to other companies, like CloudFlareCloudFlare
  • 7. Hosted solution issuesHosted solution issues ➢ Not every DataCenter is wiling to invest inNot every DataCenter is wiling to invest in these devicesthese devices ➢ Shared devicesShared devices ➢ Attacks can be larger then the capacity of theAttacks can be larger then the capacity of the devicedevice ➢ Larger attacks almost always result in null routeLarger attacks almost always result in null route ➢ Attacks saturating the uplinks can affect otherAttacks saturating the uplinks can affect other machines in the rack and/or rowmachines in the rack and/or row
  • 8. Cloud solution issuesCloud solution issues ➢ You have to point your DNS to the serviceYou have to point your DNS to the service providerprovider ➢ Controlling your DNS is now only API basedControlling your DNS is now only API based ➢ Large DNS updates become an issueLarge DNS updates become an issue ➢ Not suitable for hosting companiesNot suitable for hosting companies
  • 9. Requirements?Requirements? ➢ Build a VM that can handle 10Gbps withBuild a VM that can handle 10Gbps with ~8Mpps~8Mpps ➢ Why a VM?Why a VM? ➢ scrub UDP DNS and NTP trafficscrub UDP DNS and NTP traffic ➢ scrub TCP traffic by implementing SYN cookiesscrub TCP traffic by implementing SYN cookies ➢ scrub all unrelated trafficscrub all unrelated traffic ➢ cache HTTP responses(wishful thinking) :)cache HTTP responses(wishful thinking) :)
  • 10. Linux Network FlowLinux Network Flow
  • 11. Linux Network FlowLinux Network Flow
  • 12. Linux Network FlowLinux Network Flow
  • 13. Linux Network FlowLinux Network Flowreceived packet XDP eBPF alloc_skb ingress (qdisc) bridge check broute brouting bridge check nat prerouting raw prerouting mangle forward nat prerouting bridging decision filter forward filter input routing decision filter forward mangle prerouting mangle forward filter forward mangle forward nat postrouting mangle postrouting mangle postrouting nat postrouting nat postrouting conntrack nat output filter output nat postrouting bdrige netfilter egress (qdisc) other net
  • 14. 10M packet drop10M packet drop ➢ in 2018 CloudFlare published the article:in 2018 CloudFlare published the article: How to drop 10m packetsHow to drop 10m packets ➢ I confirm their results with a few additions:I confirm their results with a few additions: ➢ iptables can drop at best 2m ppsiptables can drop at best 2m pps Note: with only one entry in the PREROUTING chain of the mangle tableNote: with only one entry in the PREROUTING chain of the mangle table ➢ heaving multiple entries in that chain easilyheaving multiple entries in that chain easily becomes a problembecomes a problem ➢ even if you use ipset with that, you have a bigeven if you use ipset with that, you have a big problem when updating that informationproblem when updating that information
  • 18. So, how I started?So, how I started? ➢ I already knew about XDPI already knew about XDP ➢ But I decided to be “smart ass” and wrote anBut I decided to be “smart ass” and wrote an iptables module...iptables module... ➢ It could handle between 260k and 280k ppsIt could handle between 260k and 280k pps
  • 19. Not good enough... eBPFNot good enough... eBPF ➢ I also knew I can use eBPF for that...I also knew I can use eBPF for that... ➢ from the talk of Daniel Borkmann fromfrom the talk of Daniel Borkmann from FOSDEM 2016FOSDEM 2016 ➢ It was better, but not enough...It was better, but not enough... ➢ 320-350k pps drop rate320-350k pps drop rate ➢ with 2000 domains and UDP packet checkingwith 2000 domains and UDP packet checking ➢ no checksums thouno checksums thou
  • 20. DPDKDPDK ➢ I had previous experience with DPDK ➢ So I ordered one Intel and one SolarFlare NICs ➢ With both I managed to drop anything that was below the 10G limit of the cards ➢ With SolarFlare I even tested uploading code into the NIC it self Data Plane Development Kit
  • 21. Complex DPDKComplex DPDK ➢ Nobody, except me, was interested in supporting DPDK code ➢ Writing and updating DPDK is not trivial ➢ DPDK required specific HW that may not be available in the DataCenter Data Plane Development Kit
  • 22. DPDK and P4DPDK and P4 ➢ A friend(Boyan Krosnov) told me about P4A friend(Boyan Krosnov) told me about P4 ➢ P4 made updating the logic and content of theP4 made updating the logic and content of the filter program a lot simpler for me...filter program a lot simpler for me... Data Plane Development Kit
  • 23. P4 and peopleP4 and people ➢ P what?P what? ➢ If we were to use DPDK with P4, everyone hadIf we were to use DPDK with P4, everyone had to learn the language :(to learn the language :( Data Plane Development Kit
  • 24. And then came XDPAnd then came XDPreceived packet XDP eBPF alloc_skb ingress (qdisc) bridge check broute brouting bridge check nat prerouting raw prerouting mangle forward nat prerouting bridging decision filter forward filter input routing decision filter forward mangle prerouting mangle forward filter forward mangle forward nat postrouting mangle postrouting mangle postrouting nat postrouting nat postrouting conntrack nat output filter output nat postrouting bdrige netfilter egress (qdisc) other net
  • 25. And then came XDPAnd then came XDP ➢ Extremely fast and closest to the NIC, same asExtremely fast and closest to the NIC, same as DPDKDPDK ➢ Supported by many driversSupported by many drivers ➢ Extendable with eBPF functionsExtendable with eBPF functions ➢ Developed by Jasper BrouerDeveloped by Jasper Brouer eXpress Data Path
  • 26. What I ended up, with?What I ended up, with? ➢ A filter similar to what CF did with their DROP example ➢ instead of a comparing a single prefix, I'm extracting the UDP data if the packet is UDP ➢ then the extracted data is compared with a BPF map ➢ I wrote a simple user space tool, that updates the map in the kernel ➢ voila I had a fast scrubber eXpress Data Path
  • 27. the UDP scrubberthe UDP scrubber ➢ if the DNS request is not for a domain that is within the list in the map I drop the packet ➢ ToDo: add caching of responses with TTL eXpress Data Path
  • 28. the TCP scrubberthe TCP scrubber This is where I had to stop :( ➢ compare the packet's dst port and allow it only if it is: ➢ SYN to a port that is allowed ➢ send and receive SYN cookies here ➢ part of already existing connection by examining its own db of tuples and the supplied by the user space(other VMs) eXpress Data Path
  • 29. the TCP scrubberthe TCP scrubber This is where I had to stop :( ➢ It should handle the SYN cookie for the servers behind and replay the initial SYN if correct SYN,ACK is received eXpress Data Path
  • 30. Testing the bastardTesting the bastard I knew I was able to drop packets fast... But I needed a proof ;) ➢ I had a talk with Jasper at Linux Plumbers 2019I had a talk with Jasper at Linux Plumbers 2019 ➢ He pointed me toHe pointed me to his patched version of pktgenhis patched version of pktgen on GitHub :)on GitHub :)
  • 31. Now...Now... How to get from 10GbpsHow to get from 10Gbps to 200Gbps?to 200Gbps?
  • 32. Now...Now... How to get from 10GbpsHow to get from 10Gbps to 200Gbps?to 200Gbps? ➢ Combining multiple VMs with ECMP ➢ I did that directly on the switch :)
  • 33. LinksLinks How to drop 10 million packets per secondHow to drop 10 million packets per second https://blog.cloudflare.com/how-to-drop-10-million-packets/ https://github.com/cloudflare/cloudflare-blog/tree/master/2018-0 7-dropping-packets XDP tutorialXDP tutorial https://github.com/xdp-project/xdp-tutorial More XDP materials:More XDP materials: https://www.iovisor.org/technology/xdp Enhanced pktgen by JasperEnhanced pktgen by Jasper https://github.com/netoptimizer/network-testing
  • 34. LinksLinks Linux tc and eBPFLinux tc and eBPF https://archive.fosdem.org/2016/schedule/event/ebpf/attachments/s lides/1159/export/events/attachments/ebpf/slides/1159/ebpf.pdf man pagesman pages http://man7.org/linux/man-pages/man8/tc-bpf.8.html http://man7.org/linux/man-pages/man2/bpf.2.html SolarFlare AOR firmware development kitSolarFlare AOR firmware development kit https://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1585 Data Plane Development KitData Plane Development Kit https://www.dpdk.org/ P4 Language SpecificationP4 Language Specification https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.pdf P4 meets DPDKP4 meets DPDK https://www.dpdk.org/wp-content/uploads/sites/35/2017/09/DP DK-Userspace2017-Day2-12-SANDOR_LAKI-T4P4S.pdf
  • 35.