Comparison of eBPF, XDP and DPDK for packet inspection
Marian Marinov <mm@yuhu.biz>
Chief System Architect of SiteGround
Linux Piter 2019
Who am I?
- Chief System Architect of SiteGround.com
- Sysadmin since 1996
- Organizer of OpenFest, BG Perl Workshops, LUG-BG, RailsGirls and others
- Teaching Network Security and Linux System Administration courses in Sofia University and SoftUni
Why do we need this?
Frequency of DoS/DDoS attacks to our infrastructure:
➢ 4-10 Gbps: 6-8 times a month
➢ 10-40 Gbps: maybe 2-3 times a month
➢ 100+ Gbps: around 2 times a month
More stats
Attacks resulting in service degradation:
➢ for the past 276 days we had 31 DDoS attacks
➢ some months, no attacks
➢ but some months, up to 9
➢ 2019 – 31 attacks
➢ 2018 – 75 attacks
➢ 2017 – 69 attacks
➢ 2016 – 84 attacks
Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.
Most attacks are basic
➢ 20k pps toward ISC Bind can consume up to 30 CPU cores
➢ a child can generate that on its laptop, at home
General solutions
➢ Buy additional bandwidth
➢ Buy a very expensive scrubbing device
OR
➢ Offload this task to other companies, like CloudFlare
Hosted solution issues
➢ Not every DataCenter is willing to invest in these devices
➢ Shared devices
➢ Attacks can be larger than the capacity of the device
➢ Larger attacks almost always result in a null route
➢ Attacks saturating the uplinks can affect other machines in the rack and/or row
Cloud solution issues
➢ You have to point your DNS to the service provider
➢ Controlling your DNS is now only API based
➢ Large DNS updates become an issue
➢ Not suitable for hosting companies
Requirements?
➢ Build a VM that can handle 10Gbps with ~8Mpps
➢ Why a VM?
➢ scrub UDP DNS and NTP traffic
➢ scrub TCP traffic by implementing SYN cookies
➢ scrub all unrelated traffic
➢ cache HTTP responses (wishful thinking) :)
Linux Network Flow
[Diagram: the path of a received packet through the Linux network stack: XDP, eBPF, alloc_skb, ingress (qdisc), bridge check / broute / brouting, the netfilter tables (raw, mangle, nat, filter) at the prerouting, input, forward, output and postrouting hooks, conntrack, the bridging and routing decisions, bridge netfilter, egress (qdisc), other net]
10M packet drop
➢ in 2018 CloudFlare published the article: How to drop 10m packets
➢ I confirm their results with a few additions:
➢ iptables can drop at best 2m pps
Note: with only one entry in the PREROUTING chain of the mangle table
➢ having multiple entries in that chain easily becomes a problem
➢ even if you use ipset with that, you have a big problem when updating that information
CloudFlare results
CloudFlare results XDP
10M packet drop
➢ CloudFlare demo code can be found on GitHub
So, how did I start?
➢ I already knew about XDP
➢ But I decided to be a "smart ass" and wrote an iptables module...
➢ It could handle between 260k and 280k pps
Not good enough... eBPF
➢ I also knew I could use eBPF for that...
➢ from the talk of Daniel Borkmann at FOSDEM 2016
➢ It was better, but not enough...
➢ 320-350k pps drop rate
➢ with 2000 domains and UDP packet checking
➢ no checksums though
DPDK (Data Plane Development Kit)
➢ I had previous experience with DPDK
➢ So I ordered one Intel and one SolarFlare NIC
➢ With both I managed to drop anything that was below the 10G limit of the cards
➢ With SolarFlare I even tested uploading code into the NIC itself
Complex DPDK
➢ Nobody, except me, was interested in supporting DPDK code
➢ Writing and updating DPDK is not trivial
➢ DPDK requires specific HW that may not be available in the DataCenter
DPDK and P4
➢ A friend (Boyan Krosnov) told me about P4
➢ P4 made updating the logic and content of the filter program a lot simpler for me...
P4 and people
➢ P what?
➢ If we were to use DPDK with P4, everyone had to learn the language :(
And then came XDP
[Diagram: the Linux network flow from the earlier slide again, with XDP as the first hook a received packet reaches, ahead of eBPF, alloc_skb, the qdiscs, the bridge and netfilter hooks and the routing decision]
And then came XDP (eXpress Data Path)
➢ Extremely fast and closest to the NIC, same as DPDK
➢ Supported by many drivers
➢ Extendable with eBPF functions
➢ Developed by Jesper Brouer
What did I end up with?
➢ A filter similar to what CF did with their DROP example
➢ instead of comparing a single prefix, I'm extracting the UDP data if the packet is UDP
➢ then the extracted data is compared with a BPF map
➢ I wrote a simple user space tool that updates the map in the kernel
➢ voila, I had a fast scrubber
The UDP scrubber
➢ if the DNS request is not for a domain that is within the list in the map, I drop the packet
➢ ToDo: add caching of responses with TTL
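To make the UDP scrubber's packet path concrete, here is an added example in plain C (not the speaker's code): the same bounds-checked Ethernet/IPv4/UDP/DNS parsing an XDP program has to do, with a static allow-list of zones standing in for the BPF map and the XDP verdicts mirrored as local constants so it compiles and runs in user space. It goes a little beyond the slide by matching parent zones at label boundaries and case-folding the query name; the frame builder, addresses and zone names are constructed for the example, and the decision to pass non-UDP traffic on to a separate TCP path is an assumption.

```c
/* User-space model of the XDP UDP/DNS scrubber from the talk (added example, not
 * the speaker's code). A static allow-list stands in for the BPF hash map filled
 * from user space; XDP verdicts are local constants so it runs without kernel headers. */
#include <stdint.h>
#include <string.h>

#define XDP_DROP 1
#define XDP_PASS 2
#define MAX_NAME 255

/* Zones the scrubber protects (constructed sample; the real list lives in the map). */
static const char *allowed_zones[] = { "example.com", "example.net" };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Suffix match at label boundaries: www.example.com -> example.com -> com. */
static int zone_allowed(const char *name)
{
    const char *p = name;
    while (p) {
        for (size_t i = 0; i < sizeof allowed_zones / sizeof *allowed_zones; i++)
            if (strcmp(p, allowed_zones[i]) == 0) return 1;
        if ((p = strchr(p, '.')) != NULL) p++;          /* step to the parent zone */
    }
    return 0;
}

/* Copy the question name at pkt[off] into dotted lower-case form. Every read is
 * bounds-checked against len (the BPF verifier demands the same in-kernel);
 * compression pointers are rejected since a query's QNAME is never compressed. */
static int parse_qname(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outsz)
{
    size_t o = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t lab = pkt[off++];
        if (lab == 0) break;
        if ((lab & 0xC0) || off + lab > len || o + lab + 2 > outsz) return -1;
        if (o) out[o++] = '.';
        for (size_t i = 0; i < lab; i++, off++)
            out[o++] = (pkt[off] >= 'A' && pkt[off] <= 'Z') ? (char)(pkt[off] + 32) : (char)pkt[off];
    }
    if (o == 0) return -1;                                /* bare root query */
    out[o] = '\0';
    return 0;
}

/* Ethernet/IPv4/UDP header bytes for constructed test frames: EtherType IPv4, IHL 5,
 * TTL 64, proto UDP, 192.0.2.1 -> 198.51.100.53, sport 49152, dport 53, lengths patched later. */
static const uint8_t hdr_template[42] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0, 0,0, 0,0, 0,0, 64,17, 0,0, 192,0,2,1, 198,51,100,53,
    0xC0,0, 0,53, 0,0, 0,0 };

/* Build a DNS A query for qname (constructed input). Checksums stay zero: the
 * scrubber never verifies them, matching the "no checksums" note in the talk. */
size_t build_dns_query(uint8_t *buf, size_t cap, const char *qname)
{
    size_t qlen = strlen(qname), p = 54;                  /* 42 header + 12 DNS header */
    if (qlen == 0 || qlen > MAX_NAME || 54 + qlen + 6 > cap) return 0;
    memset(buf, 0, cap); memcpy(buf, hdr_template, 42);
    buf[42] = 0x12; buf[43] = 0x34; buf[44] = 0x01; buf[47] = 1;  /* ID, RD, QDCOUNT=1 */
    for (const char *s = qname; *s; ) {
        size_t lab = strcspn(s, ".");
        if (lab == 0 || lab > 63) return 0;
        buf[p++] = (uint8_t)lab;
        memcpy(buf + p, s, lab); p += lab;
        s += lab + (s[lab] == '.');
    }
    buf[p++] = 0; buf[p + 1] = 1; buf[p + 3] = 1; p += 4;  /* root label, QTYPE A, QCLASS IN */
    buf[16] = (uint8_t)((p - 14) >> 8); buf[17] = (uint8_t)(p - 14);   /* IP total length */
    buf[38] = (uint8_t)((p - 34) >> 8); buf[39] = (uint8_t)(p - 34);   /* UDP length */
    return p;
}

/* One frame in, one verdict out. Assumption: non-IPv4 and non-UDP frames are passed
 * on for a separate (TCP) scrubber; UDP that is not a DNS query for a listed zone,
 * and anything truncated or malformed, is dropped. */
int scrub_frame(const uint8_t *pkt, size_t len)
{
    if (len < 14 || be16(pkt + 12) != 0x0800) return XDP_PASS;
    if (len < 34 || (pkt[14] >> 4) != 4) return XDP_DROP;
    size_t ihl = (size_t)(pkt[14] & 0x0F) * 4, udp = 14 + ihl, dns = udp + 8;
    if (ihl < 20 || dns > len) return XDP_DROP;
    if (pkt[23] != 17) return XDP_PASS;
    if (be16(pkt + udp + 2) != 53 || dns + 12 > len) return XDP_DROP;          /* unrelated UDP */
    if ((pkt[dns + 2] & 0x80) || be16(pkt + dns + 4) != 1) return XDP_DROP;     /* response or QDCOUNT != 1 */
    char name[MAX_NAME + 1];
    if (parse_qname(pkt, len, dns + 12, name, sizeof name) != 0) return XDP_DROP;
    return zone_allowed(name) ? XDP_PASS : XDP_DROP;
}

/* Build a query for qname, optionally truncate the frame to cut bytes (0 = intact),
 * and return the scrubber's verdict; -1 if qname cannot be encoded. */
int scrub_query(const char *qname, size_t cut)
{
    uint8_t frame[512];
    size_t n = build_dns_query(frame, sizeof frame, qname);
    return n == 0 ? -1 : scrub_frame(frame, (cut && cut < n) ? cut : n);
}
```

In the kernel-side program the `allowed_zones` loop becomes a `bpf_map_lookup_elem()` on the map the user-space tool maintains, and every `len` comparison above corresponds to a `data_end` check the verifier insists on.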
The TCP scrubber
This is where I had to stop :(
➢ compare the packet's dst port and allow it only if it is:
➢ a SYN to a port that is allowed
➢ send and receive SYN cookies here
➢ part of an already existing connection, by examining its own db of tuples and those supplied by user space (other VMs)
➢ It should handle the SYN cookie for the servers behind and replay the initial SYN if a correct SYN,ACK is received
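The SYN-cookie step the TCP scrubber was meant to perform, as an added example in C (not code from the talk): the scrubber answers a SYN with a cookie as its sequence number and, when the client's ACK returns, recovers the time slot and MSS from the cookie without any per-connection state, and only then would it replay the SYN to the real server. The keyed mixer, the secrets, the 64-second time slots and the MSS table are assumptions of this example; a production version uses SipHash or an HMAC in place of the mixer.

```c
/* Stateless SYN cookie mint/verify for a scrubber sitting in front of the real
 * servers (added example, not code from the talk). Layout follows the classic scheme:
 * cookie = H1(flow) + client_isn + (t << 24) + ((H2(flow, t) + mss_idx) & 0xFFFFFF). */
#include <stdint.h>

#define COOKIE_SLOT_SHIFT 6        /* one time slot = 64 s (assumption) */
#define COOKIE_MAX_AGE    2        /* accept the current and previous slot (assumption) */

/* MSS values that fit in 2 bits of cookie; the index encodes the client's offered MSS. */
static const uint16_t mss_table[4] = { 536, 1220, 1440, 1460 };

/* Constructed secrets; a real deployment generates these at boot and rotates them. */
static const uint64_t cookie_secret[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

struct flow4 { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Keyed 64-bit mixer (murmur3 finalizer). Stand-in for a real PRF such as SipHash:
 * it keeps the example self-contained but is not collision resistant against an
 * attacker who knows the construction. */
static uint32_t keyed_mix(const struct flow4 *f, uint32_t count, uint64_t key)
{
    uint64_t h = key ^ (((uint64_t)f->saddr << 32) | f->daddr);
    h ^= ((uint64_t)f->sport << 48) | ((uint64_t)f->dport << 32) | count;
    h ^= h >> 33; h *= 0xff51afd7ed558ccdULL;
    h ^= h >> 33; h *= 0xc4ceb9fe1a85ec53ULL;
    h ^= h >> 33;
    return (uint32_t)h;
}

/* Largest table entry not above the offered MSS. */
static uint32_t mss_index(uint16_t mss)
{
    uint32_t i = 0;
    while (i + 1 < 4 && mss_table[i + 1] <= mss) i++;
    return i;
}

/* Mint the sequence number for our SYN-ACK. No state is kept for the half-open
 * connection: everything needed to validate the ACK is inside the cookie. */
uint32_t syncookie_mint(const struct flow4 *f, uint32_t client_isn, uint16_t mss, uint32_t now_s)
{
    uint32_t t = (now_s >> COOKIE_SLOT_SHIFT) & 0xFF;
    return keyed_mix(f, 0, cookie_secret[0]) + client_isn + (t << 24)
         + ((keyed_mix(f, t, cookie_secret[1]) + mss_index(mss)) & 0xFFFFFF);
}

/* Validate the client's ACK (ack_seq should be cookie + 1). Returns the MSS we
 * encoded at mint time, or 0 if the cookie is forged or too old. */
uint16_t syncookie_check(const struct flow4 *f, uint32_t client_isn, uint32_t ack_seq, uint32_t now_s)
{
    uint32_t diff = (ack_seq - 1) - keyed_mix(f, 0, cookie_secret[0]) - client_isn;
    uint32_t t = diff >> 24, now_t = (now_s >> COOKIE_SLOT_SHIFT) & 0xFF;
    if (((now_t - t) & 0xFF) >= COOKIE_MAX_AGE) return 0;        /* expired (or t in the future) */
    uint32_t idx = (diff - keyed_mix(f, t, cookie_secret[1])) & 0xFFFFFF;
    return idx < 4 ? mss_table[idx] : 0;
}

/* Walk one handshake through the scrubber with a constructed flow: SYN at syn_time,
 * client ACK at ack_time carrying cookie + ack_delta (1 is the honest value).
 * Returns the recovered MSS, or 0 when the ACK must be dropped. On success the
 * scrubber would now replay the original SYN to the real server, as the slide
 * describes, and proxy the rest of the connection. */
uint16_t demo_handshake(uint32_t syn_time, uint32_t ack_time, uint16_t mss, uint32_t ack_delta)
{
    struct flow4 f = { 0xC0000201u /* 192.0.2.1 */, 0xC6336450u /* 198.51.100.80 */, 40000, 80 };
    uint32_t client_isn = 0x11223344u;
    uint32_t cookie = syncookie_mint(&f, client_isn, mss, syn_time);   /* our SYN-ACK seq */
    return syncookie_check(&f, client_isn, cookie + ack_delta, ack_time);
}
```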
Testing the bastard
I knew I was able to drop packets fast...
But I needed proof ;)
➢ I had a talk with Jesper at Linux Plumbers 2019
➢ He pointed me to his patched version of pktgen on GitHub :)
Now... How to get from 10Gbps to 200Gbps?
➢ Combining multiple VMs with ECMP
➢ I did that directly on the switch :)
Links
How to drop 10 million packets per second
https://blog.cloudflare.com/how-to-drop-10-million-packets/
https://github.com/cloudflare/cloudflare-blog/tree/master/2018-07-dropping-packets
XDP tutorial
https://github.com/xdp-project/xdp-tutorial
More XDP materials:
https://www.iovisor.org/technology/xdp
Enhanced pktgen by Jesper
https://github.com/netoptimizer/network-testing
Linux tc and eBPF
https://archive.fosdem.org/2016/schedule/event/ebpf/attachments/slides/1159/export/events/attachments/ebpf/slides/1159/ebpf.pdf
man pages
http://man7.org/linux/man-pages/man8/tc-bpf.8.html
http://man7.org/linux/man-pages/man2/bpf.2.html
SolarFlare AOR firmware development kit
https://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1585
Data Plane Development Kit
https://www.dpdk.org/
P4 Language Specification
https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.pdf
P4 meets DPDK
https://www.dpdk.org/wp-content/uploads/sites/35/2017/09/DPDK-Userspace2017-Day2-12-SANDOR_LAKI-T4P4S.pdf
DoS and DDoS mitigations with eBPF, XDP and DPDK
Thank you!
International Journal of Distributed and Parallel systems (IJDPS)
samueljackson3773
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
DSP and MV the Color image processing.ppt
DSP and MV the  Color image processing.pptDSP and MV the  Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)AI-assisted Software Testing (3-hours tutorial)
AI-assisted Software Testing (3-hours tutorial)
Vəhid Gəruslu
 
some basics electrical and electronics knowledge
some basics electrical and electronics knowledgesome basics electrical and electronics knowledge
some basics electrical and electronics knowledge
nguyentrungdo88
 
QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)QA/QC Manager (Quality management Expert)
QA/QC Manager (Quality management Expert)
rccbatchplant
 
Reagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptxReagent dosing (Bredel) presentation.pptx
Reagent dosing (Bredel) presentation.pptx
AlejandroOdio
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
railway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forgingrailway wheels, descaling after reheating and before forging
railway wheels, descaling after reheating and before forging
Javad Kadkhodapour
 
IntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdfIntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdf
Luiz Carneiro
 
Metal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistryMetal alkyne complexes.pptx in chemistry
Metal alkyne complexes.pptx in chemistry
mee23nu
 
Introduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS &  KINEMATICSIntroduction to FLUID MECHANICS &  KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICS
narayanaswamygdas
 
new ppt artificial intelligence historyyy
new ppt artificial intelligence historyyynew ppt artificial intelligence historyyy
new ppt artificial intelligence historyyy
PianoPianist
 
Compiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptxCompiler Design_Lexical Analysis phase.pptx
Compiler Design_Lexical Analysis phase.pptx
RushaliDeshmukh2
 
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptxLidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
Lidar for Autonomous Driving, LiDAR Mapping for Driverless Cars.pptx
RishavKumar530754
 
International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)International Journal of Distributed and Parallel systems (IJDPS)
International Journal of Distributed and Parallel systems (IJDPS)
samueljackson3773
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
DSP and MV the Color image processing.ppt
DSP and MV the  Color image processing.pptDSP and MV the  Color image processing.ppt
DSP and MV the Color image processing.ppt
HafizAhamed8
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 

DoS and DDoS mitigations with eBPF, XDP and DPDK

  • 2. Who am I? - Chief System Architect of SiteGround.com - Sysadmin since 1996 - Organizer of OpenFest, BG Perl Workshops, LUG-BG, RailsGirls and others - Teaching Network Security and Linux System Administration courses in Sofia University and SoftUni
  • 3. Why do we need this? Frequency of DoS/DDoS attacks to our infrastructure ➢ 4-10 Gbps 6-8 times a month ➢ 10-40 Gbps maybe 2-3 times a month ➢ 100+ Gbps around 2 times a month
  • 4. More stats Attacks resulting in service degradation: ➢ for the past 276 days we had 31 DDoS attacks ➢ some of the months, no attacks ➢ but some months, up to 9 ➢ 2019 – 31 attacks ➢ 2018 – 75 attacks ➢ 2017 – 69 attacks ➢ 2016 – 84 attacks Note: I have manually counted the e-mails. The numbers can be slightly inaccurate.
  • 5. Most attacks are basic ➢ 20k pps toward ISC Bind can consume up to 30 CPU cores ➢ a child can generate that on its laptop, at home
  • 6. General solutions ➢ Buy additional bandwidth ➢ Buy a very expensive scrubbing device OR ➢ Offload this task to other companies, like CloudFlare
  • 7. Hosted solution issues ➢ Not every DataCenter is willing to invest in these devices ➢ Shared devices ➢ Attacks can be larger than the capacity of the device ➢ Larger attacks almost always result in a null route ➢ Attacks saturating the uplinks can affect other machines in the rack and/or row
  • 8. Cloud solution issues ➢ You have to point your DNS to the service provider ➢ Controlling your DNS is now only API based ➢ Large DNS updates become an issue ➢ Not suitable for hosting companies
  • 9. Requirements? ➢ Build a VM that can handle 10Gbps with ~8Mpps ➢ Why a VM? ➢ scrub UDP DNS and NTP traffic ➢ scrub TCP traffic by implementing SYN cookies ➢ scrub all unrelated traffic ➢ cache HTTP responses (wishful thinking) :)
  • 10. Linux Network Flow
  • 11. Linux Network Flow
  • 12. Linux Network Flow
  • 13. Linux Network Flow (diagram of the packet path: received packet, XDP/eBPF, alloc_skb, ingress qdisc, bridge and netfilter hooks (raw/mangle/nat/filter prerouting, forward, input, output, postrouting, conntrack), routing decision, egress qdisc)
  • 14. 10M packet drop ➢ in 2018 CloudFlare published the article: How to drop 10m packets ➢ I confirm their results with a few additions: ➢ iptables can drop at best 2m pps Note: with only one entry in the PREROUTING chain of the mangle table ➢ having multiple entries in that chain easily becomes a problem ➢ even if you use ipset with that, you have a big problem when updating that information
  • 18. So, how did I start? ➢ I already knew about XDP ➢ But I decided to be a “smart ass” and wrote an iptables module... ➢ It could handle between 260k and 280k pps
  • 19. Not good enough... eBPF ➢ I also knew I could use eBPF for that... ➢ from the talk of Daniel Borkmann at FOSDEM 2016 ➢ It was better, but not enough... ➢ 320-350k pps drop rate ➢ with 2000 domains and UDP packet checking ➢ no checksums though
  • 20. DPDK (Data Plane Development Kit) ➢ I had previous experience with DPDK ➢ So I ordered one Intel and one SolarFlare NIC ➢ With both I managed to drop anything that was below the 10G limit of the cards ➢ With SolarFlare I even tested uploading code into the NIC itself
  • 21. Complex DPDK ➢ Nobody, except me, was interested in supporting DPDK code ➢ Writing and updating DPDK is not trivial ➢ DPDK requires specific HW that may not be available in the DataCenter
  • 22. DPDK and P4 ➢ A friend (Boyan Krosnov) told me about P4 ➢ P4 made updating the logic and content of the filter program a lot simpler for me...
  • 23. P4 and people ➢ P what? ➢ If we were to use DPDK with P4, everyone had to learn the language :(
  • 24. And then came XDP (the Linux network flow diagram from slide 13 again, with XDP at the very start of the path)
  • 25. And then came XDP (eXpress Data Path) ➢ Extremely fast and closest to the NIC, same as DPDK ➢ Supported by many drivers ➢ Extendable with eBPF functions ➢ Developed by Jesper Brouer
  • 26. What did I end up with? ➢ A filter similar to what CF did with their DROP example ➢ instead of comparing a single prefix, I'm extracting the UDP data if the packet is UDP ➢ then the extracted data is compared with a BPF map ➢ I wrote a simple user space tool that updates the map in the kernel ➢ voilà, I had a fast scrubber
  • 27. The UDP scrubber ➢ if the DNS request is not for a domain that is within the list in the map, I drop the packet ➢ ToDo: add caching of responses with TTL
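Slides 26 and 27 describe the filter only in outline. What follows is an added example, not code from the talk or from SiteGround: a user-space C model of that UDP scrubber with the same parse-then-lookup shape an XDP program has (an explicit bounds check before every read, a bounded label loop) and a fixed array standing in for the BPF map. The zone names, the suffix-matching rule, the constructed packet contents and the decision to pass non-DNS traffic untouched are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XDP_DROP 1      /* same numeric values as the kernel's enum xdp_action */
#define XDP_PASS 2
#define MAX_NAME 64     /* longest query name this filter will consider */
#define MAX_LABELS 16   /* bounded loop, as the eBPF verifier would require */

/* Stand-in for the BPF map that the talk's user-space tool keeps up to date.
 * Constructed zone names; matching is on the zone suffix (an assumption here),
 * so "www.example.com" is allowed by the "example.com" entry. */
static const char *allowed_zones[] = { "example.com", "siteground.com" };

static int zone_allowed(const char *name) {
    size_t nlen = strlen(name);
    for (size_t i = 0; i < sizeof allowed_zones / sizeof *allowed_zones; i++) {
        const char *z = allowed_zones[i];
        size_t zlen = strlen(z);
        if (nlen == zlen && memcmp(name, z, zlen) == 0) return 1;
        if (nlen > zlen && name[nlen - zlen - 1] == '.' &&
            memcmp(name + nlen - zlen, z, zlen) == 0) return 1;
    }
    return 0;
}

/* Copy the DNS question name out as dotted lower-case. Every access is
 * bounds-checked against `end` first, exactly as XDP code must check against
 * data_end. Returns the name length, or -1 for a truncated, oversized or
 * malformed name (a compression pointer is never valid in a question). */
static int extract_qname(const uint8_t *p, const uint8_t *end, char *out, size_t outlen) {
    size_t o = 0;
    for (int labels = 0; labels < MAX_LABELS; labels++) {
        if (p >= end) return -1;
        uint8_t len = *p++;
        if (len == 0) { out[o] = '\0'; return (int)o; }
        if (len >= 0xC0 || (size_t)(end - p) < len || o + len + 1 >= outlen) return -1;
        if (o) out[o++] = '.';
        for (uint8_t i = 0; i < len; i++)
            out[o++] = (p[i] >= 'A' && p[i] <= 'Z') ? (char)(p[i] + 32) : (char)p[i];
        p += len;
    }
    return -1;  /* more labels than we allow */
}

/* The verdict the XDP entry point returns for one frame. Only IPv4/UDP/53
 * queries are inspected; everything else passes through in this model (the
 * talk's scrubber also handles NTP and TCP, which are left out here). */
static int udp_dns_filter(const uint8_t *data, size_t len) {
    if (len < 14 + 20 + 8 || data[12] != 0x08 || data[13] != 0x00) return XDP_PASS;
    const uint8_t *ip = data + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < 14 + ihl + 8) return XDP_DROP;     /* bogus IHL */
    if (ip[9] != 17) return XDP_PASS;                         /* not UDP */
    const uint8_t *udp = ip + ihl, *dns = udp + 8, *end = data + len;
    if (((udp[2] << 8) | udp[3]) != 53) return XDP_PASS;      /* not DNS */
    if (end - dns < 12) return XDP_DROP;                      /* no DNS header */
    if (dns[2] & 0x80) return XDP_PASS;                       /* QR=1: a response */
    if (((dns[4] << 8) | dns[5]) != 1) return XDP_DROP;       /* QDCOUNT must be 1 */
    char name[MAX_NAME];
    if (extract_qname(dns + 12, end, name, sizeof name) < 0) return XDP_DROP;
    return zone_allowed(name) ? XDP_PASS : XDP_DROP;
}

/* Constructed test input: an Ethernet/IPv4/UDP/DNS A query for a dotted name. */
static size_t build_dns_query(uint8_t *buf, size_t cap, const char *qname) {
    size_t need = 14 + 20 + 8 + 12 + strlen(qname) + 2 + 4;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[12] = 0x08;                                    /* EtherType IPv4; MACs left zero */
    uint8_t *ip = buf + 14, *udp = ip + 20, *dns = udp + 8;
    ip[0] = 0x45; ip[8] = 64; ip[9] = 17;              /* IHL 5, TTL 64, protocol UDP */
    udp[3] = 53;                                       /* destination port 53 */
    dns[0] = 0x12; dns[1] = 0x34; dns[2] = 0x01; dns[5] = 1;   /* ID, RD=1, QDCOUNT=1 */
    size_t n = 14 + 20 + 8 + 12;
    for (const char *s = qname; *s; ) {                /* dotted name -> labels */
        const char *dot = strchr(s, '.');
        size_t l = dot ? (size_t)(dot - s) : strlen(s);
        buf[n++] = (uint8_t)l; memcpy(buf + n, s, l); n += l;
        s += l + (dot ? 1 : 0);
    }
    buf[n++] = 0; buf[n + 1] = 1; buf[n + 3] = 1; n += 4;     /* root, QTYPE A, QCLASS IN */
    ip[2] = (uint8_t)((n - 14) >> 8); ip[3] = (uint8_t)(n - 14);
    udp[4] = (uint8_t)((n - 34) >> 8); udp[5] = (uint8_t)(n - 34);
    return n;
}

int main(void) {
    const char *queries[] = { "www.EXAMPLE.com", "ns1.siteground.com", "evil.invalid" };
    uint8_t frame[256];
    for (size_t i = 0; i < sizeof queries / sizeof *queries; i++) {
        size_t n = build_dns_query(frame, sizeof frame, queries[i]);
        printf("%-20s -> %s\n", queries[i],
               udp_dns_filter(frame, n) == XDP_PASS ? "XDP_PASS" : "XDP_DROP");
    }
    return 0;
}
```

In a real XDP program the same logic sits behind a SEC("xdp") entry point, bpf_map_lookup_elem() replaces zone_allowed(), and the verifier rejects the program unless the bounds checks written out by hand here are present; the kernel's enum xdp_action also has XDP_ABORTED, XDP_TX and XDP_REDIRECT, which this model does not need.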
  • 28. The TCP scrubber This is where I had to stop :( ➢ compare the packet's dst port and allow it only if it is: ➢ a SYN to a port that is allowed ➢ send and receive SYN cookies here ➢ part of an already existing connection, by examining its own db of tuples and the ones supplied by user space (other VMs)
  • 29. The TCP scrubber This is where I had to stop :( ➢ It should handle the SYN cookie for the servers behind it and replay the initial SYN if a correct SYN,ACK is received
  • 30. Testing the bastard I knew I was able to drop packets fast... But I needed proof ;) ➢ I had a talk with Jesper at Linux Plumbers 2019 ➢ He pointed me to his patched version of pktgen on GitHub :)
  • 31. Now... How to get from 10Gbps to 200Gbps?
  • 32. Now... How to get from 10Gbps to 200Gbps? ➢ Combining multiple VMs with ECMP ➢ I did that directly on the switch :)
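Slides 28 and 29 stop at the design. As an added example (not the talk's code), here is the SYN cookie arithmetic such a TCP scrubber needs: the cookie is the ISN placed in the SYN-ACK, and the client's ACK must validate against it with no per-connection state on the scrubber. The bit layout, the MSS table, the FNV-based keyed hash and the constructed secret are assumptions of this example; a production implementation would use SipHash, as the kernel's own syncookies do, and treat the secret like any other key material.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cookie layout (assumed for this example, modelled on the classic scheme):
 *   bits 31..27  5-bit minute counter      bits 26..24  MSS table index
 *   bits 23..0   keyed hash over the 4-tuple, the counter and the client ISN */
#define COOKIE_MAX_AGE 1   /* accept cookies minted this minute or the previous one */

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Keying material, constructed for the example; a real scrubber fills it from
 * getrandom() at start-up. */
static const uint64_t cookie_secret = 0x9e3779b97f4a7c15ULL;

/* MSS values that fit in the 3-bit field; the client's real MSS is rounded down. */
static const uint16_t mss_table[] = { 536, 1220, 1440, 1460 };

/* Keyed 24-bit hash (FNV-1a folded; SipHash is the production choice). */
static uint32_t cookie_hash(const struct flow *f, uint32_t count, uint32_t client_isn) {
    uint8_t in[20];
    memcpy(in, &f->saddr, 4);      memcpy(in + 4, &f->daddr, 4);
    memcpy(in + 8, &f->sport, 2);  memcpy(in + 10, &f->dport, 2);
    memcpy(in + 12, &count, 4);    memcpy(in + 16, &client_isn, 4);
    uint64_t h = 0xcbf29ce484222325ULL ^ cookie_secret;
    for (size_t i = 0; i < sizeof in; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    h ^= h >> 32; h ^= h >> 24;
    return (uint32_t)h & 0xFFFFFF;
}

/* Largest table entry not exceeding the MSS the client advertised in its SYN. */
static unsigned mss_index(uint16_t mss) {
    unsigned idx = 0;
    for (unsigned i = 0; i < sizeof mss_table / sizeof *mss_table; i++)
        if (mss_table[i] <= mss) idx = i;
    return idx;
}

/* ISN to send in the SYN-ACK. Nothing is stored: the cookie itself is the state. */
static uint32_t syncookie_make(const struct flow *f, uint32_t client_isn, uint16_t mss, uint32_t now_min) {
    uint32_t count = now_min & 0x1F;
    return (count << 27) | (mss_index(mss) << 24) | cookie_hash(f, count, client_isn);
}

/* Validate the cookie echoed in the client's ACK (cookie = ack_seq - 1,
 * client_isn = seq - 1). Returns 1 and the MSS to use toward the backend on
 * success, 0 for a stale, forged or mismatched cookie. */
static int syncookie_check(const struct flow *f, uint32_t client_isn, uint32_t cookie, uint32_t now_min, uint16_t *mss_out) {
    uint32_t count = cookie >> 27;
    uint32_t age = (now_min - count) & 0x1F;          /* modulo the 5-bit counter */
    if (age > COOKIE_MAX_AGE) return 0;               /* too old, or "from the future" */
    if ((cookie & 0xFFFFFF) != cookie_hash(f, count, client_isn)) return 0;
    unsigned idx = (cookie >> 24) & 7;
    if (idx >= sizeof mss_table / sizeof *mss_table) return 0;
    *mss_out = mss_table[idx];
    return 1;
}

int main(void) {
    struct flow f = { 0x0a000001u, 0xc0a80001u, 40000, 443 };   /* constructed 4-tuple */
    uint16_t mss = 0;
    uint32_t cookie = syncookie_make(&f, 123456789u, 1460, 5);
    printf("cookie %08x, valid now: %d (mss %u), valid 4 minutes later: %d\n", cookie,
           syncookie_check(&f, 123456789u, cookie, 5, &mss), mss,
           syncookie_check(&f, 123456789u, cookie, 9, &mss));
    return 0;
}
```

When the third handshake packet arrives, the scrubber calls syncookie_check() with ack_seq - 1 as the cookie and seq - 1 as the client ISN; on success it knows the 4-tuple and the MSS without ever having stored them, can open the connection toward the backend as slide 29 describes, and only then records the tuple in its connection table. A SYN flood therefore costs the scrubber one hash per SYN and no memory.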
  • 33. Links
  How to drop 10 million packets per second
  https://blog.cloudflare.com/how-to-drop-10-million-packets/
  https://github.com/cloudflare/cloudflare-blog/tree/master/2018-07-dropping-packets
  XDP tutorial
  https://github.com/xdp-project/xdp-tutorial
  More XDP materials:
  https://www.iovisor.org/technology/xdp
  Enhanced pktgen by Jesper
  https://github.com/netoptimizer/network-testing
  • 34. Links
  Linux tc and eBPF
  https://archive.fosdem.org/2016/schedule/event/ebpf/attachments/slides/1159/export/events/attachments/ebpf/slides/1159/ebpf.pdf
  man pages
  http://man7.org/linux/man-pages/man8/tc-bpf.8.html
  http://man7.org/linux/man-pages/man2/bpf.2.html
  SolarFlare AOE firmware development kit
  https://www.colfaxdirect.com/store/pc/viewPrd.asp?idproduct=1585
  Data Plane Development Kit
  https://www.dpdk.org/
  P4 Language Specification
  https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.pdf
  P4 meets DPDK
  https://www.dpdk.org/wp-content/uploads/sites/35/2017/09/DPDK-Userspace2017-Day2-12-SANDOR_LAKI-T4P4S.pdf