Analysis of the Security Posture of eBPF
A Distributed Denial of Service (DDoS) attack is a type of attack commonly used to try to bring down computer infrastructure. The attack involves a distributed set of computers sending network traffic to a victim. If enough computers send data to the victim, it may no longer be able to handle all the traffic sent to it. The result is that legitimate traffic is no longer properly handled by the victim because it is overloaded. An important metric here is how many incoming packets per second (pps) the machine can handle before it has to drop packets. Different packet processing strategies exist, each with their own pros and cons. This research aims to investigate whether eBPF/XDP can be used to mitigate incoming DDoS attacks in cloud environments.
Cloud is a popular term for servers that are managed by a third party. Businesses no longer have to worry about operating a small, local data center within their business. Instead, servers can be rented from a third party, and the third party is responsible for providing the server to the business that pays for the resource. A technique that is commonly used in combination with cloud is virtualization. Cloud operators provide virtualized environments to separate their customers and to assign their resources more efficiently.
Virtualized environments require special optimizations to provide optimal speed and throughput to the guest operating system (OS). One way to achieve this speed and throughput is through the use of VirtIO. VirtIO is a standard for network and disk drivers that are aware that they are virtualized. This method is also described as para-virtualization. By modifying the network and disk drivers and making them aware that they exist in a virtualized environment, higher speeds and throughput can be achieved.
When a program is running on a computer, it sometimes needs the hardware to perform an action. Examples are writing something to a storage medium or receiving a packet through a network interface. The Linux kernel is responsible for handling the requests that a program makes to the hardware. Hardware requests made by programs are called system calls. System calls put load on the system. If a program can run at kernel level and does not have to ask the kernel to interact with the hardware, more work can be done on the system in the same time frame. eBPF is the improved version of the classic Berkeley Packet Filter (cBPF). eBPF can be used to run programs at the kernel level without changing the source code of the (Linux) kernel, which makes it suitable for programs that require high performance. Running a program as an eBPF program performs better because the program runs at the kernel level and thus has access to the hardware without the need for an interrupt.

Running a program as an eBPF program is not sufficient on its own if the program also requires good packet processing performance. XDP is a technique that allows an eBPF program to perform high-speed packet processing. XDP adds a hook into the Network Interface Card (NIC) driver that redirects packets directly to the eBPF program as they are received on the NIC. Without XDP, packets would first have to go through the kernel before the eBPF program could interact with them.

With increasing DDoS attack sizes, infrastructure needs more packet processing capacity to be able to drop malicious traffic. eBPF in combination with XDP is a proven technique that enables a system to process multiple times the number of incoming packets compared to legacy packet processing techniques such as the Linux network stack.
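To make concrete what the XDP hook described above lets a filter do per packet, here is an added example that is not part of this paper: a verdict function that parses Ethernet/IPv4/UDP with the explicit length checks the BPF verifier demands, and drops a source once it exceeds a per-source packet count toward a protected UDP port. It is plain user-space C so it runs stand-alone; a real XDP program would be compiled for the bpf target, keep the counters in a BPF map and be attached to the NIC driver hook, and the port, limit and table size below are assumed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };  /* same values as the kernel's enum xdp_action */
#define PROTECTED_UDP_PORT 53  /* assumed: the UDP service being shielded */
#define PER_SOURCE_LIMIT   3   /* assumed: frames allowed per source before dropping */
#define TABLE_SIZE         64
/* Stand-in for the BPF hash map a real XDP filter would key by source address. */
struct src_entry { uint32_t saddr; uint32_t count; };
static struct src_entry table[TABLE_SIZE];
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Open addressing; a slot with count == 0 is free. NULL when full, so the caller fails open. */
static struct src_entry *lookup_or_insert(uint32_t saddr) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct src_entry *e = &table[(saddr + i) % TABLE_SIZE];
        if (e->count == 0 || e->saddr == saddr) { e->saddr = saddr; return e; }
    }
    return NULL;
}

/* Verdict for one frame. Every header read follows a length check, as the BPF verifier requires. */
int xdp_verdict(const uint8_t *data, size_t len) {
    if (len < 34 || be16(data + 12) != 0x0800) return XDP_PASS;            /* not IPv4 */
    const uint8_t *ip = data + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 8) return XDP_PASS;
    if (ip[9] != 17 || be16(ip + ihl + 2) != PROTECTED_UDP_PORT) return XDP_PASS;
    struct src_entry *e = lookup_or_insert(((uint32_t)be16(ip + 12) << 16) | be16(ip + 16));
    if (e == NULL) return XDP_PASS;                                         /* table full */
    return ++e->count > PER_SOURCE_LIMIT ? XDP_DROP : XDP_PASS;
}

/* Constructed 42-byte Ethernet/IPv4/UDP frame with the given source and destination port. */
size_t build_frame(uint8_t *buf, uint32_t saddr, uint16_t dport) {
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45; buf[23] = 17; /* IPv4, IHL 5, UDP */
    for (int i = 0; i < 4; i++) buf[26 + i] = (uint8_t)(saddr >> (24 - 8 * i));
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 42;
}

/* Sends n identical frames through a fresh table and returns how many were dropped. */
int count_drops(uint32_t saddr, uint16_t dport, int n) {
    uint8_t f[64]; int drops = 0;
    memset(table, 0, sizeof table);
    size_t len = build_frame(f, saddr, dport);
    for (int i = 0; i < n; i++) drops += (xdp_verdict(f, len) == XDP_DROP);
    return drops;
}
```

A frame that fails any length check is passed rather than read out of bounds, which is the property that lets the kernel safely run such code in the driver path.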
Meanwhile, organizations that provide computer infrastructure, such as Internet Service Providers (ISPs) and server providers, are increasingly moving to the cloud, which means a high degree of virtualization is being applied. Little work has yet investigated whether eBPF and XDP can be applied in cloud environments to mitigate an incoming DDoS attack targeted at virtual infrastructure. This research aims to investigate whether the technology is ready to be implemented and used in the real world.
The research aims to answer the question of whether eBPF and XDP can be applied to virtualized environments to provide more performance for repelling DDoS attacks. In the process of doing so, the following sub-questions will be answered.
- How can eBPF and XDP be utilized to create a cloud-oriented, open-source DDoS mitigation tool?
- How can this DDoS mitigation tool, built on eBPF and XDP, be designed to be compatible with the VirtIO drivers commonly used by cloud providers?
- How does the eBPF/XDP tool compare to current tools?
- What challenges and limitations must be addressed when designing and implementing such a cloud-focused tool?