Analysis of the Security Posture of eBPF
A DDoS attack is a type of attack commonly used by attackers to try to bring down computer infrastructure. In such an attack, a distributed set of computers sends network traffic to a victim. If enough computers send data to the victim, it may no longer be able to handle all the traffic sent to it. As a result, legitimate traffic is no longer handled properly because the victim is overloaded. An important metric here is how many incoming packets per second (pps) a machine can handle before it has to drop packets. Different packet processing strategies exist, each with its own pros and cons. This research investigates whether eBPF/XDP can be used to mitigate incoming DDoS attacks in cloud environments.
Cloud is a popular term for servers that are managed by a third party. Businesses no longer have to operate a small, local data centre on their own premises. Instead, servers can be rented from a third party, which is then responsible for providing the server to the business that pays for the resource. A technique commonly used in combination with cloud is virtualization: cloud operators provide virtualized environments to separate their customers from one another and to assign their resources more efficiently.
Virtualized environments need special optimizations to provide optimal speed and throughput to the guest operating system (OS). One way of achieving this is VirtIO, a standard for network and disk drivers that are aware that they are running virtualized. This approach is also described as para-virtualization. By modifying the network and disk drivers so that they know they exist in a virtualized environment, higher speeds and throughput can be achieved.
When a program is running on a computer, it sometimes has to perform actions on the hardware. Examples are writing something to a storage medium or receiving a packet through a network interface. The Linux kernel is responsible for handling the requests that a program makes to the hardware. Such hardware requests made by programs are called system calls, and system calls put load on the system. If a program can run at kernel level and does not have to ask the kernel to interact with the hardware, more work can be done on the system in the same time frame. eBPF is the improved version of the classic Berkeley Packet Filter (cBPF). eBPF can be used to run programs at the kernel level without changing the source code of the (Linux) kernel, which makes it suitable for programs that require high performance. Running a program as an eBPF program performs better because the program runs at the kernel level and thus has access to the hardware without the need for an interrupt. Running a program as an eBPF program is not sufficient on its own, however, if the program also requires good packet processing performance. XDP is a technique that allows an eBPF program to perform high-speed packet processing. XDP adds a hook into the Network Interface Card (NIC) driver that redirects packets to the eBPF program immediately as they are received on the NIC. Without XDP, packets would first have to pass through the kernel before the eBPF program could interact with them. With increasing DDoS attack sizes, infrastructure needs more packet processing capacity to be able to drop malicious traffic. eBPF in combination with XDP is a proven technique that enables a system to process several times the number of incoming packets compared to legacy packet processing techniques such as the regular Linux kernel network stack.
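As an added example (not code from this paper), the verdict logic such an XDP filter would run on every received frame, written as a plain C function so it compiles without the kernel headers; the protected port, the per-source packet limit and the array standing in for a BPF map are constructed assumptions, and in a real XDP program the same body would sit in a `SEC("xdp")` function taking its `data`/`data_end` pointers from `struct xdp_md`.

```c
#include <stdint.h>
#include <string.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as enum xdp_action in linux/bpf.h */
#define PROTECTED_PORT 53              /* constructed: the UDP service being shielded */
#define PER_SRC_LIMIT 3                /* constructed: packets allowed per source IPv4 */

/* Stand-in for a BPF_MAP_TYPE_HASH keyed by source address; a real XDP program
 * would call bpf_map_lookup_elem/bpf_map_update_elem on a map instead. */
struct src_entry { uint32_t saddr; uint32_t count; };
static struct src_entry src_table[64];

static uint32_t *count_for(uint32_t saddr) {
    for (size_t i = 0; i < 64; i++)
        if (src_table[i].saddr == saddr || src_table[i].saddr == 0) {
            src_table[i].saddr = saddr;
            return &src_table[i].count;
        }
    return NULL;                        /* table full */
}

/* Verdict for one frame in [data, data_end). Every read is bounds-checked
 * against data_end first, because the kernel's BPF verifier refuses to load an
 * XDP program that might read past it. Frames the filter cannot fully parse are
 * passed to the kernel stack, not dropped, so a parser gap cannot blackhole
 * legitimate traffic; only positively identified floods are dropped. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end) {
    if (data + 14 > data_end) return XDP_PASS;                    /* Ethernet header */
    if (((data[12] << 8) | data[13]) != 0x0800) return XDP_PASS;  /* not IPv4 */
    const uint8_t *ip = data + 14;
    if (ip + 20 > data_end) return XDP_PASS;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip + ihl > data_end || ip[9] != 17) return XDP_PASS; /* UDP only */
    const uint8_t *udp = ip + ihl;
    if (udp + 8 > data_end) return XDP_PASS;
    if (((udp[2] << 8) | udp[3]) != PROTECTED_PORT) return XDP_PASS;
    uint32_t saddr; memcpy(&saddr, ip + 12, 4);                   /* unaligned-safe read */
    uint32_t *cnt = count_for(saddr);
    if (cnt == NULL) return XDP_PASS;                             /* map full: fail open */
    return (++*cnt > PER_SRC_LIMIT) ? XDP_DROP : XDP_PASS;
}

/* Constructed 42-byte frame: Ethernet + IPv4 (IHL 5) + UDP header, no payload. */
size_t build_udp_frame(uint8_t *buf, uint32_t saddr, uint16_t dport) {
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45; buf[23] = 17;
    memcpy(buf + 26, &saddr, 4);      /* raw bytes; byte order is opaque to the filter */
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 42;
}
```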
Meanwhile, organizations that provide computer infrastructure, such as Internet Service Providers (ISPs) and server providers, are increasingly moving to the cloud, which means a high degree of virtualization is being applied. Not much work has been done yet on investigating whether eBPF and XDP can be applied in cloud environments to mitigate an incoming DDoS attack targeted at virtual infrastructure. This research aims to dive into this and investigate whether the technology is ready to be implemented and used in the real world.
The research aims to answer the question of whether eBPF and XDP can be applied in virtualized environments to provide more performance for repelling DDoS attacks. In the process of doing so, the following sub-questions will be answered.
- How can eBPF and XDP be utilized to create a cloud-oriented, open-source DDoS mitigation tool?
- How can this DDoS impact prevention tool, built on eBPF and XDP, be designed to be compatible with the VirtIO drivers commonly used by cloud providers?
- How does the eBPF/XDP tool compare against current tools?
- What challenges and limitations must be addressed when designing and implementing such a cloud-focused tool?