Mitigating DDoS attacks on virtualized environments using eBPF and XDP
A DDoS attack is a common method used by attackers to disrupt computer infrastructure. In such an attack, a distributed set of computers sends network traffic to a single victim. When enough computers participate in the attack, the victim may be overwhelmed by the incoming traffic and become unable to handle it. As a result, legitimate traffic is no longer properly processed because the victim is overloaded. A key metric in this context is how many incoming packets per second (pps) the system can handle before it starts dropping packets. Different packet processing strategies exist, each with its own advantages and disadvantages.
This research aimed to investigate whether eBPF/XDP can be used to mitigate incoming DDoS attacks in cloud environments.
Cloud Environments and Virtualization
Cloud computing refers to servers managed by a third party, which lets businesses rent resources instead of operating a local data center. The provider is responsible for managing and maintaining the servers for the paying customers. Virtualization is commonly used in cloud environments to isolate customers from one another and to allocate resources more efficiently.
Virtualized environments need specific optimizations to give the guest operating system (OS) good speed and throughput. One such optimization is VirtIO, a standard for network and disk drivers that are aware they run in a virtual machine. This technique, known as para-virtualization, improves speed and throughput by modifying the guest drivers to cooperate with the hypervisor instead of behaving as if they were talking to physical hardware.
eBPF and XDP for High-Performance Packet Processing
When a program runs on a computer, it often needs the hardware to do something, such as writing to a storage medium or receiving network packets. User-space programs request these operations from the Linux kernel through system calls. Each system call costs a switch into the kernel, which adds load and reduces overall performance.
eBPF, the extended Berkeley Packet Filter, allows programs to run inside the kernel without modifying the Linux kernel's source code. This improves performance because an eBPF program can act on hardware events such as packet arrival directly in the kernel, without the system-call round trips a user-space program would need.
However, running an eBPF program alone is insufficient for high-performance packet processing. XDP (eXpress Data Path) enhances eBPF by adding a hook into the Network Interface Card (NIC) driver. This allows packets to be processed directly by the eBPF program as soon as they are received by the NIC, bypassing the kernel’s network stack. This direct interaction significantly improves packet processing speed.
Relevance to DDoS Mitigation in Virtualized Environments
As DDoS attack sizes continue to grow, infrastructure must handle an increasing number of packets to drop malicious traffic effectively. eBPF combined with XDP is a proven technique that enables systems to process significantly more packets compared to traditional Linux kernel-based packet processing. Organizations providing infrastructure, such as Internet Service Providers (ISPs) and server providers, are increasingly adopting cloud environments, which involve a high degree of virtualization. However, limited research has been conducted on whether eBPF and XDP can be effectively applied to mitigate DDoS attacks in virtualized cloud environments.
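As an added example that is not part of the original research, the following stand-alone C program models the verdict an XDP program returns at the NIC-driver hook described above: it parses the Ethernet and IPv4 headers with the bounds checks the BPF verifier demands and drops packets from any source that exceeds a per-second packet budget, which is the kind of early drop the paragraph above relies on. The counter table, the PPS_LIMIT of 1000, the sample addresses and the now_sec parameter are constructed stand-ins; in a real XDP program the state would live in a BPF hash map and the time would come from bpf_ktime_get_ns().

```c
/* Added stand-alone model of an XDP drop decision (not the research's code).
 * Parses Ethernet + IPv4 with verifier-style bounds checks and drops a source
 * once it exceeds PPS_LIMIT packets in a second. The table stands in for a
 * BPF hash map; now_sec stands in for bpf_ktime_get_ns(). Values are constructed. */
#include <stdint.h>
#include <string.h>

enum { XDP_DROP = 1, XDP_PASS = 2 };        /* same numeric values as linux/bpf.h */
#define ETH_P_IP   0x0800
#define PPS_LIMIT  1000                     /* assumed per-source budget per second */
#define TABLE_SIZE 1024

struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip4_hdr { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
                 uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct counter { uint32_t saddr; uint64_t sec; uint32_t count; };

static struct counter table[TABLE_SIZE];    /* BPF_MAP_TYPE_HASH in a real program */
static uint16_t be16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Return the XDP verdict for one frame delimited by [data, data_end). */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end, uint64_t now_sec) {
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_PASS;   /* runt: let the stack decide */
    if (be16(eth->proto) != ETH_P_IP) return XDP_PASS;            /* only IPv4 is policed here */
    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_PASS;
    if ((ip->vhl >> 4) != 4) return XDP_DROP;                      /* bogus IP version field */
    struct counter *c = &table[ip->saddr % TABLE_SIZE];           /* colliding sources share a slot */
    if (c->saddr != ip->saddr || c->sec != now_sec) {             /* new source or new second */
        c->saddr = ip->saddr; c->sec = now_sec; c->count = 0;
    }
    return (++c->count > PPS_LIMIT) ? XDP_DROP : XDP_PASS;
}

/* Build a minimal Ethernet + IPv4 frame (no payload) for testing; returns its length. */
size_t build_frame(uint8_t *buf, uint32_t saddr) {
    struct eth_hdr eth = {0}; eth.proto = be16(ETH_P_IP);
    struct ip4_hdr ip = {0}; ip.vhl = 0x45; ip.ttl = 64; ip.proto = 17; ip.saddr = saddr;
    memcpy(buf, &eth, sizeof eth); memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;
}

/* Feed n frames from saddr during second `sec`; return the verdict for the last one. */
int burst_verdict(uint32_t saddr, int n, uint64_t sec) {
    uint8_t buf[64]; size_t len = build_frame(buf, saddr); int v = XDP_PASS;
    for (int i = 0; i < n; i++) v = xdp_verdict(buf, buf + len, sec);
    return v;
}
```

The same per-source counting is what a production filter would keep in a BPF map, so the pps ceiling of the box is set by how cheaply this verdict runs at the driver hook rather than by the kernel stack behind it.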
This research aimed to investigate whether eBPF and XDP are suitable for deployment in virtualized environments to enhance performance and mitigate DDoS attacks. Specifically, it explored whether the technology is ready for real-world implementation and practical use.