The Transmission Control Protocol (TCP) is one of the most important protocols in today’s Internet. It was designed to be extensible for various use cases. A client can propose to use an extension over a given TCP connection by sending a TCP option that identifies this extension. In practice, deploying a TCP extension is difficult as the maintainers of client stacks often wait until servers implement a given extension and server maintainers look at clients in the same manner. It often takes several years if not a decade to actually deploy a TCP option widely. Our goal is to support experimenting and deploying new TCP options in a quick, simple, and efficient way. This includes inserting new TCP options at the sender side and parsing them at the receiver side. The implementation and the interface should be simple, generic, and introduce as few changes to the kernel code as possible. In this paper, we focus on the Linux TCP stack since it is one of the most widely used TCP stacks, given its utilization on many servers and Android devices. For this purpose, we leverage the extended Berkeley Packet Filter (eBPF), which is a recently developed in-kernel infrastructure to enable high performance and safe programmability to the Linux kernel space.
Multipath TCP (MPTCP) is a major TCP extension that enables more capabilities and has richer semantics than regular TCP. We implemented a similar methodology in the Linux MPTCP stack to support new use-cases through custom MPTCP options. Moreover, an eBPF-based framework for user-defined path managers is also proposed, given that subflow management is an important task in Multipath TCP.
Although the softwarization of network infrastructures through the use of Software Defined Networking (SDN) and Network Function Virtualization (NFV) has set the foundations of future communication architectures, the efficient handling of high throughput traffic while maintaining latency requirements still remains a challenge. In this work, we explore two arising technologies that aim at reducing networking tasks’ latency while dealing with high levels of traffic volume, namely, Programming Protocol-independent Packet Processors (P4) and the extended Berkeley Packet Filter (eBPF). We present a review of the latest advances in the use of both technologies and we provide a discussion on their advantages and disadvantages. As the main contribution of the paper, we showcase an extensive performance evaluation of these technologies under different traffic conditions. To do so, we implement a fast traffic processing network function operating in a real 5G Stand Alone (SA) network. Obtained results confirm, as expected, the high performance attained using dedicated hardware programmed by P4, in contrast to the eBPF-based solution’s poorer results while handling similar throughputs. Nevertheless, eBPF allows packet-processing times similar to P4, therefore qualifying it as a perfectly scalable solution on commodity hardware even as a virtual function, which paves the way for the realization of autonomous, flexible and cost-effective next-generation network infrastructures.
Denial of service (DoS) attacks have increasingly exploited vulnerabilities in algorithms or implementation methods in application-layer programs. In this type of attack, called CPU-exhaustion DoS attack, a few well-crafted requests may consume a lot of server resources, which is essentially different from traditional volumetric DoS attacks. Due to the lack of recognizable patterns, the traditional network-layer defense mechanism is usually unable to detect such sophisticated DoS attacks. In this article, we propose Coda, a framework for detecting application-layer CPU-exhaustion DoS attacks in containers. Coda monitors the CPU time consumed by each connection and uses statistical methods to detect attacks. It traces system calls and other related information from the container based on Linux eBPF at the host level. Some specific system calls are used to indicate the establishment and closure of the connection, which in turn indicate the start/end of the request processing. After triggering these specific system calls, Coda starts/ends monitoring the CPU time consumed by a connection. An attack can be detected when the CPU time consumed by an attack connection is statistically different from that consumed by a legitimate connection. Coda has the following key advantages. First, it works with programs built in different programming languages. Second, it remains agnostic to the source code of protected programs. Third, it supports monitoring the container and is transparent to the container. Through evaluation of real-world attacks, we demonstrate that Coda can accurately detect ongoing application-layer CPU-exhaustion DoS attacks with low additional overhead.
Traditional network resident functions (e.g., firewalls, network address translation) and middleboxes (caches, load balancers) have moved from purpose-built appliances to software-based components. However, L2/L3 network functions (NFs) are being implemented on Network Function Virtualization (NFV) platforms that extensively exploit kernel-bypass technology. They often use DPDK for zero-copy delivery and high performance. On the other hand, L4/L7 middleboxes, which have a greater emphasis on functionality, take advantage of a full-fledged kernel-based system. L2/L3 NFs and L4/L7 middleboxes continue to be handled by distinct platforms on different nodes. This paper proposes MiddleNet that develops a unified network resident function framework that supports L2/L3 NFs and L4/L7 middleboxes. MiddleNet supports function chains that are essential in both NFV and middlebox environments. MiddleNet uses the Data Plane Development Kit (DPDK) library for zero-copy packet delivery without interrupt-based processing, to enable the 'bump-in-the-wire' L2/L3 processing performance required of NFV. To support L4/L7 middlebox functionality, MiddleNet utilizes a consolidated, kernel-based protocol stack for processing, avoiding a dedicated protocol stack for each function. MiddleNet fully exploits the event-driven capabilities of the extended Berkeley Packet Filter (eBPF) and seamlessly integrates it with shared memory for high-performance communication in L4/L7 middlebox function chains. The overheads for MiddleNet in L4/L7 are strictly load-proportional, without needing the dedicated CPU cores of DPDK-based approaches. MiddleNet supports flow-dependent packet processing by leveraging Single Root I/O Virtualization (SR-IOV) to dynamically select the packet processing needed (Layers 2-7). Our experimental results show that MiddleNet achieves high performance in such a unified environment.
Critical systems such as drone control or power grid control applications rely on embedded devices capable of a real-time response. While much research and advancements have been made to implement low-latency and real-time characteristics, the security aspect has been left aside. All current real-time operating systems available for industrial embedded devices are implemented in the C programming language, which makes them prone to memory safety issues. As a response to this, Tock, an innovative secure operating system for embedded devices written completely in Rust, has recently appeared. The only downside of Tock is that it lacks the low-latency real-time component. Therefore, the purpose of this research is to leverage the extended Berkeley Packet Filter technology used for efficient network traffic processing and to add the low-latency capability to Tock. The result is a secure low-latency operating system for embedded devices and microcontrollers capable of handling interrupts at latencies as low as 60 µs.
Automating Mitigation of Amplification Attacks in NFV Services Repetto, Matteo; Bruno, Gianmarco; Yusupov, Jalolliddin ...
IEEE eTransactions on network and service management, 2022-Sept., Volume 19, Issue 3. Journal Article. Peer-reviewed. Open access.
The combination of virtualization techniques with capillary computing and storage resources allows the instantiation of Virtual Network Functions throughout the network infrastructure, which brings more agility in the development and operation of network services. Besides forwarding and routing, this can also be used for additional functions, e.g., for security purposes. In this paper, we present a framework to systematically create security analytics for virtualized network services, specifically targeting the detection of cyber-attacks. Our framework largely automates the deployment of security sidecars into existing service templates and their interconnection to an external analytics platform. Notably, it leverages code augmentation techniques to dynamically inject and remove inspection probes without affecting service operation. We describe the implementation of a use case for the detection of DNS amplification attacks in virtualized 5G networks, and provide extensive evaluation of our innovative inspection and detection mechanisms. Our results demonstrate better efficiency with respect to existing network monitoring tools in terms of CPU usage, as well as good accuracy in detecting attacks even with variable traffic patterns.
Leveraging eBPF to Make TCP Path-Aware Jadin, Mathieu; De Coninck, Quentin; Navarre, Louis ...
IEEE eTransactions on network and service management, 2022-Sept., Volume 19, Issue 3. Journal Article. Peer-reviewed.
The Transmission Control Protocol (TCP) is one of the key Internet protocols. It is used by a broad range of applications. TCP was designed when there was typically a single path between a client and a server. Today's networks provide higher path diversity, yet TCP still only uses the single path selected by the network layer. This limits the ability of TCP to react to events such as interdomain failures or highly congested peering links. We propose the TCP Path Changer (TPC), a set of eBPF programs that are incorporated into the Linux TCP/IP stack to make it more agile. To illustrate the benefits of our approach, we first demonstrate that TPC can quickly reroute an ongoing TCP connection around a failure. We then show that TPC can also monitor the round-trip time of active TCP connections and automatically reroute them if it becomes too high. Our evaluation of TPC in emulated networks evidences the significant performance benefits of a path-aware transport protocol.
The growing interest in agentless and serverless environments for the implementation of virtual/container network functions makes monitoring and inspection of network services challenging tasks. A major requirement concerns the agility of deploying security agents at runtime, especially to effectively address emerging and advanced attack patterns. This work investigates a framework leveraging the extended Berkeley Packet Filter to create ad-hoc security layers in virtualized architectures without the need to embed additional agents. To prove the effectiveness of the approach, we focus on the detection of network covert channels, i.e., hidden/parasitic network conversations difficult to spot with legacy mechanisms. Experimental results demonstrate that different types of covert channels can be revealed with good accuracy while using limited resources compared to existing cybersecurity tools (i.e., Zeek and libpcap).