Automating Mitigation of Amplification Attacks in NFV Services
Repetto, Matteo; Bruno, Gianmarco; Yusupov, Jalolliddin ...
IEEE eTransactions on network and service management, 2022-Sept., 2022-9-00, 20220901, Volume: 19, Issue: 3
Journal Article
Peer-reviewed
Open access
The combination of virtualization techniques with capillary computing and storage resources allows the instantiation of Virtual Network Functions throughout the network infrastructure, which brings more agility in the development and operation of network services. Besides forwarding and routing, this can also be used for additional functions, e.g., for security purposes. In this paper, we present a framework to systematically create security analytics for virtualized network services, specifically targeting the detection of cyber-attacks. Our framework largely automates the deployment of security sidecars into existing service templates and their interconnection to an external analytics platform. Notably, it leverages code augmentation techniques to dynamically inject and remove inspection probes without affecting service operation. We describe the implementation of a use case for the detection of DNS amplification attacks in virtualized 5G networks, and provide an extensive evaluation of our innovative inspection and detection mechanisms. Our results demonstrate better efficiency with respect to existing network monitoring tools in terms of CPU usage, as well as good accuracy in detecting attacks even with variable traffic patterns.
Leveraging eBPF to Make TCP Path-Aware
Jadin, Mathieu; De Coninck, Quentin; Navarre, Louis ...
IEEE eTransactions on network and service management, 2022-Sept., 2022-9-00, 20220901, Volume: 19, Issue: 3
Journal Article
Peer-reviewed
The Transmission Control Protocol (TCP) is one of the key Internet protocols. It is used by a broad range of applications. TCP was designed when there was typically a single path between a client and a server. Today's networks provide higher path diversity, yet TCP still only uses the single path selected by the network layer. This limits the ability of TCP to react to events such as interdomain failures or highly congested peering links. We propose the TCP Path Changer (TPC), a set of eBPF programs that are incorporated into the Linux TCP/IP stack to make it more agile. To illustrate the benefits of our approach, we first demonstrate that TPC can quickly reroute an ongoing TCP connection around a failure. We then show that TPC can also monitor the round-trip time of active TCP connections and automatically reroute them if it becomes too high. Our evaluation of TPC in emulated networks demonstrates the significant performance benefits of a path-aware transport protocol.
The growing interest in agentless and serverless environments for the implementation of virtual/container network functions makes monitoring and inspection of network services challenging tasks. A major requirement concerns the agility of deploying security agents at runtime, especially to effectively address emerging and advanced attack patterns. This work investigates a framework leveraging the extended Berkeley Packet Filter to create ad-hoc security layers in virtualized architectures without the need to embed additional agents. To prove the effectiveness of the approach, we focus on the detection of network covert channels, i.e., hidden/parasitic network conversations that are difficult to spot with legacy mechanisms. Experimental results demonstrate that different types of covert channels can be revealed with good accuracy while using limited resources compared to existing cybersecurity tools (i.e., Zeek and libpcap).
Telco stakeholders are developing a deeper understanding of cloud native technologies and adopting them faster than a few years ago. It is undeniable that migrating legacy telco applications to microservice-based architectures accelerates and facilitates the development of new network services while offering a high level of granularity. However, cloud native raises new operational challenges. In order to achieve efficient management of network services, new solutions are required to monitor and track widely distributed cloud native network functions while considering their specificity. In this paper, we propose an innovative framework, 5GC-Observer, for the observability of cloud native 5G network services. To the best of our knowledge, no such solution has been found to date. To achieve its goal, 5GC-Observer relies on the eBPF technology to monitor the network traffic circulating between the 5G core components and report telemetry data. Besides, we leverage a statistical method to detect Quality of Service degradation based on the reported telemetry data. Such an approach highlights the richness of the data acquired by our solution and its capability to detect unexpected network-related anomalies, which are not detectable through standard observability solutions. Performance evaluation shows that our solution generates low overhead while giving insight into the 5G core system and its internal and external exchanges.
By softwarizing the legacy network functions, Network Function Virtualization (NFV) allows rapid development and deployment of network services as well as simplicity and flexibility in network operations and management. Monitoring the performance characteristics of Virtual Network Functions (VNFs), particularly packet processing time, is important to ensure that VNFs are operating correctly with the desired performance. This is especially crucial for low-latency network services. In this paper, we present Packet Processing Time Monitoring (PPTMon), a real-time, fine-grained, and end-to-end solution for VNF packet processing time monitoring. PPTMon can provide per-hop monitoring for a single VNF as well as end-to-end monitoring for multiple VNFs in a service function chain. PPTMon allows monitoring in both sampling and continuous fashions. Continuously monitoring every packet may greatly degrade the performance of the VNFs and generate a huge amount of monitoring data. PPTMon's event-filtering algorithm effectively filters out non-important data and reduces the performance overhead. PPTMon processes packets in-stack by embedding timestamp information directly into the packets, thus further reducing the effect on VNF performance. PPTMon is implemented on top of the extended Berkeley Packet Filter (eBPF), a Linux framework that allows high-speed packet processing. Our experimental results show that PPTMon can monitor VNF packet processing time with high accuracy and low impact on performance.
eBPF is widely used at Microsoft, Google, and Facebook because it can extend the kernel without modifying the kernel source code. Nevertheless, vulnerabilities in a kernel with eBPF affect the stability and security of the information system. Fuzzing has proven to be an effective approach for finding kernel bugs since it requires minimal knowledge about the target. However, two main challenges exist in discovering eBPF logical bugs: generating input that satisfies all eBPF instruction semantic requirements, and detecting the eBPF logical bug states. To address the first challenge, we remove highly semantically demanding and unnecessary instructions by analyzing the impact of the instructions, which yields a higher verification pass rate. To address the second challenge, we develop a bound-violation indicator based on our analysis of eBPF logical bug patterns. We manually introduce 10 recently fixed logical bugs in eBPF for evaluation, and the experimental results show that we can effectively find 9 of them, while Syzkaller fails on all of them. In addition, 4 new bugs have been fixed for upstream Linux based on our work, and 3 functional issues have been reported.
Telco players are accelerating their adoption of cloud native technologies. Indeed, the migration of traditional communications applications to microservice-based architectures will facilitate the development of new network services while providing a high level of granularity. However, cloud native comes with new operational challenges. Indeed, effective network service management requires novel solutions for fine-grained monitoring and tracking of widely distributed cloud native network functions. In this paper, we put forward 5GC-Observer, our proposed framework for the observability of cloud native 5G network services. 5GC-Observer leverages the eBPF technology to track network traffic circulating between 5G network functions and report telemetry data. This demo makes use of our open-source platform, Towards5GS, to implement a real cloud native 5G network on top of Kubernetes. Finally, we develop a statistical technique which leverages the collected telemetry data to detect 5G end-users' Quality of Service degradation, based on real access network information collected from Orange's gNB (gNodeB) located at Paris-Orly airport.
The heterogeneous requirements imposed by different vertical businesses have motivated a networking paradigm shift in the next generation of mobile networks (beyond 5G and 6G), leading to critical operational competitiveness through improved productivity, performance and efficiency. Furthermore, with the global digital revolution, such as Industry 4.0, and a connected world, network virtualisation together with high reliability and high performance communications have become crucial elements for mobile network operators. To minimise the negative effects that could affect critical services, network slicing is widely recognised as a key technology with the objective of meeting the Service-Level Agreements (SLAs) and Key Performance Indicators (KPIs) in future 6G networks. In this context, it is essential to introduce a programmable data plane able to enforce flexible Quality of Service (QoS) commitments, while providing high-performance packet processing and real-time monitoring capabilities. To this end, this paper is focused on designing, prototyping and evaluating a novel framework that leverages a set of hardware-based technologies including eXpress Data Path (XDP), extended Berkeley Packet Filter (eBPF) and Smart Network Interface Cards (SmartNICs) to offload network functionality with the objective of providing high-performance pre-6G front-, mid- and back-haul network communications and thus decreasing the overhead incurred by the Linux Kernel. The proposed solution is implemented by bypassing the Linux Kernel and accelerating the communication, while providing network slice control and real-time monitoring capabilities. The main aim of this framework is to ensure network communications in forthcoming 6G infrastructures by guaranteeing 6G KPIs and avoiding system overload. The empirical validation of this solution for Industry 4.0 services as an example use case demonstrates key performance improvements in terms of packet processing as high as about 25 Gbps, 20M packets per second, 0% packet loss, 0.1 ms of latency and less than 10% load on the CPUs.
Modern computers’ network interface cards (NICs) are undergoing changes in order to handle greater data rates and assist with scaling problems caused by general-purpose CPU technology. The inclusion of programmable accelerators in the NIC’s data channel is one of the ongoing improvements that is particularly intriguing, since it gives the accelerator the chance to take on a portion of the CPU’s network packet processing duties. Accelerators are frequently developed using platforms like field-programmable gate arrays (FPGAs) because packet processing operations have severe latency requirements. When implementing packet processing activities on FPGAs, the gain in throughput is the number of data packets successfully sent per second, and the gain in latency is the actual time those packets take. However, due to their restricted resources, the programmable logic may need to be shared among a variety of applications. We provide hXDP, a software solution for FPGAs that targets the Linux eXpress Data Path and performs packet processing functions expressed with the eBPF technology. While maintaining performance on par with top-tier CPUs, hXDP only uses a tiny portion of the field programmable gate array, a semiconductor device built around a matrix of configurable logic blocks (CLBs) connected over programmable interconnects. We demonstrate that, when targeting a purpose-built FPGA architecture, many extended Berkeley packet filter (eBPF) instructions, which let programmers use Berkeley packet filter byte code that makes use of certain kernel resources and an instruction set architecture, can be collocated and even eliminated, with considerable gains in productivity and effectiveness. On an FPGA NIC, we implement hXDP and test its effectiveness using authentic eBPF programmes from the real world. Our version consumes 15% of the FPGA resources and operates at 156.25 MHz. This can constantly change and lead to the identification, inspection, extraction, and manipulation of packets so that a network may make more intelligent management decisions.
While container adoption has witnessed significant growth in facilitating the operation of large-scale applications, this increased attention has also attracted adversaries who exploit numerous vulnerabilities present in contemporary containers. Unfortunately, existing security solutions have largely overlooked the need to restrict container access to the shared host kernel, exhibiting critical limitations in particular when enforcing least privilege for containers during runtime. Hence, we propose Optimus, an automated and comprehensive system that confines container operations and governs their interactions with the host kernel using association-based system call filtering. Optimus efficiently identifies the essential system calls required by containers and enhances their security posture by dynamically enforcing the minimal set of system calls for each container during runtime. This is achieved through (1) lightweight system call monitoring leveraging eBPF, (2) system call validation via association analysis, and (3) dynamic system call filtering by adopting covert container renewal. Our evaluation shows that Optimus effectively minimizes the necessary system calls for containers while maintaining their serviceability and operational efficiency during runtime.