Toward efficient DDoS detection with eBPF

In today’s Internet, IT security is a key component that faces new challenges every day to secure its services. In this regard, network monitoring represents the main point to be able to detect cyber attacks, and, in today’s network infrastructure it is increasingly implemented thanks to NFV (Network Function Virtualization) technology where network services are implemented in pure software. This brings several advantages such as flexibility and cost reduction as these functions can be performed on general purpose hardware. In this context, eBPF (Extended Berkeley Packet Filter) is an excellent technology, suitable for creating network functions for fast packet processing in the Linux kernel. This thesis work was born with the intention of analyzing the advantages, disadvantages and limitations of having a network monitoring using eBPF when it is used to provide the necessary information to a detection algorithm of DDoS attacks, called Lucid. Lucid is able to detect DDoS attacks through Deep Learning techniques, adapted for environments with limited resources. Network monitoring was done using two frameworks that integrate seamlessly with Lucid. The first is Polycube, an open-source project developed at the Politecnico di Torino, which allows the creation of extremely fast network monitoring programs. The second is DeChainy, an open-source framework for creating and distributing network monitoring probes in eBPF. During the thesis work, a number of tests were carried out aimed at obtaining all the information necessary to understand the limits in having a detection algorithm that runs on a single machine, responsible for both the security and forwarding traffic to end users. In addition, we considered creating a distributed version of the attack detection system, where the single instance of detection runs on multiple machines simultaneously, in a parallel way, potentially allowing for resource savings and an increase in attack detection speed.