University of Twente Student Theses


Signature-Based DDoS Attack Mitigation: Automated Generating Rules for Extended Berkeley Packet Filter and Express Data Path

Wieren, H.D. van (2019) Signature-Based DDoS Attack Mitigation: Automated Generating Rules for Extended Berkeley Packet Filter and Express Data Path.

Abstract:Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt a target's service by overwhelming it with network packets. DDoS attacks are continuously growing in size and diversity. In 2018, Netscout reported a peak attack of 1.7 Tbps [1], and Akamai's 2018 annual report [2] states that such peaks are still growing, with an increasing growth curve. The memcached amplification attacks seen at the beginning of 2018 are one example of attackers still finding new ways to perform DDoS attacks. Cloudflare is one of the biggest vendors on the market providing solutions to defend against DDoS attacks. Their defence methods include filtering malicious packets with rules generated from attack signatures. The extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) form an important part of those defence methods. With their ability to filter packets at very high speed, eBPF and XDP have shown in existing solutions that they can be effective in the fight against DDoS attacks: malicious packets are dropped based on rules specified inside the eBPF program. Studies show that eBPF and XDP can drop packets at higher rates than earlier tools. However, those studies only show this with plain packets and not in the case of an actual DDoS attack. Although eBPF and XDP are open source, the tools cannot directly be used to mitigate DDoS attacks. In practice a network operator has to know how to use these tools and what the implications of different scenarios are. Therefore, the overall goal of this study is to research how to use eBPF and XDP to mitigate DDoS attacks and how effective the tools can be. This study proposes a DDoS mitigation system built on eBPF and XDP. With this system a network operator is able to drop attack packets with up to 100% accuracy when deeper packet layers are considered.
The XDP filter allows higher packet processing speeds than an iptables filter with the same rules. The contribution of this study is two-fold: it adds new scientific findings on which further studies can build, and the system can be put into practice by network operators in real network environments.
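The filter the abstract describes, dropping packets that match a rule list inside the XDP program, as an added C model that is not the thesis's code: the parsing and bounds-check structure is the one a loadable XDP program needs (every load is checked against data_end before it happens, or the BPF verifier rejects the program), but it is compiled as ordinary userspace C against constructed frames so it can be run without a kernel. The rule table (UDP source ports 11211 and 19, the memcached and chargen amplification reflections), the frame builder and the sample payload are assumptions made for this example; in a real XDP program data and data_end come from struct xdp_md and the verdict codes from <linux/bpf.h>.

```c
/* Added illustrative model of a signature-based XDP drop filter (not the thesis's code).
 * Userspace C: same parsing and bounds-check pattern as an XDP program, run on
 * constructed frames so it needs no kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* XDP verdict codes; numeric values match enum xdp_action in <linux/bpf.h>. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_UDP   17

/* Hypothetical signature: IP protocol plus UDP source port (0 = any port). */
struct signature { uint8_t proto; uint16_t src_port; };

/* Assumed rule table, as a rule generator might emit it from attack signatures. */
static const struct signature rules[] = {
    { IP_PROTO_UDP, 11211 },   /* memcached amplification reflections */
    { IP_PROTO_UDP, 19 },      /* chargen amplification reflections */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns an XDP verdict for the frame held in [data, data_end). Every access is
 * preceded by a bounds check against data_end, exactly as the verifier demands;
 * anything the filter cannot parse is passed, never dropped. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end)
{
    const uint8_t *eth = data;
    if (eth + 14 > data_end) return XDP_PASS;
    if (be16(eth + 12) != ETHERTYPE_IPV4) return XDP_PASS;   /* IPv4 rules only */

    const uint8_t *ip = eth + 14;
    if (ip + 20 > data_end) return XDP_PASS;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                 /* header length with options */
    if (ihl < 20 || ip + ihl > data_end) return XDP_PASS;
    if ((be16(ip + 6) & 0x1fff) != 0) return XDP_PASS;      /* non-first fragment: no UDP header */
    uint8_t proto = ip[9];
    if (proto != IP_PROTO_UDP) return XDP_PASS;

    const uint8_t *udp = ip + ihl;
    if (udp + 8 > data_end) return XDP_PASS;
    uint16_t sport = be16(udp);

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].proto == proto &&
            (rules[i].src_port == 0 || rules[i].src_port == sport))
            return XDP_DROP;
    return XDP_PASS;
}

/* Builds a minimal constructed Ethernet/IPv4/UDP frame (checksums left zero; the
 * filter never reads them). Returns the frame length. */
size_t build_udp_frame(uint8_t *buf, uint16_t sport, uint16_t dport,
                       const uint8_t *payload, size_t plen)
{
    memset(buf, 0, 14 + 20 + 8 + plen);
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                         /* version 4, IHL 5 */
    uint16_t tot = (uint16_t)(20 + 8 + plen);
    ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot;
    ip[8] = 64; ip[9] = IP_PROTO_UDP;
    uint8_t *udp = ip + 20;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    uint16_t ulen = (uint16_t)(8 + plen);
    udp[4] = (uint8_t)(ulen >> 8); udp[5] = (uint8_t)ulen;
    memcpy(udp + 8, payload, plen);
    return 14 + 20 + 8 + plen;
}

/* Verdict for a complete constructed UDP frame with the given ports. */
int verdict_for_udp(uint16_t sport, uint16_t dport)
{
    uint8_t frame[128];
    static const uint8_t payload[] = "STAT pid 1\r\n";   /* constructed sample payload */
    size_t len = build_udp_frame(frame, sport, dport, payload, sizeof payload - 1);
    return xdp_verdict(frame, frame + len);
}

/* Edge case: a frame cut off inside the UDP header. The bounds check stops the
 * filter before it reads the source port, so the packet is passed, not dropped. */
int verdict_for_truncated(void)
{
    uint8_t frame[128];
    build_udp_frame(frame, 11211, 40000, (const uint8_t *)"x", 1);
    return xdp_verdict(frame, frame + 40);   /* 14 + 20 + 6 bytes: UDP header incomplete */
}

int main(void)
{
    printf("memcached reflection (sport 11211): %s\n",
           verdict_for_udp(11211, 40000) == XDP_DROP ? "DROP" : "PASS");
    printf("DNS reply (sport 53): %s\n",
           verdict_for_udp(53, 40000) == XDP_DROP ? "DROP" : "PASS");
    printf("truncated frame: %s\n",
           verdict_for_truncated() == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
```

Porting this to a real XDP program means replacing the pointer arguments with the data and data_end fields of struct xdp_md, keeping the checks in the same order (the verifier tracks each comparison and rejects any load it cannot prove in bounds), and attaching the object with ip link set dev ... xdp obj. The pass-on-unparseable choice is deliberate: a signature filter that dropped on parse failure would turn any oddly shaped legitimate packet into collateral damage.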
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)