kernel https tcp ip stack for http ddos mitigation
play

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander - PowerPoint PPT Presentation

May 27, 2023 •245 likes •740 views

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com Who am I? CEO & CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW open source Linux Application

  1. Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com

  2. Who am I? CEO & CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW – open source Linux Application Delivery Controller (ADC) Custom software development in: ● high performance network traffic processing e.g. WAF mentioned in Gartner magic quadrant ● Databases e.g. MariaDB SQL System Versioning https://github.com/tempesta-tech/mariadb_10.2 https://m17.mariadb.com/session/technical-preview-temporal-queryi ng-asof

  3. HTTPS challenges HTTP(S) is a core protocol for the Internet (IoT, SaaS, Social networks etc.) HTTP(S) DDoS is tricky ● Asymmetric DDoS (compression, TLS handshake etc.) ● A lot of IP addresses with low traffic ● Machine learning is used for clustering ● How to filter out all HTTP requests with ? 8 0 “ H o s t : w w w . e x a m p l e . c o m : ” ● "Lessons From Defending The Indefensible": https://www.youtube.com/watch?v=pCVTEx1ouyk

  4. TCP stream filter IPtables strings , BPF ● HTTP headers can cross packet bounds ● Scan large URI or Cookie for Host value? Web accelerator ● aren’t designed (suitable) for HTTP filtering

  5. IPS vs HTTP DDoS e.g. Suricata, has powerful rules syntax at L3-L7 Not a TCP end point => evasions are possible SSL/TLS SSL terminator is required => many data copies & context switches or double SSL processing (at IDS & at Web server) Double HTTP parsing Doesn’t improve Web server peroformance (mitigation != prevention)

  6. Interbreed an HTTP accelerator and a firewall TCP & TLS end point Very fast HTTP parser to process HTTP floods Network I/O optimized for massive ingress traffic Advanced filtering abilities at all network layers Very fast Web cache to mitigate DDoS which we can’t filter out ● ML takes some time for bots clusterization

  7. Application Delivery Controller (ADC)

  8. Application layer DDoS Service from Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban : write to the log, parse the log, write to the log, parse the log…

  9. Application layer DDoS Service from Cache Rate limit Nginx 22us 23us (Additional logic in limiting module) Fail2Ban : write to the log , parse the log , write to the log , parse the log … - really in 21th century?! tight integration of Web accelerator and a firewall is needed

  10. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering etc.

  11. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc.

  12. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K

  13. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of ' ? CASES! G E T / H T T P / 1 . 0 \ n \ n '

  14. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of ' ? CASES! G E T / H T T P / 1 . 0 \ n \ n ' Kernel-mode Web-accelerators : TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB

  15. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of ' ? CASES! G E T / H T T P / 1 . 0 \ n \ n ' Kernel-mode Web-accelerators : TUX, kHTTPd ● basically the same sockets and threads ● zero-copy → sendfile(), lazy TLB => not needed

  16. Web-accelerator capabilities Nginx, Varnish, Apache Traffic Server, Squid, Apache HTTPD etc. ● cache static Web-content ● load balancing ● rewrite URLs, ACL, Geo, filtering? etc. ● C10K – is it a problem for bot-net? SSL? CORNER ● what about tons of ' ? CASES! G E T / H T T P / 1 . 0 \ n \ n ' Kernel-mode Web-accelerators : TUX, kHTTPd NEED AGAIN ● basically the same sockets and threads TO MITIGATE ● zero-copy → sendfile(), lazy TLB => not needed HTTPS DDOS

  17. Web-accelerators are slow: SSL/TLS copying User-kernel space copying ● Copy network data to user space ● Encrypt/decrypt it ● Copy the date to kernel for transmission Kernel-mode TLS ● Facebook,RedHat: https://lwn.net/Articles/666509/ ● Netflix: https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf ● TLS handshake is still an issue

  18. Web-accelerators are slow: profile % symbol name 1.5719 ngx_http_parse_header_line 1.0303 ngx_vslprintf 0.6401 memcpy 0.5807 recv 0.5156 ngx_linux_sendfile_chain 0.4990 ngx_http_limit_req_handler => flat profile

  19. Web-accelerators are slow: syscalls epoll_wait (.., {{EPOLLIN, ....}},...) recvfrom (3, "GET / HTTP/1.1\r\nHost:...", ...) write (1, “...limiting requests, excess...", ...) writev (3, "HTTP/1.1 503 Service...", ...) sendfile (3,..., 383) recvfrom (3, ...) = -1 EAGAIN epoll_wait (.., {{EPOLLIN, ....}}, ...) recvfrom (3, "", 1024, 0, NULL, NULL) = 0 close (3)

  20. Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }

  21. Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 <= set state } case 2: ... } ... }

  22. Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... <= jump to while }

  23. Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { <= check state case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... } ... }

  24. Web-accelerators are slow: HTTP parser Start: state = 1, *str_ptr = 'b' while (++str_ptr) { switch (state) { case 1: switch (*str_ptr) { case 'a': ... state = 1 case 'b': ... state = 2 } case 2: ... <= do something } ... }

  25. Web-accelerators are slow: HTTP parser

  26. Web-accelerators are slow: strings We have AVX2, but GLIBC doesn’t still use it HTTP strings are special: ● No ‘\0’ -terminatin (if you’re zero-copy) ● Special delimiters ( ‘:’ or CRLF ) ● strcasecmp() : no need case conversion for one string ● strspn() : limited number of accepted alphabets switch() -driven FSM is even worse

  27. Fast HTTP parser http://natsys-lab.blogspot.ru/2014/11/the-fast-finite-state-machine-for- http.html ● 1.6-1.8 times faster than Nginx’s HTTP optimized AVX2 strings processing: http://natsys-lab.blogspot.ru/2016/10/http-strings-processing-using-c- sse42.html ● ~1KB strings: ~x3 faster than GLIBC’s ● s t r n c a s e c m p ( ) ● URI matching ~x6 faster than GLIBC’s s t r s p n ( ) / k for whole softirq shot ● k e r n e l _ f p u _ b e g i n ( ) e r n e l _ f p u _ e n d ( )

  28. Web-accelerators are slow: async I/O

  29. Web-accelerators are slow: async I/O

  30. Web-accelerators are slow: async I/O

  31. Web-accelerators are slow: async I/O Web cache also resides In CPU caches and evicts requests

  32. HTTPS/TCP/IP stack Alternative to user space TCP/IP stacks HTTPS is built into TCP/IP stack Kernel TLS (fork from mbedTLS) – no copying ( 1 human month to port TLS to kernel!) HTTP firewall plus to IPtables and Socket filter Very f ast HTTP parser and strings processing using AVX2 Cache conscious in-memory Web-cache for DDoS mitigation TODO HTTP QoS for asymmetric DDoS mitigation DSL for multi-layer filter rules

  33. Tempesta FW

  34. TODO: HTTP QoS for asymmetric DDoS mitigation https://github.com/tempesta-tech/tempesta/issues/488 “Web2K: Bringing QoS to Web Servers” by Preeti Bhoj et al. Local stress : packet drops, queues overrun, response latency etc ( kernel : cheap statistics for asymmetric DDoS) Upsream stress : r , response time etc. e q _ n u m / r e s p _ n u m Static QoS rules per vhost: HTTP RPS, integration w/ Qdisc - TBD Actions: reduce TCP window, don’t accept new connections, close existing connections

  35. Synchronous sockets: HTTPS/TCP/IP stack Socket callbacks call TLS and HTTP processing Everything is processing in softirq (while the data is hot) No receive & accept queues No file descriptors Less locking

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&amp;D division of Nexusguard building next

764 views • 44 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&amp;A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS &quot;I am getting DoSd&quot; 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to

Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to

Founded in 1998, Staminus Communications provides revolutionary DDoS mitigation services to millions of users and thousands of companies around the globe. Powered by an ever-expanding global network dedicated to DDoS mitigation and multiple

576 views • 9 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos &amp; https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees

Kernel Exploitation via Uninitialized Stack http://people.canonical.com/~kees/defcon19/ Kees Cook kees.cook@canonical.com www.canonical.com DefCon 19, August 2011 20 Minutes! introduction quick Linux kernel exploitation basics

549 views • 31 slides
PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why

PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why

PennREN DDoS Mitigation Service Technical Overview Zach Bare Network Engineer Agenda Why use the DDoS Mitigation Service What the service does not do (currently) Understanding traffic flow PennREN member requirements Activating traffic

389 views • 18 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees

DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees

DDOS MITIGATION EXPERIENCE 01. About IP ServerOne Founded in 2003 About 52 Employees IP ServerOne Managing over 4500 physical servers Total 150 Racks in 5 data centers across Malaysia and Singapore Contributing 10% of

479 views • 35 slides
A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure Cristian Hesselman 1 , Jeroen van der Ham 2 , Roland van Rijswijk 3 , Jair Santanna 2 , Aiko Pras 2 1) SIDN Labs, 2) University of Twente, 3) SURFnet

463 views • 10 slides
Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong

Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong

Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong Sungkyunkwan University (SKKU) Source: Gyusun Lee et al., Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs, USENIX

672 views • 48 slides
IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and security) (Chapters 21) Key Questions Popular web servers? What does a web server do? How can I control it? URL re-writing /

374 views • 8 slides
Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache Hadoop PMC Member Mapred2010 Dec 1 1 Agenda Introduction A New World Record How to Compute The n th Bits of ? Computing with

759 views • 52 slides
BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun,

BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun,

BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun, Zach Hanif Bringing data science to cyber security, allowing you to sense, analyze and act in

804 views • 44 slides
Apache NiFi Better Analytics Demand Better Dataflow Presented by: Joe Witt Apache NiFi PPMC

Apache NiFi Better Analytics Demand Better Dataflow Presented by: Joe Witt Apache NiFi PPMC

Apache NiFi Better Analytics Demand Better Dataflow Presented by: Joe Witt Apache NiFi PPMC Member Apache NiFis job: Enterprise Dataflow Management Automate the flow of data from any source to systems which extract meaning and insight

1.45k views • 18 slides
Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami Michael Stepankin

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami Michael Stepankin

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami Michael Stepankin Security Researcher @ Veracode Web app breaker Works on making Dynamic and Static Code Analysis smarter Penetration tester in the

518 views • 41 slides
Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt

Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt

Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt Publishing, 2016. July 9, 2019 (Dr. Mihail ) Intro Big Data July 9, 2019 1 / 8 Apache Spark Why Hadoop and MapReduce have been around for 10 years and

443 views • 9 slides
New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai

New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai

New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai Li Computer Science and Engineering Department University of Texas at Arlington (UTA) European Software Engineering Conference / ACM SIGSOFT

727 views • 19 slides
CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed

CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed

CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API HAPPY EQUATOR DAY! Housekeeping Lab 4 (mini-project): due Sunday night Lab 5: due

611 views • 31 slides

More recommend