suricata and xdp performance with a s like security
play

Suricata and XDP , Performance with a S like Security . Leblond - PowerPoint PPT Presentation

Sep 29, 2023 •176 likes •786 views

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

  1. Suricata and XDP , Performance with a S like Security É. Leblond OISF Nov. 29, 2018 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43

  2. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43

  3. Who am I? Éric Leblond Stamus Networks co-founder Editor of a threat hunting solution including Suricata based appliances Netfilter core team member Really low personal activity nowadays eleblond@oisf.net Long time member of OISF Suricata developer In charge of packet acquisition 1118 commits since 2010 (I like small patches) É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 2 / 43

  4. About the journey Adding bypass feature to Suricata 2 years of development to see less and get more done Using kick ass technologies before their documentation has been written. Figure: Summary of talk objectives É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 3 / 43

  5. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 3 / 43

  6. What it is not ? https://twitter.com/randomuserid/status/1012474246503845888 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 4 / 43

  7. A signature based IDS Key points From individual datagram to detection GPLv2 Get packet per packet Owned by OISF foundation Reconstruct to application layer 10 years old Run detection engine Scalability via multithreading Written in C and Rust Example signature É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 5 / 43

  8. Suricata NSM features Supported protocols Protocol analysis: http, ftp, smtp, tls, ssh smb, dcerpc, dns, nfs, ntp, ftp-data, tftp, ikev2, krb5, dhcp Protocol recognition: imap, msn Log example É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 6 / 43

  9. What it is ? or how to please developers https://twitter.com/randomuserid/status/1012705279098490880 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 7 / 43

  10. File related features File analysis Magic computation and in file data match Checksum computation and file extraction to disk Supported protocols: http, smtp, smb, ftp, nfs Fileinfo example É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 8 / 43

  11. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 8 / 43

  12. Suricata live modes Intrusion Detection System AF_PACKET capture method under Linux Get raw packet from card Do complete analysis Intrusion Prevention System Netfilter with NFQUEUE on Linux Kernel ask userspace for decision on packets É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 9 / 43

  13. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 9 / 43

  14. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 9 / 43

  15. Suricata reconstruction and normalization É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 10 / 43

  16. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 10 / 43

  17. Impact of loosing packets Methodology Use a sample traffic Modify the pcap file to have specified random packet loss Do it 3 times par packet loss Get graph out of that Test data Using a test pcap of 445Mo. Real traffic but lot of malicious behaviors Traffic is a bit old É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 11 / 43

  18. Alert loss by packet loss Some numbers 10% missed alerts with 3% packets loss 50% missed alerts with 25% packets loss É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 12 / 43

  19. The case of file extraction Some numbers 10% failed file extraction with 0.4% packets loss 50% failed file extraction with 5.5% packets loss É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 13 / 43

  20. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 13 / 43

  21. The elephant flow problem (1/2) É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 14 / 43

  22. The elephant flow problem (2/2) Ring buffer overrun Limited sized ring buffer Overrun cause packets loss that cause streaming malfunction Ring size increase Work around Use memory Fail for non burst Dequeue at N Queue at speed N+M É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 15 / 43

  23. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 15 / 43

  24. Stream depth method Attacks characteristic In most cases attack is done at start of TCP session Generation of requests prior to attack is not common Multiple requests are often not even possible on same TCP session Stream reassembly depth Reassembly is done till stream.reassembly.depth bytes. Stream is not analyzed once limit is reached Individual packet continue to be inspected É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 16 / 43

  25. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 16 / 43

  26. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 16 / 43

  27. Introducing bypass Stop packet handling as soon as possible Tag flow as bypassed Maintain table of bypassed flows Discard packet if part of a bypassed flow Bypass method Local bypass: Suricata discard packet after decoding Capture bypass: capture method maintain flow table and discard packets of bypassed flows É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 17 / 43

  28. Bypassing big flow: local bypass É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 18 / 43

  29. Bypassing big flow: capture bypass É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 19 / 43

  30. Implementation Suricata update Add callback function Capture method register itself and provide a callback Suricata calls callback when it wants to offload NFQ bypass in Suricata 3.2 Update capture register function Written callback function Set a mark with respect to a mask on packet Mark is set on packet when issuing the verdict É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 20 / 43

  31. Suricata NFQ and bypass É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 21 / 43

  32. Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet loss impact Elephant flow Work less to get more Suricata Bypass 3 Introducing bypass Bypass strategy Extended Berkeley Packet Filter 4 AF_PACKET bypass 5 eBPF bypass XDP support Conclusion 6 É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 21 / 43

  33. Stream depth bypass Stop all treatment after bypass Go beyond what is currently done Disable individual packet treatment once stream depth is reached Activating stream depth bypass Set stream.bypass to yes in YAML TLS bypass encrypt-handling: bypass É. Leblond (OISF) Suricata and XDP Nov. 29, 2018 22 / 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski

Bro Befriends Suricata 23/09/16 20 : 23 BRO BEFRIENDS SURICATA SURICATA AND BRO FIGHTING MALWARE TOGETHER Created by Michal Purzynski @michalpurzynski / Scripts are here - https://github.com/michalpurzynski

894 views • 47 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

667 views • 47 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

536 views • 42 slides
Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing

Fuzzing Suricata: Finding Vulnerabilities in Large Projects Sirko Her @golle0x90 1 Fuzzing Suricata : Finding Vulnerabilities in Large Projects Sirko Her Special thanks Robert Haist, DCSO Victor Julien, lead developer suricata,

598 views • 29 slides
Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien

Advances in Suricata Eric Leblond @Regiteric http://home.regit.org/ Victor Julien @inliniac http://www.inliniac.net/ Content of this talk Introduction to Suricata, OISF Eric Leblond will speak about recent

580 views • 47 slides
Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

2.73k views • 62 slides
Reconciling Performance and Security in High Load Environments Ignat Korchagin @ignatkn $

Reconciling Performance and Security in High Load Environments Ignat Korchagin @ignatkn $

Reconciling Performance and Security in High Load Environments Ignat Korchagin @ignatkn $ whoami Performance and security at Cloudflare Passionate about security and crypto Enjoy low level programming @ignatkn Performance vs

1.45k views • 133 slides
Security Resources, Capabilities and Cultural Values: Links to Security Performance and

Security Resources, Capabilities and Cultural Values: Links to Security Performance and

Security Resources, Capabilities and Cultural Values: Links to Security Performance and Regulatory Compliance WEIS 2012 Juhee Kwon and M. Eric Johnson Tuck School of Business Dartmouth College 1 Healthcare Security Landscape Healthcare

223 views • 18 slides
Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm higeartaigh - Dr. Colm higeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0

490 views • 44 slides
Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 .

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Suricata IDPS and Linux kernel . Leblond, G. Longo Stamus Networks February 10, 2016 . Leblond, G. Longo (Stamus Networks)

941 views • 46 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Performance and Security Tradeoff Katinka Wolter Bertinoro, June 26, 2010 Table of Contents

Performance and Security Tradeoff Katinka Wolter Bertinoro, June 26, 2010 Table of Contents

Performance and Security Tradeoff Katinka Wolter Bertinoro, June 26, 2010 Table of Contents Introduction Performance Cost of Encryption Performance Evaluation of a Key Distribution Centre Modelling and Quantifying Intrusion Tolerant Systems

1.27k views • 95 slides
Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge, Developer Advocate for Project Calico What prompted the team to add another dataplane to Calico? Calicos Pluggable Dataplane What is eBPF?

312 views • 20 slides
The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke

The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke

The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke Hiland-Jrgensen (Karlstad University) Jesper Dangaard Brouer (Red Hat) Daniel Borkmann (Cilium.io) John Fastabend (Cilium.io) Tom Herbert

738 views • 19 slides
Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy

Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy

Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy Brown University Roger Wattenhofer Microsoft Research 1 The network: n mesh n n n Discrete time Bi-directional links At most one

765 views • 49 slides
In Inno nova vativ tive e Fi Fina nance nce for or SM SMEs Es in C n Chi hina na

In Inno nova vativ tive e Fi Fina nance nce for or SM SMEs Es in C n Chi hina na

In Inno nova vativ tive e Fi Fina nance nce for or SM SMEs Es in C n Chi hina na Xiaochen Zhang Founding Partner, New Development Ventures; Board of Director, American Crowdfunding Professional Association September 21-22, 2016;

239 views • 7 slides
Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

710 views • 31 slides
QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College

QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College

QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College London, UK Massimo Condoluci Ericsson Research 2018-06-12 Ericsson Internal | 2018-02-21 Agenda Background on QoS What is QoS? 5G QoS

342 views • 22 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler <bazsi@balabit.com> www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR)

Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR)

Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR) International Computer Science Institute Berkeley, CA vern@icir.org October 26, 2004 Disclaimers: There are no new research results in this

673 views • 25 slides

More recommend