the adventures of a suricate in ebpf land
play

The adventures of a Suricate in eBPF land . Leblond Stamus Networks - PowerPoint PPT Presentation

Dec 10, 2022 •283 likes •848 views

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41 Introduction to Suricata 1 Whats this ? A few words on

  1. The adventures of a Suricate in eBPF land É. Leblond Stamus Networks Oct. 6, 2016 É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41

  2. Introduction to Suricata 1 What’s this ? A few words on performance Suricata meets eBPF 2 AF_PACKET Interest of bypass eBPF technology 3 eBPF cluster or the start of the travel 4 eBPF bypass or lost in translation 5 Some results 6 Conclusion 7 É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41

  3. What is Suricata IDS and IPS engine Get it here: http://www.suricata-ids.org Open Source (GPLv2) Initially publicly funded, now funded by consortium members Run by Open Information Security Foundation (OISF) More information about OISF at http://www. openinfosecfoundation.org/ É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 2 / 41

  4. Suricata Features High performance, scalable through multi threading Advanced Protocol handling Protocol recognition Protocol analysis: field extraction, filtering keywords Transaction logging in extensible JSON format File identification, extraction, on the fly MD5 calculation HTTP SMTP TLS handshake analysis, detect/prevent things like Diginotar Lua scripting for detection Hardware acceleration support: Endace Napatech, CUDA PF_RING É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 3 / 41

  5. A typical signature example Signature example: Chat facebook a l e r t http $HOME_NET any − > $EXTERNAL_NET any \ ( msg: "ET CHAT Facebook Chat about netdev " ; \ flow : established , to_server ; content : "POST" ; http_method ; \ content : " / ajax / chat / send . php " ; h t t p _ u r i ; content : " facebook .com" ; http_host ; \ content : " netdev " ; http_client_body ; reference : url ,www. emergingthreats . net / cgi − bin / cvsweb . cgi / sigs / POLICY / POLICY_Facebook_Chat ; \ sid :2010784; rev : 4 ; \ ) This signature tests: The HTTP method: POST The page: /ajax/chat/send.php The domain: facebook.com The body content: netdev É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 4 / 41

  6. No passthrough All signatures are inspected Different from a firewall More than 15000 signatures in standard rulesets Optimization on detection engine Tree pre filtering approach to limit the set of signatures to test Multi pattern matching on some buffers É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 5 / 41

  7. CPU intensive É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 6 / 41

  8. Perf top É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 7 / 41

  9. Scalability Bandwith per core is limited From 150Mb/s To 500Mb/s Scaling Using RSS Splitting load on workers É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 8 / 41

  10. Introduction to Suricata 1 What’s this ? A few words on performance Suricata meets eBPF 2 AF_PACKET Interest of bypass eBPF technology 3 eBPF cluster or the start of the travel 4 eBPF bypass or lost in translation 5 Some results 6 Conclusion 7 É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 8 / 41

  11. AF_PACKET Linux raw socket Raw packet capture method Socket based or mmap based É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 9 / 41

  12. AF_PACKET Linux raw socket Raw packet capture method Socket based or mmap based Fanout mode Load balancing over multiple sockets Multiple load balancing functions Flow based CPU based RSS based eBPF based É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 9 / 41

  13. Suricata workers mode É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 10 / 41

  14. Load balancing and hash symmetry Effect of non symmetrical hash Stream reconstruction Using packets sniffed from network to reconstruct TCP stream as seen by remote application Non symmetrical hash break Out of order packets É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 11 / 41

  15. Broken symmetry History T. Herbert introduce asymmetrical hash function in flow Kernel 4.2 Users did start to complain And our quest did begin Fixed in 4.6 and pushed to stable by David S. Miller É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 12 / 41

  16. Broken symmetry History T. Herbert introduce asymmetrical hash function in flow Kernel 4.2 Users did start to complain And our quest did begin Fixed in 4.6 and pushed to stable by David S. Miller Intel NIC RSS hash XL510 hash is not symmetrical XL710 could be symmetrical Hardware is capable Driver does not allow it Patch proposed by Victor Julien É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 12 / 41

  17. eBPF cluster Userspace to the rescue Program your own hash function in userspace Available since Linux 4.3 Developed by Willem de Bruijn Using eBPF infrastructure by Alexei Storovoitov eBPF cinematic Syscall to load the BPF code in kernel Setsockopt to set returned fd as cluster BPF É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 13 / 41

  18. The big flow problem Ring buffer overrun Limited sized ring buffer Overrun cause packets loss that cause streaming malfunction Bypassing big flow Limiting treatment time at maximum Stopping it earlier as possible local bypass: Suricata limit handling capture bypass: interaction with lower layer É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 14 / 41

  19. Stream depth Attacks characteristic In most cases attack is done at start of TCP session Generation of requests prior to attack is not common Multiple requests are often not even possible on same TCP session Stream reassembly depth Suricata reassemble TCP sessions till stream.reassembly.depth bytes. Stream is not analyzed once limit is reached É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 15 / 41

  20. Introducing bypass Principle No need to get packet from kernel after stream depth is reached If there is no file store or other operation Usage Set stream.bypass option to yes in Suricata config file to bypass É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 16 / 41

  21. Selective bypass Ignore some traffic Ignore intensive traffic like Netflix Can be done independently of stream depth Can be done using generic or custom signatures É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 17 / 41

  22. Selective bypass Ignore some traffic Ignore intensive traffic like Netflix Can be done independently of stream depth Can be done using generic or custom signatures The bypass keyword A new bypass signature keyword Trigger bypass when signature match Example of signature a l e r t http any any − > any any ( content : " netdevconf . org " ; \ \ http_host ; bypass ; sid :6666; rev : 1 ; ) É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 17 / 41

  23. Implementation Suricata update Add callback function Capture method register itself and provide a callback Suricata calls callback when it wants to offload É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 18 / 41

  24. Implementation Suricata update Add callback function Capture method register itself and provide a callback Suricata calls callback when it wants to offload Coded for NFQ Update capture register function Written callback function Set a mark with respect to a mask on packet Mark is set on packet when issuing the verdict É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 18 / 41

  25. And now AF_PACKET What’s needed Suricata to tell kernel to ignore flows Kernel system able to Maintain a list of flow entries Discard packets belonging to flows in the list Update from userspace nftables is too late even in ingress É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 19 / 41

  26. And now AF_PACKET What’s needed Suricata to tell kernel to ignore flows Kernel system able to Maintain a list of flow entries Discard packets belonging to flows in the list Update from userspace nftables is too late even in ingress eBPF filter using maps eBPF introduce maps Different data structures Hash, array, . . . Update and fetch from userspace Looks good! É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 19 / 41

  27. Introduction to Suricata 1 What’s this ? A few words on performance Suricata meets eBPF 2 AF_PACKET Interest of bypass eBPF technology 3 eBPF cluster or the start of the travel 4 eBPF bypass or lost in translation 5 Some results 6 Conclusion 7 É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 19 / 41

  28. eBPF usage Handling code Need to generate code Load code Address code from Suricata Interact with code Add elements in hash table Query elements Delete elements É. Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 20 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41 What is Suricata IDS and IPS engine Get it here:

568 views • 41 slides
Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

FOSDEM20 Brussels, 2020-02-01 Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q. Monnet eBPF Update 2/18 eBPF Basics New Features eBPF Universe eBPF Basics Q. Monnet

531 views • 18 slides
eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why eBPF? Target architecture (NFP based NIC) RX Path Flow of eBPF Packet The Flow Processing Core (Fully Programmable) Mapping eBPF -> NFP

668 views • 24 slides
Adventures with LLVM in a magical land where pointers are not integers David Chisnall Approved

Adventures with LLVM in a magical land where pointers are not integers David Chisnall Approved

Adventures with LLVM in a magical land where pointers are not integers David Chisnall Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force

380 views • 16 slides
eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium project fosdem17, February 4, 2017 Daniel Borkmann eBPF in tcs cls bpf and XDP February 4, 2017 1 / 11 Big Picture: eBPF and Networking eBPF:

476 views • 11 slides
The Adventures of General Practice in Primary Care Land David Wingfield General Practitioner

The Adventures of General Practice in Primary Care Land David Wingfield General Practitioner

The Adventures of General Practice in Primary Care Land David Wingfield General Practitioner Chairman of Hammersmith and Fulham GP Federation Hon Senior Lecturer Imperial College Or . A Hammersmith and Fulham response to a national

577 views • 40 slides
Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

Looking backwards to look forward: Mark Twain and best practice for developing clear and effective content in our globalised, digitally-connected world Dr Stephen Crabbe September 17 th , 2014 The Adventures of Tom Sawyer (1876) Adventures of

437 views • 21 slides
Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Linux Plumbers Conference 2019 eBPF conf Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall mathieu.desnoyers@efcios.com Restartable Sequences (RSEQ) in a nutshell System call registering

457 views • 9 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

612 views • 45 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

429 views • 39 slides
Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

2.06k views • 52 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and

Adventures in Elm GOTO Chicago, 24 May 2016 Adventures in Elm Events, Reproducibility, and Kindness question your principles @jessitron Adventures in Elm Events, Reproducibility, and Kindness Data Data In Out Server UI Everything My

646 views • 39 slides
New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

<Insert Picture Here> New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux Engineering, Oracle America Linuxcon Japan 2015 Overview BPF eBPF eBPF main concepts and elements eBPF

601 views • 42 slides
Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018 Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF You don't need to know how to operate

632 views • 26 slides
eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 |

eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 |

# biolatency.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@

933 views • 39 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017 Incremental IPv6 deployment in DC IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full

550 views • 15 slides
Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Analyzing Evolution of

450 views • 19 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides
Embracing Diversity: OS Support for Integra9ng High- Performance

Embracing Diversity: OS Support for Integra9ng High- Performance

Embracing Diversity: OS Support for Integra9ng High- Performance Compu9ng and Data Analy9cs Ron Brightwell Scalable System SoEware Department Workshop

411 views • 16 slides
regarding network meta-analysis A day with GRADing methods group: Whats new Romina

regarding network meta-analysis A day with GRADing methods group: Whats new Romina

Latest GRADE guidance regarding network meta-analysis A day with GRADing methods group: Whats new Romina Brignardello-Petersen November 19, 2020 Conflicts of interest None financial Member of GRADE working group and lead of GRADE

544 views • 25 slides
Drupal Shibboleth Authentication Ray Saray Ali Karim Andrea Kapitan Server

Drupal Shibboleth Authentication Ray Saray Ali Karim Andrea Kapitan Server

Drupal Shibboleth Authentication Ray Saray Ali Karim Andrea Kapitan Server Tools AWS Docker Shibboleth Service Resources AWS Elastic Beanstalk - for deploying and scaling applications

315 views • 19 slides

More recommend