Adaptive Traffic Monitoring Using eBPF

Bahria University DSpace Repository


dc.contributor.author Mubbashir Adnan, 01-243201-014
dc.date.accessioned 2022-07-20T10:48:18Z
dc.date.available 2022-07-20T10:48:18Z
dc.date.issued 2022
dc.identifier.uri http://hdl.handle.net/123456789/12944
dc.description Supervised by Dr. Faisal Bashir en_US
dc.description.abstract New technologies and their adoption have opened new horizons for monitoring and analysing network traffic. The extended Berkeley Packet Filter (eBPF) marks a clear break from conventional techniques and allows more customised and more efficient filtering. Because such frameworks run entirely in the lowest layer of the operating system, the kernel, they can raise or lower system performance significantly. Network-based Intrusion Detection/Prevention Systems (IDPS) such as Snort and Bro (now Zeek) passively monitor traffic obtained from network test access points (TAPs); most of them are signature based. On large networks the drop rate rises because IDPS packet capture and processing cannot keep up: high throughput adds overhead, the IDPS buffers fill, and packets are dropped without ever being inspected, which is a serious threat to the network. Attackers exploit this with volumetric and multi-vector attacks that push traffic above the reception and processing capacity of the IDPS, exhausting its buffers and forcing it to drop packets. To counter this threat, the proposed solution, iKern, uses eBPF and Virtual Network Functions (VNF) to inspect and filter packets at kernel level before they are forwarded to user space: stream inspection is performed inside the iKern Engine in the kernel to detect and drop volumetric floods and multi-vector attacks. The iKern detection engine runs as eBPF bytecode injected from user space and handles volumetric DDoS attacks inside the Linux kernel. A real-time implementation of the proposed scheme was tested on a 1 Gbps network and shows significant detection and reduction of volumetric and multi-vector floods. en_US
dc.language.iso en en_US
dc.publisher Computer Sciences BUIC en_US
dc.relation.ispartofseries MS (CS);T-0674
dc.subject Multi Vector Floods en_US
dc.subject eBPF en_US
dc.title Adaptive Traffic Monitoring Using eBPF en_US
dc.type MS Thesis en_US
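The abstract describes the core mechanism of iKern: per-packet inspection in the kernel, driven by eBPF bytecode loaded from user space, that drops a source's traffic once it exceeds what the IDPS behind it can absorb. The following C program is an added illustration written for this page, not code from the thesis or from iKern. It is a user-space model of the decision an XDP/eBPF program would make for each frame: it parses Ethernet and IPv4 with the same bounds-check-before-access discipline the eBPF verifier enforces, keeps a per-source packet counter in a table that stands in for a BPF hash map, and returns XDP-style drop/pass verdicts. The window length (1 s), the per-source threshold (100 packets), the map size, the addresses and the replayed frames are all assumptions constructed for the example; a real deployment would learn the threshold from baseline traffic and would obtain timestamps from bpf_ktime_get_ns().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts mirror XDP_DROP (1) and XDP_PASS (2) so the logic maps
 * one-to-one onto an XDP program's return codes. */
#define VERDICT_DROP 1
#define VERDICT_PASS 2

#define ETH_HLEN      14
#define ETH_P_IPV4    0x0800
#define WINDOW_NS     1000000000ULL /* 1 s counting window (assumed)         */
#define PKT_THRESHOLD 100           /* packets/window per source (assumed)   */
#define MAP_ENTRIES   1024          /* stands in for the BPF map max_entries */

/* Per-source state; in eBPF this would be the value of a
 * BPF_MAP_TYPE_LRU_HASH keyed by IPv4 source address. */
struct flow_stat {
    uint32_t saddr;        /* key: IPv4 source address            */
    uint64_t window_start; /* ns timestamp at which window opened */
    uint32_t count;        /* packets from saddr in this window   */
    uint8_t  in_use;
};

static struct flow_stat flow_map[MAP_ENTRIES];

void flow_map_reset(void) { memset(flow_map, 0, sizeof flow_map); }

/* Lookup-or-insert with linear probing: models bpf_map_lookup_elem()
 * followed by bpf_map_update_elem() on a miss. */
static struct flow_stat *flow_lookup(uint32_t saddr)
{
    uint32_t h = (saddr * 2654435761u) % MAP_ENTRIES;
    for (uint32_t i = 0; i < MAP_ENTRIES; i++) {
        struct flow_stat *e = &flow_map[(h + i) % MAP_ENTRIES];
        if (!e->in_use) { e->in_use = 1; e->saddr = saddr; return e; }
        if (e->saddr == saddr) return e;
    }
    return NULL; /* map full: same as a failed bpf_map_update_elem() */
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Kernel-side decision for one frame. Each header access is preceded by a
 * length check, which is what the eBPF verifier demands before an XDP
 * program may dereference packet data. Packets are counted per source
 * regardless of L4 protocol, so a multi-vector flood mixing UDP, TCP SYN
 * and ICMP from one host hits the same counter. */
int ikern_verdict(const uint8_t *data, size_t len, uint64_t now_ns)
{
    if (len < ETH_HLEN) return VERDICT_PASS;                /* runt: not ours  */
    if (rd16(data + 12) != ETH_P_IPV4) return VERDICT_PASS; /* let stack decide */
    if (len < ETH_HLEN + 20) return VERDICT_DROP;           /* truncated IPv4  */
    const uint8_t *ip = data + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl)
        return VERDICT_DROP;                                /* malformed IPv4  */

    struct flow_stat *st = flow_lookup(rd32(ip + 12));
    if (!st) return VERDICT_PASS;   /* no room to track: fail open, never stall */
    if (now_ns - st->window_start >= WINDOW_NS) { /* window expired: restart */
        st->window_start = now_ns;
        st->count = 0;
    }
    st->count++;
    return st->count > PKT_THRESHOLD ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed frame: Ethernet + minimal IPv4 header + 8 payload bytes. */
size_t build_ipv4_frame(uint8_t *buf, uint32_t saddr, uint32_t daddr, uint8_t proto)
{
    memset(buf, 0, ETH_HLEN + 28);
    buf[12] = 0x08; buf[13] = 0x00;  /* ethertype IPv4              */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                    /* version 4, IHL 5 (20 bytes) */
    ip[3] = 28;                      /* total length                */
    ip[8] = 64; ip[9] = proto;       /* TTL, protocol               */
    wr32(ip + 12, saddr); wr32(ip + 16, daddr);
    return ETH_HLEN + 28;
}

/* Replays n frames from saddr, gap_ns apart from start_ns; returns drops. */
int replay_source(uint32_t saddr, uint8_t proto, int n, uint64_t start_ns, uint64_t gap_ns)
{
    uint8_t frame[ETH_HLEN + 28];
    size_t len = build_ipv4_frame(frame, saddr, 0xC0A80001u, proto); /* -> 192.168.0.1 */
    int dropped = 0;
    for (int i = 0; i < n; i++)
        if (ikern_verdict(frame, len, start_ns + (uint64_t)i * gap_ns) == VERDICT_DROP)
            dropped++;
    return dropped;
}

int main(void)
{
    flow_map_reset();
    /* 10.0.0.1 floods 150 UDP packets in 150 ms: first 100 pass, 50 drop.   */
    printf("flood  dropped: %d\n", replay_source(0x0A000001u, 17, 150, 0, 1000000ULL));
    /* 10.0.0.2 sends 5 TCP packets in the same window: nothing dropped.     */
    printf("normal dropped: %d\n", replay_source(0x0A000002u, 6, 5, 0, 1000000ULL));
    /* Two seconds later the flooder's window has expired; it is admitted.   */
    printf("later  dropped: %d\n", replay_source(0x0A000001u, 1, 10, 2 * WINDOW_NS, 1000000ULL));
    return 0;
}
```

Two design points carry over to a real XDP program. First, the verdict is taken before the frame is copied into an sk_buff, which is why a kernel-level filter can shed a flood that would exhaust a user-space IDPS's capture buffers. Second, when the tracking map is full the engine fails open rather than dropping, so an attacker who fills the map with spoofed sources cannot turn the filter itself into a denial of service against legitimate traffic; the user-space side should watch map occupancy and adjust thresholds, which is where the "adaptive" part of the scheme lives.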
