FlowSentryX is an open-source, XDP-based fast packet processing framework for mitigating Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against your network infrastructure at Layers 3 and 4.
Current work focuses on Layer 3 DoS and DDoS mitigation.
The framework is a collection of XDP programs that track your network traffic, parse each packet up to the IP header, and decide whether to drop packets from malicious IP addresses using different rate-limiting algorithms and models for DoS and DDoS mitigation.
We also plan to let users blacklist IP addresses and write rules manually from user space to block certain packets. The rules will be written in a config file; since an XDP program cannot read files itself, a user-space loader reads the file and pushes the rules into the program's BPF maps, from which the XDP program applies them. This extends the framework into a basic firewall.
This framework is a set of XDP programs that attach to the Linux kernel's XDP hook through (e)BPF for fast packet processing.
The XDP programs parse every packet of the ingress traffic up to the IP header and decide whether to drop packets from malicious IP addresses. For DoS mitigation this uses rate-limiting algorithms such as the token bucket, fixed window and sliding window algorithms. For DDoS mitigation, features extracted from the packets are passed to a trained ML model in user space, which infers whether a particular IP address is taking part in the attack.
DoS and DDoS attacks can disrupt your network, causing downtime and financial losses. Our framework helps you safeguard your infrastructure by filtering malicious traffic efficiently, keeping your network operational.
- Ping of Death
- Flood Attacks
- Buffer overflow Attacks
We plan to extend the framework into an XDP-based stateless firewall by adding config files in which the user can set parameters for the existing features, such as the threshold values and how long an IP address stays blacklisted. We also plan to add dynamic rule management for adding or removing IP addresses from the blocklist at runtime; this component communicates with the kernel-space program (through its BPF maps) to apply or remove rules as needed.
The same config files will also let the user blacklist IP addresses of their choosing and define rules to drop certain packets.
Note: This section is under development.
This section will give clear instructions on how to install and run the framework, including dependencies, installation commands and sample usage commands. A setup script will be provided to simplify installation.
Before installing the framework, make sure you have the following prerequisites installed:
- Dependencies (Linux kernel version, eBPF tools, etc.). Refer to Dependencies; the list below was extracted for Debian or Ubuntu.
Packages to install:
- libxdp
- xdp-tools
- libbpf
- llvm
- clang
- libelf-dev
- libpcap-dev
- build-essential
- gcc-multilib (sudo apt-get install -y gcc-multilib). On x86_64 this Debian package provides the /usr/include/asm symlink to /usr/include/x86_64-linux-gnu/asm, which the kernel headers included by the BPF programs need. On 32-bit ARM (Raspbian) or arm64 the equivalent headers are expected under /usr/include/arm-linux-gnueabihf or /usr/include/aarch64-linux-gnu instead; this has not been verified.
To install the framework on Debian/Ubuntu, follow these steps:
- Clone the repo using the following command:
git clone --recurse-submodules https://github.com/MeherRushi/FlowSentryX.git
- Then, type the following command to go into the repo and install all the dependencies required:
cd FlowSentryX
chmod +x ./install_dependencies.sh
./install_dependencies.sh
Guidance on how to use the framework (to be completed):
- Command-line options and arguments.
- After installing the framework, run the script.
- Configuration files, if applicable.
- Example usage scenarios.
The XDP-based DoS and DDoS mitigation framework operates at the network level to detect and mitigate attacks. The architecture involves the following components:
- Kernel Space Program:
  - Packet parsing: programs that parse the packets and perform the checks.
  - Map creation and updates:
    - The plan is to create two maps: the rate of packet arrival (per second) per IP, and a plain blacklisted-IP table.
    - The per-IP packet-arrival table is incremented for every packet and refreshed every second (for now); the algorithm used is the simple fixed window algorithm.
    - IPs that exceed the threshold are copied into the blacklist table and all further packets from those IPs are dropped.
- User Space Program:
  - Clear the blacklist IP table.
  - Read the data from the tables and print it in a readable format.
  - Configuration and management: in user space, a management component configures the threshold values and maintains the blocklist. User-level tools or scripts can be used to set the XDP program's parameters.
  - Reporting and logging: logging and reporting mechanisms in user space monitor the status of the DDoS prevention system, store logs, generate alerts and keep historical data.
  - Dynamic rule management: a user-space component communicates with the kernel space (via the maps) to add or remove IP addresses from the blocklist dynamically.
- eBPF Maps and Data Structures:
  - We plan to use a BPF hash map (BPF_MAP_TYPE_HASH) keyed by IP address to store the packets-per-second count. An LRU variant (BPF_MAP_TYPE_LRU_HASH) is worth considering: with a plain hash map, a flood of spoofed source addresses can fill the map, after which new sources can no longer be tracked.
We plan to implement a static window rate limiting algorithm. This algorithm tracks incoming packets and allows legitimate traffic while limiting excessive traffic from potential attackers.
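The following is an added example, not FlowSentryX's own code, showing the kernel-side decision described above (bounds-checked parsing up to the IPv4 source address, a per-IP fixed window counter, a blacklist with expiry) together with the two user-space operations listed for the management component (clear the maps, count active blacklist entries). It is written as plain C so it can be compiled and exercised without kernel headers: the two linear-probing tables stand in for the two BPF hash maps, `now_ns` stands in for `bpf_ktime_get_ns()`, and the threshold (1000 packets per 1 s window), blacklist duration (60 s), table size (1024) and every function name are assumptions for the example. Non-IPv4 frames are passed to the stack untouched; an IPv4 frame whose header is truncated is dropped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define XDP_DROP 1      /* verdict values from linux/bpf.h, redefined so this builds without kernel headers */
#define XDP_PASS 2
#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define IPV4_MIN_HLEN 20
#define WINDOW_NS     1000000000ULL             /* the 1 s fixed window from the design above */
#define PPS_THRESHOLD 1000U                     /* assumed: packets allowed per window per source IP */
#define BLACKLIST_NS  (60ULL * 1000000000ULL)   /* assumed: blacklist duration */
#define TABLE_SIZE    1024U                     /* power of two; plays the role of a map's max_entries */

/* One struct serves both maps: in rate_map `t` is the window index and `count` the packets seen in it;
 * in block_map `t` is the expiry time. Both stand in for BPF_MAP_TYPE_HASH keyed by source IPv4. */
struct entry { uint32_t ip; uint8_t used; uint64_t t; uint32_t count; };
static struct entry rate_map[TABLE_SIZE], block_map[TABLE_SIZE];

static uint32_t slot(uint32_t ip) { ip ^= ip >> 16; ip *= 0x45d9f3bU; ip ^= ip >> 16; return ip & (TABLE_SIZE - 1); }

/* Linear-probing lookup; with create set an empty slot is claimed. NULL when absent or the map is full.
 * Entries are never deleted (an expired blacklist entry is simply overwritten), so probe chains stay valid. */
static struct entry *lookup(struct entry *map, uint32_t ip, int create) {
    for (uint32_t i = 0, s = slot(ip); i < TABLE_SIZE; i++, s = (s + 1) & (TABLE_SIZE - 1)) {
        if (map[s].used && map[s].ip == ip) return &map[s];
        if (!map[s].used) {
            if (!create) return NULL;
            map[s] = (struct entry){ .ip = ip, .used = 1 };
            return &map[s];
        }
    }
    return NULL;
}

/* Parse Ethernet + IPv4 as far as the source address (returned in host order). Each read is preceded by a
 * length check, which is what the BPF verifier demands of the kernel version (written there as
 * `if (data + ETH_HLEN > data_end)`). Returns 0 on success, 1 for non-IPv4 frames, -1 for an IPv4 frame
 * whose header is truncated or has a bad version/IHL. */
int parse_ipv4_src(const uint8_t *data, const uint8_t *data_end, uint32_t *src) {
    if (data_end - data < ETH_HLEN) return 1;
    if ((((uint16_t)data[12] << 8) | data[13]) != ETH_P_IP) return 1;
    const uint8_t *ip = data + ETH_HLEN;
    if (data_end - ip < IPV4_MIN_HLEN) return -1;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1;
    *src = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) | ((uint32_t)ip[14] << 8) | ip[15];
    return 0;
}

/* The per-packet decision of the XDP program; now_ns is what bpf_ktime_get_ns() would return there. */
int xdp_decide(const uint8_t *data, const uint8_t *data_end, uint64_t now_ns) {
    uint32_t src;
    int rc = parse_ipv4_src(data, data_end, &src);
    if (rc > 0) return XDP_PASS;                      /* ARP, IPv6, ...: out of scope, leave to the stack */
    if (rc < 0) return XDP_DROP;                      /* claims IPv4 but header is cut short: drop early */

    struct entry *b = lookup(block_map, src, 0);
    if (b && now_ns < b->t) return XDP_DROP;          /* blacklist hit: the cheapest path, checked first */

    struct entry *r = lookup(rate_map, src, 1);
    if (!r) return XDP_PASS;                          /* map full: fails open here; a deployment should alert */
    uint64_t win = now_ns / WINDOW_NS;                /* fixed window aligned to 1 s boundaries */
    if (r->t != win) { r->t = win; r->count = 0; }    /* new second: the counter starts over */
    if (++r->count > PPS_THRESHOLD) {                 /* over the threshold: blacklist and drop */
        struct entry *nb = lookup(block_map, src, 1);
        if (nb) nb->t = now_ns + BLACKLIST_NS;
        return XDP_DROP;
    }
    return XDP_PASS;
}

/* User-space side: what a management tool does against the pinned maps (clear, count active entries). */
void maps_reset(void) { memset(rate_map, 0, sizeof rate_map); memset(block_map, 0, sizeof block_map); }
unsigned blacklist_active(uint64_t now_ns) {
    unsigned n = 0;
    for (uint32_t s = 0; s < TABLE_SIZE; s++) if (block_map[s].used && now_ns < block_map[s].t) n++;
    return n;
}

/* Constructed traffic: n minimal Ethernet + IPv4 frames (no payload) from src_ip at time now_ns.
 * Returns how many the filter dropped. */
int send_burst(uint32_t src_ip, int n, uint64_t now_ns) {
    uint8_t f[ETH_HLEN + IPV4_MIN_HLEN] = {0}, *ip = f + ETH_HLEN;
    f[12] = 0x08; f[13] = 0x00;                                    /* EtherType IPv4 */
    ip[0] = 0x45; ip[3] = IPV4_MIN_HLEN; ip[8] = 64; ip[9] = 17;   /* v4, IHL 5, len 20, TTL 64, UDP */
    ip[12] = src_ip >> 24; ip[13] = src_ip >> 16; ip[14] = src_ip >> 8; ip[15] = src_ip;
    int dropped = 0;
    for (int i = 0; i < n; i++) if (xdp_decide(f, f + sizeof f, now_ns) == XDP_DROP) dropped++;
    return dropped;
}

/* Constructed frame of an arbitrary EtherType and length, for the non-IPv4 and truncated-header paths. */
int decide_synthetic(uint16_t ethertype, size_t len, uint64_t now_ns) {
    uint8_t f[64] = {0};
    if (len > sizeof f) len = sizeof f;
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff;
    if (ethertype == ETH_P_IP) f[ETH_HLEN] = 0x45;
    return xdp_decide(f, f + len, now_ns);
}
```

Driving it with `send_burst(0x0A000005, 1000, 0)` passes all 1000 packets, the 1001st in the same second is dropped and blacklists 10.0.0.5, and the source stays dropped in later windows until the 60 s expiry. Two behaviours are worth keeping in mind when the real maps replace the tables: a fixed window lets an attacker send up to twice the threshold across a window boundary (which is why the sliding window variant is on the roadmap), and the "map full: fail open" branch is a deliberate trade-off that an LRU map would avoid.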
- Learning eBPF and XDP Repository: This repository provided valuable insights into the technologies used in this project.
References and Literature Survey
- Beginner/Intermediate/Advanced intro to eBPF by Brendan Gregg: https://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html
- Basic Firewall building program : https://arthurchiao.art/blog/firewalling-with-bpf-xdp/#11-bpfxdp-in-a-nutshell
- IEEE executive project Network Monitoring with eBPF : https://github.com/advaithcurpod/network-monitoring-eBPF
- Theory Programming Kernel with eBPF: https://www.kerno.io/blog/programming-the-kernel-with-ebpf
- Art of writing eBPF code : https://sysdig.com/blog/the-art-of-writing-ebpf-programs-a-primer/
- Amazing repo which is a collection of a lot of other references : https://github.com/zoidbergwill/awesome-ebpf#tutorials
- Resource List : https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into-bpf/
- Brendan Gregg blogs/books: https://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html
- https://www.brendangregg.com/bpf-performance-tools-book.html
- https://www.brendangregg.com/systems-performance-2nd-edition-book.html
- Iovisor bcc fundamentals : https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
- XDP tutorial : https://github.com/xdp-project/xdp-tutorial/tree/master/basic01-xdp-pass
- BPF Internals : https://www.usenix.org/conference/lisa21/presentation/gregg-bpf
- Linus Torvalds' Linux repo, bpf samples: https://github.com/torvalds/linux/tree/v4.20/samples/bpf
- Cilium Docs : https://docs.cilium.io/en/latest/bpf/
- Kernel.org documentation : https://www.kernel.org/doc/html/latest/bpf/index.html
Some Important papers:
- Fast Packet Processing with eBPF and XDP: Concepts, Code, Challenges, and Applications (main reference paper): https://www.researchgate.net/publication/339084847_Fast_Packet_Processing_with_eBPF_and_XDP_Concepts_Code_Challenges_and_Applications
- A flow-based IDS using Machine Learning in eBPF (Reference for the ML part)
- CICIDS2017 dataset
- XDP in practice: integrating XDP into our DDoS mitigation pipeline:
Some related technologies and tools
- eBPF Summit : https://ebpf.io/applications/
- Once again: Amazing repo which is a collection of a lot of other references : https://github.com/zoidbergwill/awesome-ebpf#tutorials
- Cilium : https://github.com/cilium/cilium
Some other resources
- Basic intro to eBPF for complete beginners: https://www.youtube.com/watch?v=J_EehoXLbIU&ab_channel=Computerphile
- NetDev XDP talk: https://www.youtube.com/watch?v=iBkR4gvjxtE&ab_channel=netdevconf
- Linux kernel observability with eBPF: https://sematext.com/blog/linux-kernel-observability-ebpf/
- eBPF and XDP for processing packets at bare-metal speed: https://sematext.com/blog/ebpf-and-xdp-for-processing-packets-at-bare-metal-speed/
- Cilium: https://medium.com/@luishrsoares/getting-started-with-cilium-ebpf-778d00c113aa
- Hooking: https://en.wikipedia.org/wiki/Hooking
- eBPF.io: https://ebpf.io/what-is-ebpf/#development-toolchains
References from others:
- https://www.youtube.com/watch?v=iBkR4gvjxtE
- https://blog.yadutaf.fr/2017/07/28/tracing-a-packet-journey-using-linux-tracepoints-perf-ebpf/
- https://www.collabora.com/news-and-blog/blog/2019/04/05/an-ebpf-overview-part-1-introduction/
- https://stackoverflow.com/questions/67553794/what-is-variable-attribute-sec-means
- https://bpietraga.me/experiments-with-writing-c-ebpf-code/
- https://blogs.igalia.com/dpino/2019/01/10/the-express-data-path/
- https://www.tigera.io/learn/guides/ebpf/ebpf-xdp/
- https://www.redhat.com/en/blog/using-express-data-path-xdp-red-hat-enterprise-linux-8
- https://stackoverflow.com/questions/55436213/how-can-i-get-the-bpf-helpers-h-header-file-for-my-linux-kernel
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/network-tracing-using-the-bpf-compiler-collection_configuring-and-managing-networking
- https://dev.to/satrobit/absolute-beginner-s-guide-to-bcc-xdp-and-ebpf-47oi
- https://www.mcorbin.fr/pages/xdp-introduction/
References regarding DoS
Some Cloudflare tools for reference:
- xdpcap - tcpdump with an XDP packet filter
- Rakelimit - UDP Packet filter - Blog - has other links
- Rakelimit - Github Repo
- To be added
Some more papers and Articles:
- Signature based DDOS prevention in xdp
- Signature-Based DDoS Attack Mitigation: Automated Generating Rules for Extended Berkeley Packet Filter and Express Data Path
- DoS and DDoS mitigations with eBPF, XDP and DPDK
Some repos:
Rate Limiting Blogs:
This project is currently in the development phase. We are actively working on building the framework and welcome contributions from the open-source community.
If you'd like to contribute to the project, please follow these steps:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Make your changes and submit a pull request.
This project is licensed under the MIT License.
If you have any questions, suggestions, or would like to collaborate, please feel free to contact us at MeherRushi-Email.
We'd like to thank the open-source community for their support and contributions to this project.