Rivitti, A., Tulumello, A., Belocchi, G., Bianchi, G. (2024). Decentralizing DDoS protection via efficient hardware offloading. In The 2024 IEEE 25th International Conference on High Performance Switching and Routing (HPSR 2024) (pp. 49-54). New York: IEEE [10.1109/HPSR62440.2024.10635987].

Decentralizing DDoS protection via efficient hardware offloading

Rivitti A.; Tulumello A.; Belocchi G.; Bianchi G.
2024-01-01

Abstract

Distributed Denial of Service (DDoS) attacks pose a significant threat to the stability and availability of online services. An effective strategy for mitigating these attacks involves the decentralization of filtering mechanisms, which enhances resilience by distributing the load and reducing single points of failure. However, the deployment of decentralized filters presents challenges in terms of ease of deployment, performance, and scalability. To address these challenges, this study proposes the utilization of extended Berkeley Packet Filter (eBPF) for coding the filters and eHDL for hardware offloading. Our solution leverages the flexibility of eBPF for rapid development and deployment of complex filtering logic, while eHDL facilitates the efficient translation of these filters into hardware configurations capable of operating at the network speed. We demonstrate the effectiveness of our approach by offloading four distinct eBPF-based DDoS prevention applications, including two previously proposed in scholarly literature, and validate the scalability of our system up to 100 Gbps. This proof-of-concept underscores the potential of combining eBPF and eHDL to create robust, scalable, and high-performance DDoS protection architectures.
2024 IEEE 25th International Conference on High Performance Switching and Routing (HPSR)
Pisa, Italy
2024
25
International relevance
2024
Sector IINF-03/A - Telecommunications
English
Conference contribution
Use this identifier to cite or link to this document: https://hdl.handle.net/2108/395860