Rivitti, A., Tulumello, A., Belocchi, G., Bianchi, G. (2024). Decentralizing DDoS protection via efficient hardware offloading. In The 2024 IEEE 25th International Conference on High-Performance Switching and Routing (HPSR 2024) (pp. 49-54). New York: IEEE [10.1109/HPSR62440.2024.10635987].
Decentralizing DDoS protection via efficient hardware offloading
Rivitti A.; Tulumello A.; Belocchi G.; Bianchi G.
2024-01-01
Abstract
Distributed Denial of Service (DDoS) attacks pose a significant threat to the stability and availability of online services. An effective strategy for mitigating these attacks involves the decentralization of filtering mechanisms, which enhances resilience by distributing the load and reducing single points of failure. However, the deployment of decentralized filters presents challenges in terms of ease of deployment, performance, and scalability. To address these challenges, this study proposes the utilization of extended Berkeley Packet Filter (eBPF) for coding the filters and eHDL for hardware offloading. Our solution leverages the flexibility of eBPF for rapid development and deployment of complex filtering logic, while eHDL facilitates the efficient translation of these filters into hardware configurations capable of operating at the network speed. We demonstrate the effectiveness of our approach by offloading four distinct eBPF-based DDoS prevention applications, including two previously proposed in scholarly literature, and validate the scalability of our system up to 100 Gbps. This proof-of-concept underscores the potential of combining eBPF and eHDL to create robust, scalable, and high-performance DDoS protection architectures.