
Research On Network Security Application Based On EBPF

Posted on: 2020-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: B Yu
Full Text: PDF
GTID: 2428330602986949
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of network services, a tool that can efficiently process massive numbers of data packets is urgently needed. The Berkeley Packet Filter (BPF) has great practical value in Unix/Linux systems: BPF first filters data at the link layer inside the operating system kernel and then copies only the matched data to the application layer. In the past two years, the extended Berkeley Packet Filter (eBPF) has extended BPF further in its instruction set, system architecture, toolchain suite and more, so that eBPF can be applied to more network scenarios. At present, eBPF technology is still developing continuously in the Linux kernel, its importance for network applications is gradually attracting the attention of Internet giants, and it has promoted the development of many related open source projects. Although eBPF has a wide range of use cases in the network field, there are still very few Chinese documents about it. This thesis is the first Chinese paper to explore the application of eBPF technology to network applications. Its contributions are as follows:

(1) eBPF is still developing, and new features are constantly being added. By tracking the development history of eBPF, summarizing its technical characteristics and drawing on a large body of research related to eBPF, the idea of applying eBPF to network applications is obtained. Studying the principles of the hidden Markov model and of DDoS attacks lays the theoretical foundation for their respective eBPF applications.

(2) An intrusion detection system is an important means of ensuring network security, and its role is increasingly extensive and complex. Traditional intrusion detection systems include iptables, Snort and Suricata; their structure is generally divided into a detection part and a traffic-cleaning part. At present they are limited by traditional network equipment, so such intrusion prevention systems support cloud platforms poorly. Using eBPF's advantage of filtering data packets quickly, combined with certain detection modes, an efficient virtual network intrusion detection and defense system, EX-vIPS, is formed. The detection module of EX-vIPS uses a hidden Markov model. First, nine feature values are selected from the access traffic and the parameters of the hidden Markov model are optimized with the Baum-Welch algorithm. Then the Viterbi algorithm is used to determine whether real-time traffic accesses the system with malicious intent. The traffic-cleaning module uses eBPF and its corresponding components to clean the abnormal traffic reported by the detection module, ensuring the safety of the system.

(3) Because of the way the kernel network stack is implemented, the traditional firewall software iptables calls a large number of system functions, interrupt handlers and other services when enforcing the blocking rules set by the administrator, which seriously degrades overall system performance. Aiming at the large performance overhead of iptables when blocking DDoS attacks, a system based on eBPF is designed to block certain DDoS attacks. For the DDoS attack in which the client intentionally withholds the ACK acknowledgment to the server in the third step of the handshake, the system designs a set of methods to detect this type of attack and monitors network access in real time through a monitor program, adding suspicious IP addresses to a blacklist database. Then, using eBPF and its components, packets from blacklisted IP addresses are dropped without entering the traditional network protocol stack, relieving the system of the load of rejecting those connections. Compared with the traditional firewall software iptables, this scheme has obvious advantages in system performance such as network transmission, CPU usage and memory usage.
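The drop path in contribution (3), as an added user-space model in C that is not code from the thesis: the same header parsing and bounds checks an XDP program must pass the BPF verifier with, a per-source table standing in for the BPF_MAP_TYPE_HASH blacklist, and a monitor rule that blacklists a source once too many of its handshakes stay half-open (SYN seen, third-handshake ACK never sent). The threshold of 3, the 64-entry table and the sample frames are constructed assumptions; in the kernel, `table` becomes a BPF map read with bpf_map_lookup_elem() and `data`/`data_end` come from struct xdp_md.

```c
#include <stdint.h>
#include <string.h>
enum { XDP_DROP = 1, XDP_PASS = 2 };                        /* values match linux/bpf.h */
enum { ETH_P_IP = 0x0800, IPPROTO_TCP = 6, TCP_SYN = 0x02, TCP_ACK = 0x10 };
#define HALF_OPEN_MAX 3                 /* constructed threshold, not taken from the thesis */
#define MAX_SRC       64
/* Per-source state; stands in for the BPF_MAP_TYPE_HASH an XDP program would use.
 * saddr 0 marks a free slot (0.0.0.0 is never a legitimate unicast source). */
struct src_state { uint32_t saddr; int half_open; int blocked; };
static struct src_state table[MAX_SRC];
static struct src_state *lookup(uint32_t saddr) {
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].saddr == saddr) return &table[i];
        if (table[i].saddr == 0) { table[i].saddr = saddr; return &table[i]; }
    }
    return 0;                           /* table full: fail open rather than drop unknowns */
}
/* XDP-style verdict for the frame in [data, data_end): every header is length-checked
 * before it is read, exactly as the BPF verifier would require of the kernel program. */
int xdp_decide(const uint8_t *data, const uint8_t *data_end) {
    if (data_end - data < 14) return XDP_PASS;                    /* Ethernet header */
    if (((data[12] << 8) | data[13]) != ETH_P_IP) return XDP_PASS;
    const uint8_t *ip = data + 14;
    if (data_end - ip < 20) return XDP_PASS;                      /* minimal IPv4 header */
    uint32_t saddr;
    memcpy(&saddr, ip + 12, 4);                                   /* source address bytes */
    struct src_state *s = lookup(saddr);
    if (!s) return XDP_PASS;
    if (s->blocked) return XDP_DROP;    /* blacklisted: packet never enters the protocol stack */
    if (ip[9] != IPPROTO_TCP) return XDP_PASS;
    int ihl = (ip[0] & 0x0f) * 4;
    if (ihl < 20 || data_end - ip < ihl + 20) return XDP_PASS;    /* IHL sanity + TCP header */
    uint8_t flags = ip[ihl + 13];                                 /* TCP flags byte */
    if ((flags & TCP_SYN) && !(flags & TCP_ACK)) s->half_open++;  /* handshake opened */
    else if ((flags & TCP_ACK) && s->half_open > 0) s->half_open--; /* third handshake seen */
    if (s->half_open > HALF_OPEN_MAX) s->blocked = 1;             /* monitor blacklists source */
    return XDP_PASS;
}
/* Constructed 54-byte Ethernet/IPv4/TCP frame from src with the given TCP flags. */
int build_frame(uint8_t *buf, const uint8_t src[4], uint8_t flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;     /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = IPPROTO_TCP; /* version 4, IHL 5; protocol TCP */
    memcpy(buf + 26, src, 4);           /* IPv4 source address */
    buf[14 + 20 + 13] = flags;          /* TCP flags byte */
    return 54;
}
```

A source that completes its handshakes (SYN followed by ACK) never accumulates half-open entries, so only sources that keep withholding the third-handshake ACK end up blacklisted, and once blacklisted all their traffic is dropped before any further parsing.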
Keywords/Search Tags:extended Berkeley packet filter, eXpress Data Path, Hidden Markov Model, Distributed denial of service attack, intrusion prevention system, network security