1

High-performance software packet processing

Fu, Qiaobin 30 January 2021
In today’s Internet, it is highly desirable to have fast and scalable software packet processing solutions for network applications that run on commodity hardware. The advent of cloud computing drives the continued rapid growth of Internet traffic. Moreover, the development of emerging networking techniques, such as Network Function Virtualization, significantly shapes the need for implementing the network functions in software. Finally, with the advancement of modern platforms as well as software frameworks for packet processing, network applications have the potential to process 100+ Gbps network traffic on a single commodity server. Representative frameworks include the Click modular router, the RouteBricks scalable routing architecture, and BUFFALO, the software-based Ethernet switch. Beneath this general-purpose routing and switching functionality lies a broad set of network applications, many of which are handled with custom methods to provide cost-effectiveness and flexibility. This thesis considers two long-standing networking applications, IP lookup and distributed denial-of-service (DDoS) mitigation, and proposes efficient software-based methods drawing from this new perspective. In this thesis, we first introduce several optimization techniques to accelerate network applications by taking advantage of modern CPU features. Then, we explore the IP lookup problem to find the longest matching prefix of an IP address in a set of prefixes. An ideal IP lookup algorithm should achieve small constant IP lookup time, and on-chip memory usage. However, no prior IP lookup algorithm achieves both requirements at the same time. We propose SAIL, a splitting approach to IP lookup, and a suite of algorithms for IP lookup based on the SAIL framework. We conducted extensive experiments to evaluate our algorithms, and experimental results show that our SAIL algorithms are much faster than well-known IP lookup algorithms.
Next, we switch our focus to DDoS, an attempt to disrupt the legitimate traffic of a victim by sending a flood of Internet traffic from different sources. Our solution is Gatekeeper, the first open-source and deployable DDoS mitigation system. We present a series of optimization techniques, including use of modern platforms, group prefetching, coroutines, and hashing, to accelerate Gatekeeper. Experimental results show that these optimization techniques significantly improve its performance over alternative baseline solutions. / 2022-01-30T00:00:00Z
2

A study of slow denial of service mitigation tools and solutions deployed in the cloud

Larsson, Niklas, Ågren Josefsson, Fredrik January 2019
Slow rate Denial of Service (DoS) attacks have been shown to be a very effective way of attacking vulnerable servers while using few resources. This thesis investigates the effectiveness of mitigation tools used for protection against slow DoS attacks, specifically slow header and slow body. Finally, we propose a service that cloud providers could implement to ensure better protection against slow rate DoS attacks. The tools studied in this thesis are a web application firewall, a reverse proxy using an event-based architecture, and Amazon’s Elastic Load Balancing. To gather data, a realistic HTTP load script was built that simulated load on the server while using probe requests to gather response time data from the server. The script recorded the impact the attacks had for each server configuration. The results show that it’s hard to protect against slow rate DoS attacks while only using firewalls or load balancers. We found that using a reverse proxy with an event-based architecture was the best way to protect against slow rate DoS attacks and that such a service would allow the customer to use their server of choice while also being protected.
