|
|
Packet Filtering Using XDP
Mackovič, Jakub ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Computer systems which must provide their services with a high availability require certain security measures to remain available even when under packet-based network attacks. Unwanted packets must be dropped or mitigated as early as possible and as quickly as possible. This work analyses the eXpress Data Path (XDP) as a technique for early packet dropping and the extended Berkeley Packet Filter (eBPF) as a mechanism for high-speed packet analysis. Examples of current firewalling practices on Linux kernel based systems are observed and a design and the behavioural goals of a system for high-speed packet filtering based on eBPF and XDP are provided. The implementation of the design is then described in detail. Finally, results of several performance tests are presented, showing the XDP solution's performance advatages over contemporary filtering techniques.
|
|
|
Automatická mitigace DDoS útoku
Nagy, Peter ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Cieľom práce je automatizovaná mitigácia DDoS útokov. Táto práca sa zaoberá prehľadom jednotlivých GNU/Linux systémov používaných na konfiguráciu siete. Cieľom je výber platformy, ktorá môže byť vhodne rozšírená za účelom automatizácie mitigácie DDoS útokov. Súčasťou práce je takisto prehľad jednotlivých typov DDoS útokov. Vybrané mitigačné metódy Remote Triggered Black Hole a BGP Flowspec sú bližšie popísané. Nástroje DDoS Defender a FastNetMon sú používané na detekciu DDoS útokov. Platforma NETX bola vybraná ako implementačná platforma. Komunikácia medzi zariadeniami prebieha pomocou API alebo protokolu BGP s použitím rozšírenia Flowspec.
|
|
|
Zero Copy Packet Processing
Plotěný, Ondřej ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
The aim of this thesis is a design and implementation of a net flow probe for 10GbE traffic. This thesis provides an overview of GNU/Linux utilities used for capture packets at high speeds and its fundamental mechanism. Next chapters introduce design and implementation of zero - copy probe capable to capture 10GbE traffic. The application uses the Express data path (XDP) and its AF_XDP socket to capturing traffic on interface. The test platform is used FIT VUT NETX platform.
|
|
|
NAT64 Performance Evaluation
Pokorný, Jan ; Veselý, Vladimír (oponent) ; Grégr, Matěj (vedoucí práce)
This thesis is focused on the challenges of the transition between IP protocol version 4 and IP protocol version 6. The transition can be solved by many transition mechanisms and this thesis thoroughly describe Stateful NAT64 transition mechanism. The thesis aims to test various implementations of NAT64 and find a suitable implementation for NETX router. The goal is to find an implementation that would achieve traffic throughput of about 10 Gbps. Several NAT64 implementations were evaluated in a testbed environment. Iperf and PF_Ring tools were used for throughput examination. Several different network traffic types have been measured to show the performance impact of each of the tested implementations. The results showed that the most suitable implementation of NAT64 is Jool. Jool reached the required throughput, its development is still active and offers other advanced features, thus Jool was integrated into the NETX router. A command line extension for manipulating Jool instance was designed, implemented and integrated to NETX command line. Additionally, a package distribution process was developed through the RPM package system to fit the NETX build system.The thesis outcome is full support of NAT64 transition mechanism in NETX platform achieving close to 10 Gbps.
|
|
|
NAT64 Performance Evaluation
Pokorný, Jan ; Veselý, Vladimír (oponent) ; Grégr, Matěj (vedoucí práce)
This thesis is focused on the challenges of the transition between IP protocol version 4 and IP protocol version 6. The transition can be solved by many transition mechanisms and this thesis thoroughly describe Stateful NAT64 transition mechanism. The thesis aims to test various implementations of NAT64 and find a suitable implementation for NETX router. The goal is to find an implementation that would achieve traffic throughput of about 10 Gbps. Several NAT64 implementations were evaluated in a testbed environment. Iperf and PF_Ring tools were used for throughput examination. Several different network traffic types have been measured to show the performance impact of each of the tested implementations. The results showed that the most suitable implementation of NAT64 is Jool. Jool reached the required throughput, its development is still active and offers other advanced features, thus Jool was integrated into the NETX router. A command line extension for manipulating Jool instance was designed, implemented and integrated to NETX command line. Additionally, a package distribution process was developed through the RPM package system to fit the NETX build system.The thesis outcome is full support of NAT64 transition mechanism in NETX platform achieving close to 10 Gbps.
|
|
|
Packet Filtering Using XDP
Mackovič, Jakub ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Computer systems which must provide their services with a high availability require certain security measures to remain available even when under packet-based network attacks. Unwanted packets must be dropped or mitigated as early as possible and as quickly as possible. This work analyses the eXpress Data Path (XDP) as a technique for early packet dropping and the extended Berkeley Packet Filter (eBPF) as a mechanism for high-speed packet analysis. Examples of current firewalling practices on Linux kernel based systems are observed and a design and the behavioural goals of a system for high-speed packet filtering based on eBPF and XDP are provided. The implementation of the design is then described in detail. Finally, results of several performance tests are presented, showing the XDP solution's performance advatages over contemporary filtering techniques.
|
|
|
Zero Copy Packet Processing
Plotěný, Ondřej ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
The aim of this thesis is a design and implementation of a net flow probe for 10GbE traffic. This thesis provides an overview of GNU/Linux utilities used for capture packets at high speeds and its fundamental mechanism. Next chapters introduce design and implementation of zero - copy probe capable to capture 10GbE traffic. The application uses the Express data path (XDP) and its AF_XDP socket to capturing traffic on interface. The test platform is used FIT VUT NETX platform.
|
|
|
Automatická mitigace DDoS útoku
Nagy, Peter ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Cieľom práce je automatizovaná mitigácia DDoS útokov. Táto práca sa zaoberá prehľadom jednotlivých GNU/Linux systémov používaných na konfiguráciu siete. Cieľom je výber platformy, ktorá môže byť vhodne rozšírená za účelom automatizácie mitigácie DDoS útokov. Súčasťou práce je takisto prehľad jednotlivých typov DDoS útokov. Vybrané mitigačné metódy Remote Triggered Black Hole a BGP Flowspec sú bližšie popísané. Nástroje DDoS Defender a FastNetMon sú používané na detekciu DDoS útokov. Platforma NETX bola vybraná ako implementačná platforma. Komunikácia medzi zariadeniami prebieha pomocou API alebo protokolu BGP s použitím rozšírenia Flowspec.
|
host ::
RSS.