|
|
Packet Filtering Using XDP
Mackovič, Jakub ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Computer systems which must provide their services with a high availability require certain security measures to remain available even when under packet-based network attacks. Unwanted packets must be dropped or mitigated as early as possible and as quickly as possible. This work analyses the eXpress Data Path (XDP) as a technique for early packet dropping and the extended Berkeley Packet Filter (eBPF) as a mechanism for high-speed packet analysis. Examples of current firewalling practices on Linux kernel based systems are observed and a design and the behavioural goals of a system for high-speed packet filtering based on eBPF and XDP are provided. The implementation of the design is then described in detail. Finally, results of several performance tests are presented, showing the XDP solution's performance advatages over contemporary filtering techniques.
|
|
|
Monitorování síťového provozu s využitím jazyka P4
Patová, Pavlína ; Matoušek, Jiří (oponent) ; Martínek, Tomáš (vedoucí práce)
Dnes se často setkáváme s potřebou monitorovat kvalitu sítě a služeb. K tomuto účelu může posloužit například INT. Cílem je nalézt optimální platformu a s tím spojený překladač pro implementaci INT, pokusíme se tedy k již implementovaným aplikacím (T4P4S, BMv2) nalézt alternativu. Tyto dvě platformy, ale také zmíníme a rozebereme jejich výhody a nevýhody. Výsledkem práce je přehled možností jednotlivých kompilátorů a výkonu popsaných řešení.
|
|
|
Zero Copy Packet Processing
Plotěný, Ondřej ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
The aim of this thesis is a design and implementation of a net flow probe for 10GbE traffic. This thesis provides an overview of GNU/Linux utilities used for capture packets at high speeds and its fundamental mechanism. Next chapters introduce design and implementation of zero - copy probe capable to capture 10GbE traffic. The application uses the Express data path (XDP) and its AF_XDP socket to capturing traffic on interface. The test platform is used FIT VUT NETX platform.
|
|
|
Optimization of the Suricata IDS/IPS
Šišmiš, Lukáš ; Fukač, Tomáš (oponent) ; Korček, Pavol (vedoucí práce)
The recent rapid increase of network traffic bandwidth has sprung new challenges in securing the network. It is vital to keep monitoring the traffic to securely identify threats in the network. Systems like IDS (intrusion detection systems) alert us about events in the analyzed traffic. Suricata , as one of the available IDS, was chosen for this thesis. The ultimate goal of the thesis is to tune settings of AF_PACKET capture interface to reach the best performance possible and then suggest and implement an optimization for Suricata . Results of the AF_PACKET should be used as a baseline for comparison with future improvements. Optimization is based on implementing a new capture interface to Suricata that is based on Data Plane Development Kit ( DPDK ). DPDK helps to accelerate packet capture and this implies that it might improve the performance of Suricata . Results that compare AF_PACKET and DPDK performance are evaluated at the end of this master thesis.
|
|
|
Monitorování síťového provozu s využitím jazyka P4
Patová, Pavlína ; Matoušek, Jiří (oponent) ; Martínek, Tomáš (vedoucí práce)
Dnes se často setkáváme s potřebou monitorovat kvalitu sítě a služeb. K tomuto účelu může posloužit například INT. Cílem je nalézt optimální platformu a s tím spojený překladač pro implementaci INT, pokusíme se tedy k již implementovaným aplikacím (T4P4S, BMv2) nalézt alternativu. Tyto dvě platformy, ale také zmíníme a rozebereme jejich výhody a nevýhody. Výsledkem práce je přehled možností jednotlivých kompilátorů a výkonu popsaných řešení.
|
|
|
Optimization of the Suricata IDS/IPS
Šišmiš, Lukáš ; Fukač, Tomáš (oponent) ; Korček, Pavol (vedoucí práce)
The recent rapid increase of network traffic bandwidth has sprung new challenges in securing the network. It is vital to keep monitoring the traffic to securely identify threats in the network. Systems like IDS (intrusion detection systems) alert us about events in the analyzed traffic. Suricata , as one of the available IDS, was chosen for this thesis. The ultimate goal of the thesis is to tune settings of AF_PACKET capture interface to reach the best performance possible and then suggest and implement an optimization for Suricata . Results of the AF_PACKET should be used as a baseline for comparison with future improvements. Optimization is based on implementing a new capture interface to Suricata that is based on Data Plane Development Kit ( DPDK ). DPDK helps to accelerate packet capture and this implies that it might improve the performance of Suricata . Results that compare AF_PACKET and DPDK performance are evaluated at the end of this master thesis.
|
|
|
Packet Filtering Using XDP
Mackovič, Jakub ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
Computer systems which must provide their services with a high availability require certain security measures to remain available even when under packet-based network attacks. Unwanted packets must be dropped or mitigated as early as possible and as quickly as possible. This work analyses the eXpress Data Path (XDP) as a technique for early packet dropping and the extended Berkeley Packet Filter (eBPF) as a mechanism for high-speed packet analysis. Examples of current firewalling practices on Linux kernel based systems are observed and a design and the behavioural goals of a system for high-speed packet filtering based on eBPF and XDP are provided. The implementation of the design is then described in detail. Finally, results of several performance tests are presented, showing the XDP solution's performance advatages over contemporary filtering techniques.
|
|
|
Zero Copy Packet Processing
Plotěný, Ondřej ; Podermański, Tomáš (oponent) ; Grégr, Matěj (vedoucí práce)
The aim of this thesis is a design and implementation of a net flow probe for 10GbE traffic. This thesis provides an overview of GNU/Linux utilities used for capture packets at high speeds and its fundamental mechanism. Next chapters introduce design and implementation of zero - copy probe capable to capture 10GbE traffic. The application uses the Express data path (XDP) and its AF_XDP socket to capturing traffic on interface. The test platform is used FIT VUT NETX platform.
|
host ::
RSS.