Thesis Details
Packet Filtering Using XDP
Computer systems which must provide their services with a high availability require certain security measures to remain available even when under packet-based network attacks. Unwanted packets must be dropped or mitigated as early as possible and as quickly as possible. This work analyses the eXpress Data Path (XDP) as a technique for early packet dropping and the extended Berkeley Packet Filter (eBPF) as a mechanism for high-speed packet analysis. Examples of current firewalling practices on Linux kernel based systems are observed and a design and the behavioural goals of a system for high-speed packet filtering based on eBPF and XDP are provided. The implementation of the design is then described in detail. Finally, results of several performance tests are presented, showing the XDP solution's performance advantages over contemporary filtering techniques.
XDP, BPF, eBPF, packet filtering, NETX
Češka Milan, prof. RNDr., CSc. (DITS FIT BUT), member
Hladká Eva, doc. RNDr., Ph.D. (FI MUNI), member
Jaroš Jiří, doc. Ing., Ph.D. (DCSY FIT BUT), member
Kořenek Jan, doc. Ing., Ph.D. (DCSY FIT BUT), member
Matoušek Petr, doc. Ing., Ph.D., M.A. (DIFS FIT BUT), member
@mastersthesis{FITMT21433,
  author = "Jakub Mackovi\v{c}",
  type = "Master's thesis",
  title = "Packet Filtering Using XDP",
  school = "Brno University of Technology, Faculty of Information Technology",
  year = 2019,
  location = "Brno, CZ",
  language = "english",
  url = "https://www.fit.vut.cz/study/thesis/21433/"
}