초당 천만개의 패킷을 버리는 방법

초당 천만개의 패킷을 버리는 방법

This is a Korean translation of a prior post by Marek Majkowski.

사내에서 DDoS 대응팀은 종종 "패킷 버리는 사람들"이라 불립니다. 다른 팀이 우리 네트워크를 통해 지나가는 트래픽으로 스마트한 일을 하며 신나할 때 우리는 그걸 버리는 여러가지 방법을 찾아가며 즐거워 합니다.

초당 천만개의 패킷을 버리는 방법

CC BY-SA 2.0 image by Brian Evans

DDoS 공격을 견뎌내기 위해서는 빠르게 패킷을 버릴 수 있는 능력이 매우 중요합니다.

쉽게 들리겠지만 서버에 도달한 패킷을 버리는 것은 여러 단계에서 가능합니다. 각 기법은 장점과 한계점이 있습니다. 이 블로그 글에서는 지금까지 시도해 본 기법들을 모두 정리해 보도록 하겠습니다.

테스트 벤치마크

각 기법의 상대적인 성능을 시각화하기 위해서 먼저 숫자를 볼 것입니다. 벤치마크는 합성 테스트이므로 실제 숫자와는 일부 차이가 있을 수 있습니다. 테스트를 위해서는 10Gbps 네트워크 카드가 달린 인텔 서버를 사용할 것입니다. 하드웨어가 아니라 운영체제의 한계를 보여주기 위한 테스트이므로 하드웨어의 상세 사항은 적지 않겠습니다.

테스트 설정은 다음과 같습니다:

  • 작은 크기의 UDP 패킷을 14Mpps (Mpps = 초당 백만 패킷) 에 도달하도록 대량으로 전송
  • 이 트래픽은 테스트 서버의 단일 CPU에 전달되도록 함
  • 단일 CPU에서 커널에 의해 처리되는 패킷의 개수를 측정

테스트는 사용자 공간 어플리케이션의 속도나 패킷 처리 속도를 최대화하려는 것이 아니라 커널의 병목 지점을 알고자 하는 것입니다.

합성 트래픽은 conntrack에 최대한의 부하를 주도록 준비되었습니다 - 임의의 소스 IP와 포트 필드를 사용합니다. tcpdump는 다음과 같이 Continue reading

Openswitch OPX Installation on Linux

We have recently covered installation of Openswitch OPS on Linux. Since the version 2.0, Openswitch OPS has transformed into to a completely new project, called Openswitch OPX Base. Similar to its predecessor, OpenSwitch OPX Base system also provides an abstraction of hardware devices of network switch platforms in a Linux OS environment. However, original Yocto OS has been replaced by an unmodified Linux kernel based on Debian Jessie distribution.

We can install OPX Base on a virtual machine, similar to installing OpenSwitch on hardware platforms. A virtual machine (VM) uses the same software binaries as those executed on S6000-ON devices. The main difference is that the low-level device drivers for the SAI and SDI libraries are replaced with the packages that support hardware simulation, and interact with the hardware simulation infrastructure.

A host machine running Openswitch OPX VM might be Windows, or Mac OS X with at least 8GB of RAM and 100GB available disk space, and Virtual Box installed. The virtual machine needs to have one network interface configured for the Management interface (eth0). The network adapter eth0 corresponds to the first adapter attached to the VM, e101-001-0 to the second adapter and so on, and e101-00N-1 to Continue reading

Openswitch OPX Installation on Linux

We have recently covered installation of Openswitch OPS on Linux. Since the version 2.0, Openswitch OPS has transformed into to a completely new project, called Openswitch OPX Base. Similar to its predecessor, OpenSwitch OPX Base system also provides an abstraction of hardware devices of network switch platforms in a Linux OS environment. However, original Yocto OS has been replaced by an unmodified Linux kernel based on Debian Jessie distribution.

We can install OPX Base on a virtual machine, similar to installing OpenSwitch on hardware platforms. A virtual machine (VM) uses the same software binaries as those executed on S6000-ON devices. The main difference is that the low-level device drivers for the SAI and SDI libraries are replaced with the packages that support hardware simulation, and interact with the hardware simulation infrastructure.

A host machine running Openswitch OPX VM might be Windows, or Mac OS X with at least 8GB of RAM and 100GB available disk space, and Virtual Box installed. The virtual machine needs to have one network interface configured for the Management interface (eth0). The network adapter eth0 corresponds to the first adapter attached to the VM, e101-001-0 to the second adapter and so on, and e101-00N-1 to Continue reading

Openswitch OPX Appliances

OpenSwitch OPX Base is an innovative operating system for network systems. It uses an unmodified Linux kernel and standard distribution to take advantage of rich ecosystem, and also provide flexibility in customizing your system according to your network needs.

Note: Openswitch OPX images are customized with my after install script  and they are ready for use in GNS3.

Openswitch OPX 2.3.2
https://drive.google.com/file/d/1Vdpjoz53R7Rx1HYi8KcEuRuNvQnMMn0f/view?usp=sharing
https://sourceforge.net/projects/gns-3/files/VirtualBox%20Appliances/OpenswitchOPX-2.3.2.zip
https://www.4shared.com/s/fQu2DUd9dca

Openswitch OPX Appliances

OpenSwitch OPX Base is an innovative operating system for network systems. It uses an unmodified Linux kernel and standard distribution to take advantage of rich ecosystem, and also provide flexibility in customizing your system according to your network needs.

Note: Openswitch OPX images are customized with my after install script  and they are ready for use in GNS3.

Openswitch OPX 2.3.2
https://drive.google.com/file/d/1Vdpjoz53R7Rx1HYi8KcEuRuNvQnMMn0f/view?usp=sharing
https://sourceforge.net/projects/gns-3/files/VirtualBox%20Appliances/OpenswitchOPX-2.3.2.zip
https://www.4shared.com/s/fQu2DUd9dca

Oblix: an efficient oblivious search index

Oblix: an efficient oblivious search index Mishra et al., IEEE Security & Privacy 2018

Unfortunately, many known schemes that enable search queries on encrypted data achieve efficiency at the expense of security, as they reveal access patterns to the encrypted data. In this paper we present Oblix, a search index for encrypted data that is oblivious (provably hides access patterns) is dynamic (supports inserts and deletes), and has good efficiency.

There’s a lot to this paper! Starting with a recap of existing work on Path ORAM (Oblivious RAM) and Oblivious Data Structures (ODS), Mishra introduce an extension for an Oblivious Sorted Multimap (OSM) (such that you can look up a key and find a set of associated values, handy for building indexes!). Then because their design runs a client-proxy process inside an enclave at the server, and enclaves still leak some information, they also design “doubly-oblivious” versions of all of the above that hide the client access patterns in addition to those at the server process. It’s all topped off with an implementation in Rust (nice to see Rust being used for systems research), and an evaluation with three prime use cases: private contact discovery in Signal, Continue reading

Linux Shell Tips and Tricks

A collection of useful tips and tricks for the linux shell that I have stumbled across over the years. I'll keep updating this post as I come across something of value. I use bash, so these apply to bash unless noted otherwise but my work in other shells. cat The cat command can be...

Cool Hacks Spotlight: Gloo Function Gateway

To close DockerCon Cool Hacks keynote, Idit Levine from Solo.io presented Gloo, a high-performance, plugin-extendable, platform-agnostic function Gateway built on top of Envoy.

Idit showed a demo that involved modernizing a traditional application; the classic Spring Pet Clinic sample app, by containerizing it and deploying it to Docker Enterprise Edition. She added functionality to the app by adding a microservice written in Go through a Gloo route. Then added more functionality by adding a Gloo route to an AWS Lambda function, creating a true hybrid cloud application combining legacy, microservices and serverless components.

She then provided a demo of Squash, that works with Gloo to live debug two microservices forming an application running in Kubernetes on Docker Enterprise Edition, one in Java from IntelliJ, one in Go from Visual Studio Code.

She finished her presentation by announcing and open sourcing Qloo, a GraphQL Server built on top of Gloo and the Envoy Proxy. This allows you to add GraphQL support without any coding to your existing application, and combining functions together in a workflow described as a graph.

See all these excellent demos in the video below, and view the presentation on SlideShare.

 #Docker Spotlights: @gloo a Continue reading

iNOG-10 & RIPE-Hackathon

In June 2018, I was lucky enough to attend the iNOG 10 session in Dublin, co-present a talk and also take part in the RIPE hackathon.

This post is a share on the experience. This isn’t because I’m running out of non-technical material, but this is to uncover both events for those that may want to attend, take part and experience what these kinds of sessions offer.

iNOG

The iNOG Irish Network Operators community surfaced briefly with events in 2005 (originally as the IENOG) but fell silent and was reborn in 2015 as the organisation
as it is today. Started by five returnees to Ireland and some economic migrants, the group has been seeing a high number of attendees to the events and over 700 members on Meetup! Not bad for something that came in on a started on a boat!!! (See below).

The group aims to deliver valuable content to the audience free of charge. Whilst ‘valuable’ has a variety of meanings depending on the audience, the general idea is to share experience of network based activities. As you can imagine, this is very wide ranging and just in the iNOG 10 session, talks were given on automation, data Continue reading

Check Out Our Newest Network Automation Course, Now Available On Our Streaming Site

We’ve just added a new Network Automation course, Network Automation with Ansible (v2), to our video library!



Instructor: Eric Chou

Course Duration: 4hrs 33min


Course Description

Ansible is quickly becoming the automation tool of choice for networking. This course aims to demystify Ansible and get you up and running with today’s technologies. After covering the basics, we’ll move on to the more advanced topics as they are applicable to network automation. This course will be cover the latest Ansible GA release 2.4 with some augments for upcoming development release 2.5.

Getting Started: Workflow Job Templates

Welcome to another post in the Getting Started series! Today we’re going to get into the topic of Workflow Job Templates. If you don’t know what regular Job Templates are in Red Hat Ansible Tower, please read the previously published article that describes them. It’ll provide you with some technical details that’ll be a useful jumping-off point for the topic of workflows.

Once you’re familiar with the basics, read on! We’ll be covering what exactly Workflow Job Templates are, what makes them useful, how to generate/edit one, and a few extra pointers as well as best practices to make the most out of this great tool.

What is a Workflow Job Template?

The word “workflow” says it all. This particular feature in Ansible Tower (available as of version 3.1) enables users to create sequences consisting of any combination of job templates, project syncs, and inventory syncs that are linked together in order to execute them as a single unit. Because of this, workflows can help you organize playbooks and job templates into separate groups.

Why are Workflows Useful?

By utilizing this feature, you can set up ordered structures for different teams to use. For example, two different environments (i. Continue reading

Research: P Fat Trees

Link speeds in data center fabrics continue to climb, with 10g, 25g, 40g, and 100g widely available, and 400g promised in just a few short years. What isn’t so obvious is how these higher speeds are being reached. A 100g link, for instance, is really four 25g links bundled as a single link at the physical layer. If the optics are increasing in speed, and the processors are increasing in their ability to switch traffic, why are these higher speed links being built in this way? According to the paper under investigation today, the reason is the speed of the chips that serialize traffic from and deserialize traffic off the optical medium. The development of the Complementary metal–oxide–semiconductor, of CMOS, chips required to build ever faster optical interfaces seems to have stalled out at around 25g, which means faster speeds must be achieved by bundling multiple lower speed links.

Mellette, William M., Alex C. Snoeren, and George Porter. “P-FatTree: A Multi-Channel Datacenter Network Topology.” In Proceedings of the 15th ACM Workshop on Hot Topics in Networks, 78–84. HotNets ’16. New York, NY, USA: ACM, 2016. https://doi.org/10.1145/3005745.3005746.

The authors then point out that many data operators Continue reading

1 1,586 1,587 1,588 1,589 1,590 3,883