Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
Cynthia Thomas
Technology Evangelist, Covalent
@_techcet_
Gordon is back!
And he got a job at Lego.
Robot Competition
● Local marketing launches a robot competition for Danish residents
● Upcoming deadline means tons of uploaded media
Robot Competition (architecture diagram): End-User -> Web Front-End -> Image Upload Service -> Kafka Broker (x3, coordinated by Zookeeper x3) -> Image processing (x3); Mongo DB data store holding User Data and Inventory; Admin task and Audit paths.
Gordon’s Task List
● Deploy Cilium HTTP-aware security for microservices
● Isolate Kafka resources for old & new services
● DDOS mitigation via XDP/BPF
Gordon’s 1st Task
Update HTTP Security for Microservices
Evolution of Application Design & Delivery Frequency

  Application Architectures   Delivery Frequency   Operational Complexity
  Single Server App           Yearly               Low
  3-Tier App                  Monthly              Moderate
  Distributed Microservices   10-100 x’s / day     Extreme
The world still runs on iptables matching IPs and ports:

  $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
Example: HTTP calls (architecture diagram): End-User -> Web Front-End -> Image Upload Service -> Kafka Broker (Zookeeper) -> Image processing; Mongo DB data store with User Data and Inventory; Admin task and Audit paths.
Security for Microservices

The Web Front-End calls POST /image on the Image Upload Service API. The same API also serves GET /image, GET /image/flagged and PUT /image/id.

With L3/L4 filtering only, the rule looks like:

  iptables -s 10.1.1.1 -p tcp --dport 80 -j ACCEPT

Once the Web Front-End’s IP is allowed to reach port 80, every endpoint on that port is exposed to it: GET /image, GET /image/flagged and PUT /image/id are reachable even though only POST /image is needed.

Network Security has not evolved for microservices…
…until now.
Cilium API-Aware Security

With an L7 policy the rule is expressed in terms of the API itself: only the call the Web Front-End needs is allowed, and GET /image, GET /image/flagged and PUT /image/id stay blocked.

  FROM Web Front-End
  ALLOW POST /image
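The FROM/ALLOW rule above written as a Cilium network policy. This is an added example, not from the deck or the Cilium project; the policy name and the app labels (web-frontend, image-upload) are assumed, and the syntax follows the current CiliumNetworkPolicy format rather than the 2017-era one.

```yaml
# Added example (not from the deck). Policy name and labels are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: image-upload-api-policy
spec:
  description: "Web Front-End may only POST /image on the Image Upload Service"
  endpointSelector:
    matchLabels:
      app: image-upload            # assumed label on the Image Upload Service pods
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: web-frontend          # assumed label on the Web Front-End pods
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # Without this 'rules' section the policy is L3/L4 only: every endpoint
      # on port 80 (GET /image, GET /image/flagged, PUT /image/id) would be
      # exposed to the Web Front-End, exactly as with the iptables rule.
      rules:
        http:
        - method: "POST"
          path: "/image"
```

A Web Front-End request that does not match (for example GET /image/flagged) is answered at L7 with an HTTP 403 instead of being dropped at the packet level, which makes the denial visible in the application logs as well as in Cilium’s monitoring.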
Under the Hood: BPF
Linux
Superpowers
Unleashed
BPF instruction set

Excerpt from the kernel’s samples/bpf/sock_example.c: a socket filter that reads the IP protocol byte, uses it as the key into a BPF map and atomically increments the per-protocol packet counter stored there.

  struct bpf_insn prog[] = {
      BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),            /* r6 = skb */
      BPF_LD_ABS(BPF_B, ETH_HLEN + offsetof(struct iphdr, protocol)),
                                                      /* r0 = ip->protocol */
      BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),  /* *(u32 *)(fp - 4) = r0 */
      BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),           /* r2 = fp */
      BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),          /* r2 = fp - 4 (map key) */
      BPF_LD_MAP_FD(BPF_REG_1, map_fd),               /* r1 = map fd */
      BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
      BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),          /* if (r0 == NULL) skip 2 */
      BPF_MOV64_IMM(BPF_REG_1, 1),                    /* r1 = 1 */
      BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0),
                                                      /* xadd *r0 += r1 */
      BPF_MOV64_IMM(BPF_REG_0, 0),                    /* r0 = 0 */
      BPF_EXIT_INSN(),
  };

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/ast/bpf.git/tree/samples/bpf/sock_example.c
Cilium

Cilium Architecture (diagram): the Cilium Agent runs in user space and takes API Calls from Plugins and from the CLI, Monitoring and Policies; it generates BPF Code & Maps that are loaded into kernel space, where the BPF programs process Packets. Caption: Extremely scalable, highly customized network filtering, load-balancing, and monitoring.
Gordon’s 2nd Task
Isolate Kafka Topics
Kafka?
Used for building real-time pipelines and streaming apps.
- Horizontally scalable
- Fault-tolerant
- “Wicked fast”
Defined by its own protocol.
1/3 of all Fortune 500 companies use Kafka[1]
Kafka Concepts (diagram): Producers write to Topic 1; the Kafka Broker holds Topic 1 through Topic N; Topic 1 is read by Consumer Group A and Consumer Group B.
Security for Microservices
Gordon worries about open Kafka topics: “The API is too open! How do I bring on new services?”
Example: Kafka calls (architecture diagram): End-User -> Web Front-End -> Image Upload Service -> Kafka Broker (x3, coordinated by Zookeeper x3) -> Image processing (x3); Mongo DB data store with User Data and Inventory; Admin task and Audit paths.
Security for Microservices

Image processing uses the Kafka API to Fetch image from the Kafka Broker. The same broker also serves Fetch inventory, Fetch userid, Fetch analytics, Produce inventory, Produce image, Produce userid and Produce analytics.

With L3/L4 filtering only, the rule looks like:

  iptables -s 10.1.1.1 -p tcp --dport 9092 -j ACCEPT

Once Image processing’s IP is allowed to reach port 9092, the whole Kafka API is exposed to it: Fetch inventory, Fetch userid and Produce userid are reachable even though only Fetch image is needed.

With an L7 policy, only the needed call is allowed and the rest stays blocked:

  FROM Image processing
  ALLOW Fetch image
Demo!
Get real with Gordon

Demo: Kafka API Filtering (diagram): app1-producer, app1-consumer, app2-producer and app2-consumer all talk to kafka.

What just happened?

At L7, app1-producer uses the Kafka API to Produce to the imageprocessing topic. The Kafka Broker also accepts Produce userdata, but the policy allows only the one call:

  FROM app1-producer
  ALLOW Produce imageprocessing
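The two Kafka rules from the slides (Image processing may only Fetch image; app1-producer may only Produce imageprocessing) expressed as one Cilium policy on the broker. This is an added example, not from the deck or the Cilium project: the app labels and policy name are assumed, port 9092 and the topic names are taken from the slides, and it uses Cilium’s role-based Kafka rules from the current policy format.

```yaml
# Added example (not from the deck). Labels and the policy name are assumed;
# port 9092 and the topic names come from the slides.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-topic-isolation
spec:
  description: "Each service may reach only the Kafka call and topic it needs"
  endpointSelector:
    matchLabels:
      app: kafka                     # assumed label on the Kafka Broker pods
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: image-processing        # assumed label
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        # 'consume' maps to the Fetch request on the topic (plus the
        # supporting requests a consumer issues); Produce and Fetch on
        # inventory/userid/analytics stay denied.
        - role: "consume"
          topic: "image"
  - fromEndpoints:
    - matchLabels:
        app: app1-producer           # assumed label
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        # Produce to 'imageprocessing' only; Produce to 'userdata' is denied.
        - role: "produce"
          topic: "imageprocessing"
```

Because the broker side is selected, adding a new service later means adding one more ingress entry naming its label and topic; nothing already allowed for the existing services changes.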
Sidecar Proxy (diagram): the Cilium architecture above, with a Sidecar Proxy in user space beside the Cilium Agent; the BPF Code & Maps in kernel space still handle the Packets.

In-Kernel Kafka Parsing (diagram): the Cilium Agent with a kernel proxy implemented in BPF, so Kafka requests are parsed in kernel space without a user-space sidecar.
Gordon’s 3rd Task
DDOS Mitigation

Robot Competition
● Local marketing launches competition for Danish residents only
● DDOS anticipated from other countries and anti-Lego activists

Example: DDOS attack! (architecture diagram, as before): End-User -> Web Front-End -> Image Upload Service -> Kafka Broker (Zookeeper) -> Image processing; Mongo DB data store with User Data and Inventory; Admin task and Audit paths.
XDP/BPF handled in NIC driver (diagram): the Cilium Agent in user space loads BPF Code & Maps; alongside the BPF programs in kernel space, an XDP program runs at the NIC driver and handles Packets there.

Source: https://www.netdevconf.org/2.1/slides/apr6/zhou-netdev-xdp-2017.pdf
Facebook published BPF/XDP numbers for L3/L4 LB at Netdev 2.1 (chart: BPF/XDP throughput vs. IPVS throughput).
BPF with XDP Setup
pktgen attack: ~11.6 Mpps, randomly in 10.0.0.0/8
legit traffic: netperf tests on 10.192.1.0/24
Blacklist: 16M rules, all /32s in 10.0.0.0/8

BPF with XDP for DDoS mitigation

  Metric                          iptables / ipset   XDP
  DDoS rate [packets/s]           11.6M              11.6M
  Drop rate [packets/s]           7.1M               11.6M
  Time to load rules [time]       3 min 20 sec       31 sec
  Latency under load [ms]         2.3ms              0.1ms
  Throughput under DDoS [Gbit/s]  0.014              6.5
  Requests/s under DDoS [kReq/s]  0.28               82.8

Sender: Send 64B packets as fast as possible -> Receiver: Drop as fast as possible
Source: Daniel Borkmann’s presentation: http://schd.ws/hosted_files/ossna2017/da/BPFandXDP.pdf
Gordon’s Summary
● Cilium deployment for microservices successfully secured HTTP traffic
● Kafka resources were isolated to protect existing services from new ones
● Mitigated DDOS attacks via XDP/BPF
Cilium Project Status
• Cilium v0.12 release in October
• Docker, Kubernetes, and Mesos integration
• Looking for feedback and contributions
Take Action!
• Getting Started Using Docker: docs.cilium.io/
• Join our Slack community!
• Check out the project website for more details: https://www.cilium.io/
• Please ★ us on GitHub
Thank You!
github.com/cilium/cilium
cilium.io
@ciliumproject