DoS/DDoS protection for end nodes

DoS/DDoS protection for end nodes

[William N.]

Hi,

I have been searching and reading, and reading... I understand this is
a huge and complex subject, especially for a non-expert. I read earlier
discussions on this ML - some answers seem to say it is futile (i.e.
something that should be done by the ISPs, not by the end clients),
others suggest there is benefit in doing at least what is possible. So,
I hope to have some things clarified by the experts here.

XY: I am trying to do what is right for the network security of a SOHO
LAN. The nodes are distrusted, i.e. there is no assumption that they
are/will always be "clean" just because they are on the LAN.

My questions:

1. Is there a point to attempt DoS/DDoS protection directly on the LAN
nodes (Linux based)?

2. What is the right approach (using nftables)?

Re: DoS/DDoS protection for end nodes

[Serg]

Your question is too broad, but in case of protecting from DDoS over WAN, nftables is not suitable simply because attacker can easily overwhelm your uplink. However, for high-performance scenarios, XDP is a better alternative to nftables.

For LAN, I suppose rate-limit using nftables is sufficient to handle DoS (if you have untrusted devices in your network). I can't imagine of any DDoS scenario in LAN though.

On 4/17/24 19:43, William N. wrote:
> Hi,
> 
> I have been searching and reading, and reading... I understand this is
> a huge and complex subject, especially for a non-expert. I read earlier
> discussions on this ML - some answers seem to say it is futile (i.e.
> something that should be done by the ISPs, not by the end clients),
> others suggest there is benefit in doing at least what is possible. So,
> I hope to have some things clarified by the experts here.
> 
> XY: I am trying to do what is right for the network security of a SOHO
> LAN. The nodes are distrusted, i.e. there is no assumption that they
> are/will always be "clean" just because they are on the LAN.
> 
> My questions:
> 
> 1. Is there a point to attempt DoS/DDoS protection directly on the LAN
> nodes (Linux based)?
> 
> 2. What is the right approach (using nftables)?
> 

Re: DoS/DDoS protection for end nodes

[William N.]

On Wed, 17 Apr 2024 20:25:51 +0000 Serg wrote:

> Your question is too broad,

Yes, because the subject itself is broad and I am trying to figure the
general idea correctly. AFAIU, it is performance.

> However, for high-performance scenarios, XDP is a better alternative
> to nftables.

After reading your reply, I did more reading. A few interesting links
(out of many which I read) from this additional research:

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
https://github.com/mbertrone/bpf-iptables
https://www.phoronix.com/news/BPFILTER-2021

IIUC, there is this general long-term idea to move from
iptables/nftables rules to BPF (bpfilter), thus gaining performance and
there have been PoCs about that back in 2018. I could not find info
about how this has actually progressed (as it would really not be fun
to write firewall rules in C, parallel to using nftables).

What can you tell me about that?
How suitable is Cilium for SOHO needs?
Is bpfilter practical or not yet? Any documentation about it?
Am I looking at the wrong things?

Re: DoS/DDoS protection for end nodes

[Florian Kauer]

On 4/18/24 14:13, William N. wrote:
> On Wed, 17 Apr 2024 20:25:51 +0000 Serg wrote:
> 
>> Your question is too broad,
> 
> Yes, because the subject itself is broad and I am trying to figure the
> general idea correctly. AFAIU, it is performance.
> 
>> However, for high-performance scenarios, XDP is a better alternative
>> to nftables.
> 
> After reading your reply, I did more reading. A few interesting links
> (out of many which I read) from this additional research:
> 
> https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
> https://github.com/mbertrone/bpf-iptables
> https://www.phoronix.com/news/BPFILTER-2021
> 
> IIUC, there is this general long-term idea to move from
> iptables/nftables rules to BPF (bpfilter), thus gaining performance and
> there have been PoCs about that back in 2018. I could not find info
> about how this has actually progressed (as it would really not be fun
> to write firewall rules in C, parallel to using nftables).
> 
> What can you tell me about that?
> How suitable is Cilium for SOHO needs?

Very suitable if and only if you have multiple containers running on the same device,
so depends on your definition of SOHO.

> Is bpfilter practical or not yet? Any documentation about it?
> Am I looking at the wrong things?
> 

Regarding bpfilter have a look at Quentin's LPC talk:
https://lpc.events/event/17/contributions/1589/
So the basic idea is to maintain the iptables and/or nftables interface and "just" translate them to BPFs in the back. So no need to write C if you don't want to.

Greetings,
Florian

Re: DoS/DDoS protection for end nodes

[William N.]

On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:

> So the basic idea is to maintain the iptables and/or nftables
> interface and "just" translate them to BPFs in the back. So no need
> to write C if you don't want to.

Then nftables can be used against DDoS with the BPF performance, right?

Has this made it to the mainline kernel or it is still something
experimental?

Re: DoS/DDoS protection for end nodes

[Serhii]

No, nftables hooks are running too late to have similar performance as XDP/eBPF offers.

2024-04-18T15:33:34Z William N. <netfilter@riseup.net>:

> Then nftables can be used against DDoS with the BPF performance, right?

-- 
Send unsolicited bulk email to carle34@at.encryp.ch

Re: DoS/DDoS protection for end nodes

[William N.]

On Thu, 18 Apr 2024 16:16:20 +0000 (UTC) Serhii wrote:

> No, nftables hooks are running too late to have similar performance
> as XDP/eBPF offers.

In that case, XDP (and hence C coding) is still necessary, right?

Re: DoS/DDoS protection for end nodes

[Kerin Millar]

On Thu, 18 Apr 2024, at 4:32 PM, William N. wrote:
> On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:
>
>> So the basic idea is to maintain the iptables and/or nftables
>> interface and "just" translate them to BPFs in the back. So no need
>> to write C if you don't want to.
>
> Then nftables can be used against DDoS with the BPF performance, right?
>
> Has this made it to the mainline kernel or it is still something
> experimental?

See:

http://vger.kernel.org/bpfconf2023_material/bpfilter.pdf
https://www.socallinuxexpo.org/sites/default/files/presentations/Scale21x.pdf

Also:

https://facebook.github.io/bpfilter/index.html
https://github.com/qdeslandes/iptables
https://github.com/qdeslandes/nftables/tree/bpfilter_support

The latter two links are for Deslandes' forks of iptables and nftables. I don't know what Meta are using behind the scenes but both appear to be highly experimental.

-- 
Kerin Millar

Re: DoS/DDoS protection for end nodes

[William N.]

Thanks for the info.
I guess it is too early for it then.

Re: DoS/DDoS protection for end nodes

[Quentin Deslandes]

On 18/04/2024 17:32, William N. wrote:
> On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:
> 
>> So the basic idea is to maintain the iptables and/or nftables
>> interface and "just" translate them to BPFs in the back. So no need
>> to write C if you don't want to.

That's the idea. bpfilter is the back-end working transparently to
convert nftables (or iptables) rules into BPF program(s). Florian
Westphal expressed interest a few months ago to offload nftables
rules into XDP using bpfilter, so I implemented it. 

While nftables doesn't support bpfilter officially, my fork [0]
enable the --bpf flag to send the Netlink requests to the bpfilter
daemon instead of the kernel. nftables support is still early, but you
can filter on IP and ports, and bpfilter will create and attach
an XDP program to your system.

> Then nftables can be used against DDoS with the BPF performance, right?
> 
> Has this made it to the mainline kernel or it is still something
> experimental?
> 

The project is still under heavy development, but there was a lot
to do in the background. There are a lot more changes planned in the
coming months to extend its capabilities.

See:
- https://github.com/facebook/bpfilter
- My talk at LPC 2023: https://www.youtube.com/watch?v=J5Hm6PrJWI4&t=27649s
- (Growing) documentation: https://facebook.github.io/bpfilter/index.html

Feel free to reach out if you want to know more :)

[0]: https://github.com/qdeslandes/nftables/tree/bpfilter_support

Regards,
Quentin Deslandes

Re: DoS/DDoS protection for end nodes

[William N.]

Thanks for the feedback, Quentin!
It's great to have you here.

As discussed in another thread recently, I wonder what your testing
procedures are to compare the performance of one ruleset with that of
another for the purpose of hopefully optimizing whatever is possible.

Re: DoS/DDoS protection for end nodes

[Quentin Deslandes]

On 22/04/2024 17:12, William N. wrote:
> Thanks for the feedback, Quentin!
> It's great to have you here.
> 
> As discussed in another thread recently, I wonder what your testing
> procedures are to compare the performance of one ruleset with that of
> another for the purpose of hopefully optimizing whatever is possible.

I've used pktgen [0], which is a kernel module able to generate fake traffic
at very high speed. You can define the packet size and rate. Using two
servers, I've been able to estimate the processing rate of iptables,
nftables, and bpfilter's BPF programs by using the rules packet counters.

I'm not 100% sure checking the rules counters is the best approach, but it's
convenient and reliable.

[0]: https://docs.kernel.org/networking/pktgen.html

Re: DoS/DDoS protection for end nodes

[William N.]

Thanks! I will look into that.

Re: DoS/DDoS protection for end nodes

[Reindl Harald]

Am 17.04.24 um 21:43 schrieb William N.:
> I have been searching and reading, and reading... I understand this is
> a huge and complex subject, especially for a non-expert. I read earlier
> discussions on this ML - some answers seem to say it is futile (i.e.
> something that should be done by the ISPs, not by the end clients),
> others suggest there is benefit in doing at least what is possible. So,
> I hope to have some things clarified by the experts here.
> 
> XY: I am trying to do what is right for the network security of a SOHO
> LAN. The nodes are distrusted, i.e. there is no assumption that they
> are/will always be "clean" just because they are on the LAN.
> 
> My questions:
> 
> 1. Is there a point to attempt DoS/DDoS protection directly on the LAN
> nodes (Linux based)?
> 
> 2. What is the right approach (using nftables)?

you can rate-limit requests but for a real DDOS you have *nothing* on 
your side - your upstream connection is overloaded and dropping packets 
will gain you nothing

Re: DoS/DDoS protection for end nodes

[Joshua Moore]

Agreed. Also trying to react to a DDoS could cause you to DoS yourself :)

I’ve seen this in hardware appliance firewalls trying to be creative with threat detection/IPS.

> On Apr 17, 2024, at 2:05 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
> 
>> Am 17.04.24 um 21:43 schrieb William N.:
>> I have been searching and reading, and reading... I understand this is
>> a huge and complex subject, especially for a non-expert. I read earlier
>> discussions on this ML - some answers seem to say it is futile (i.e.
>> something that should be done by the ISPs, not by the end clients),
>> others suggest there is benefit in doing at least what is possible. So,
>> I hope to have some things clarified by the experts here.
>> XY: I am trying to do what is right for the network security of a SOHO
>> LAN. The nodes are distrusted, i.e. there is no assumption that they
>> are/will always be "clean" just because they are on the LAN.
>> My questions:
>> 1. Is there a point to attempt DoS/DDoS protection directly on the LAN
>> nodes (Linux based)?
>> 2. What is the right approach (using nftables)?
> 
> you can rate-limit requests but for a real DDOS you have *nothing* on your side - your upstream connection is overloaded and dropping packets will gain you nothing
>