DeepSec 2018 Talk: Suricata and XDP, Performance with an S like Security – Eric Leblond

Sanna/ November 2, 2018/ Conference, Security

extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity in the tracing and performance community in Linux for eBPF and among the networking people for XDP. After an introduction to these technologies, this talk proposes to have a look at the usage of the eBPF and XDP technology in the domain of security. A special focus lies on Suricata that uses this technology to enhance its performance and by consequence on the accuracy of its network analysis and detection.

We asked Eric a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • Packet loss really matters. A threat detection engine like Suricata is losing 10% of IDS alerts if it misses 3% of traffic. And there are 10% of incomplete file extraction with only 0.3% of packet loss.
  • The quantity of data seen on network is exploding, the complexity of threats is increasing, forcing threat detection systems to do more in-depth analysis. All that makes it really difficult for network intrusion detection systems to keep up to speed. But if you consider that there is some traffic that you don’t really want to see like encrypted traffic, maybe there is hope. If you manage to selectively get rid of this traffic, you can really lower the load. Suricata is implementing a generic bypass mechanism but it requires implementation at the capture level to be really efficient.
  • eXtreme Data Path is a new promising technology that allows user code to be run at the network driver level or even, for some devices, in the network card itself. It is a solution to a lot of problems where standard operating system limits are reached, like blocking distributed denial of services. Blocking traffic really early changes the balance between attackers and defenders.
  • Suricata is using XDP to provide a really efficient bypass mechanism for the standard Linux raw capture method.
  • But XDP is not just about dropping packets because it can be used for wire speed packet transfer. Suricata, for example, is using this feature to provide driver to driver packet routing when used in level 2 IPS mode.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

It did start when I heard too many people complaining about Suricata performance in IPS mode when working on top of Netfilter. It made me think about implementing flow bypass in Netfilter queue mode. The concept is really simple but the performance boost was impressive. I did present this at Netdev 1.1 in 2015, and since then I did work on extending this to other capture methods supported by Suricata. I did not think the evolution of Linux kernel would permit me to reach my goals, but I was really excited when I first heard about the extended Berkeley Packet Filter and even more when I discovered the XDP initiative a bit later on. I’ve followed the progress made in this fields  and implemented new features in Suricata when they were reaching the stable Linux kernel.

Why do you think this is an important topic?

Suricata usage of XDP provides interesting features regarding the project, but XDP could be used by itself to address other existing issues. Yes, we are talking about high performance networks, so IoT and most home network are out of scope, but if you take a project like Cilium that addresses inter VMs filtering via XDP there is a huge play field.

Is there something you want everybody to know – some good advice for our readers maybe?

The Security community should interact more with the community of Linux developers and even more so in the case of the networking. There are crazy things going on there and the Security community should take their share of fun and profit 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

XDP is seen by Internet giants like Facebook or Google as a way to run their own protocol independently of the Linux kernel. The risk is that we may see a big part of the traffic switch to custom protocols, which are evolving really fast. In term of security, it means passive analysis tools will not manage to keep up to the pace of evolution, and the visibility of internet traffic, already lowered by encryption, will get even lower. Be prepared to be blind and start looking for alternatives like internal traffic analysis.


 Eric Leblond is an active member of the open source community. Since 2009 he works on the development of Suricata, the open source IDS/IPS, and he is currently one of the Suricata core developers. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Share this Post