d4450991a2
User could build xdp-synproxy container and runs in kubernetes as daemonset to protect kubernetes node from SYN flood attack Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
XDP SYNPROXY sample application
This is a sample application for XDP SYNPROXY. It was cloned from the Linux source code tree under tools/testing/selftests/bpf and called xdp_synproxy. main purpose of it is to demonstrate capabilities of XDP accelerating SYN Proxying for SYN flood DDOS protection. It is a real practical example for user to use. For an overview of accelerating SYNPROXY WITH XDP, Please refer to this paper (https://netdevconf.info/0x15/slides/30/Netdev%200x15%20Accelerating%20synproxy%20with%20XDP.pdf)
This sample application is tested with Ubuntu 22.04 with 6.2 kernel.
Note XDP SYNPROXY requires netfilter connection tracking and here are the sysctl knobs and iptables rules preparation for XDP SYNPROXY:
sudo sysctl -w net.ipv4.tcp_syncookies=2
sudo sysctl -w net.ipv4.tcp_timestamps=1
sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
sudo iptables -t raw -I PREROUTING -i <interface> -p tcp -m tcp --syn --dport <port> -j CT --notrack
sudo iptables -t filter -A INPUT -i <interface> -p tcp -m tcp --dport <port> -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -t filter -A INPUT -i <interface> -m state --state INVALID -j DROPHere is how to start the XDP SYNPROXY application:
sudo xdp_synproxy --iface <interface> --mss4 1460 --mss6 1440 --wscale 7 --ttl 64 --ports <port1>,<port2>XDP SYNPROXY could be built in in container and run by docker
sudo docker build . -t xdp-synproxy:0.1
sudo docker run -it -h xdp-synproxy --network=host --privileged xdp-synproxy:0.1XDP SYNPROXY could be deployed in Kubernetes cluster as DaemonSet, Please see (https://youtu.be/nIrp0Lv-e0g?si=g-pXl4agVQM6_FYW)
sudo kubectl apply -f xdp-synproxy-daemonset.yaml
sudo kubectl get po -o wide -l app=xdp-synproxy
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xdp-synproxy-6x29j 1/1 Running 0 5d2h 10.169.72.239 cilium-dev <none> <none>
xdp-synproxy-xj98j 1/1 Running 0 5d2h 10.169.72.233 centos-dev.localdomain <none> <none>XDP SYNPROXY can coexist with other XDP programs since we use libxdp to attach the XDP SYNPROXY program, meaning you could build chain of XDP programs and attach them to same network interface. Note xdp-loader could be built statically and shipped with xdp-synproxy container.
sudo kubectl exec -it xdp-synproxy-6x29j -- xdp-loader status
CURRENT XDP PROGRAM STATUS:
Interface Prio Program name Mode ID Tag Chain actions
--------------------------------------------------------------------------------------
ens192 xdp_dispatcher native 899 90f686eb86991928
=> 50 syncookie_xdp 908 6c6615566a2e0419 XDP_PASS