Author: Alfredo Cardigliano

ntop

Introducing PF_RING 7.2, including PF_RING FT and nBroker

This is to announce a new PF_RING major release, 7.2, that includes: support for Ubuntu 18 as well as the latest Debian and CentOS kernels; many improvements to the FPGA capture modules and the ZC library (which is now able to reserve head room for zero-copy traffic encapsulation/decapsulation, to mention just one); full support for containers and namespaces. Besides many improvements and bug fixes, this release also introduces PF_RING FT, a highly optimized library that assists flow-processing applications with L7 classification and filtering, and nBroker, a framework for hardware-based traffic steering and filtering …
PF_RING

How to accelerate Suricata, Bro, Snort with PF_RING FT

In a previous post we discussed the advantages of using specialized adapters featuring flow offload in hardware for accelerating IDS applications. What we have learnt is that IDSs are typically CPU-bound applications, mainly because of the thousands of rules that need to be evaluated for every single packet (in addition to packet capture, of course). This is the case for Suricata, Bro, Snort and other IDS/IPSs, as well as other security applications. More than 2/3 of the Internet traffic is multimedia traffic (mostly video, social networks and music streaming), consisting of a few …
PF_RING

Introducing nBroker: Traffic Steering and Filtering on Intel RRC (FM10K)

Exactly two years ago we introduced Intel FM10K (FM10000) support in PF_RING ZC. The Intel FM10K Ethernet controller family supports 10/25/40/100 Gbit on the same NIC at a convenient price (sub-$1000 range), and it powers various NIC models manufactured by Silicom Inc. The most interesting aspect of the FM10K is the programmability this adapter provides: it integrates an internal switch attached to the external ports (those physically connected to the cables) and to the internal ports (towards the CPU, those seen by the host OS) …
ntop

Introducing PF_RING FT: nDPI-based Flow Classification and Filtering for PF_RING and DPDK

Motivation

Most network monitoring and security applications are based on flow processing, which in practice is the activity of grouping packets based on common attributes (e.g. source and destination IP, source and destination port, protocol, etc.) and doing some analysis based on the collected information. What happens behind the scenes can be divided into a few major tasks: capturing raw packets; decoding packet headers to extract flow attributes; classifying the packets based on flow attributes; and, optionally, extracting L7 protocol information as well.

Introducing PF_RING FT

With PF_RING, and later on with PF_RING ZC (Zero …
nScrub

Protecting a Web Server from DDoS Attacks Using nScrub

nScrub is a software-based DDoS mitigation system based on PF_RING ZC, able to operate at 10 Gbit full rate (or at multiples of 10 Gbit by distributing the load across multiple modules) using commodity hardware, which makes it affordable in terms of both price and deployment. nScrub is easy to configure even for beginners and for companies with no DDoS mitigation experience; it can be deployed as a bump in the wire (i.e. no BGP or traffic tunneling necessary) or as a router for on-demand traffic diversion. In this post we will go through the installation steps for …
ntop

Introducing n2disk 3.0

This is to announce n2disk 3.0, which is more than a maintenance release, as it: consolidates pre-existing functionality; adds extraction security features that pave the way to GDPR support; adds flow offload support; simplifies storage management to avoid headaches during n2disk configuration. During our last meeting at Sharkfest EU we talked about Hardware Flow Offload. In essence, applications running on top of PF_RING and (supported) FPGA adapters are now able to offload flow processing to the network card, which can be programmed to: keep flow state, doing (basic) flow classification in hardware; periodically …
Guides

PF_RING and Network Namespaces

Last week we gave a couple of presentations at LinuxLab 2017, where we spoke about Containers (focusing on Network Namespaces support in PF_RING) and about User- and IoT-oriented Network Traffic Monitoring on Embedded Devices. With the advent of containers, process isolation has become extremely easy and effective, to the point that ordinary virtual machines have been reconsidered. Many ntop users today run traffic monitoring applications in Docker, so it is important to understand how containers work and how to make the best use of them. Network isolation is provided by Network Namespaces, a native feature of the …
ntop

Implementing PF_RING-based Hardware Flow Offload in Suricata

Last month we integrated hardware flow offload in PF_RING 7.0. This week Alfredo presented at Suricon 2017 the integration of hardware flow offload with Suricata and demonstrated that with this technology you can significantly reduce packet drops and CPU load. Below you can see how NetFlow traffic analysis and Suricata can both benefit from this work.

[Hardware Flow Offload with NetFlow]

[Hardware Flow Offload with Suricata]

Should you be interested in reading the full story, these are the presentation slides. We remind you that the PF_RING source code …
PF_RING

Introducing PF_RING 7.0 with Hardware Flow Offload

This is to announce a new PF_RING major release, 7.0. In addition to many improvements to the capture modules, driver upgrades and container isolation, the main change in this release is the ability to offload flow processing to the network card (when supported by the underlying hardware). Flow offload is a great feature for cutting CPU load in applications doing intensive flow processing, as it makes it possible to let the network card handle activities like flow classification (updating flow statistics) and shunting (discarding or bypassing flows according to the application …
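The three teasers above describe the same pipeline from different angles: the PF_RING FT post lists the flow-processing tasks (capture, header decoding, grouping by flow attributes, optional L7 classification), the IDS post explains why CPU-bound rule engines benefit from not seeing every packet, and this 7.0 post names the two offloadable activities, flow classification and shunting. The following is an added example written for this page in plain Python; it is not PF_RING FT, PF_RING 7.0 or nDPI code and does not use the PF_RING API. It decodes constructed Ethernet/IPv4 frames, keys them on a bidirectional 5-tuple, applies a toy port-and-signature classifier standing in for nDPI, and shunts a flow once its L7 verdict is stable, so later packets of that flow are only counted and never reach the rule engine. The policy constants (`BYPASS_PROTOCOLS`, `CLASSIFY_AFTER`) and the sample traffic are assumptions made for the example.

```python
"""Flow grouping, toy L7 classification and shunting, in plain Python.

Added illustration for this page; it is NOT PF_RING FT or PF_RING 7.0 code and
does not use the PF_RING API. Frames are raw Ethernet bytes; each one is decoded,
keyed on its bidirectional 5-tuple, classified once payload is visible and, if
the policy says so, the whole flow is shunted so later packets never reach the
(expensive) rule engine of the IDS.
"""
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Assumed policy values for the example (not PF_RING FT defaults): flows whose L7
# protocol is in BYPASS_PROTOCOLS are shunted once CLASSIFY_AFTER packets were seen.
BYPASS_PROTOCOLS = {"tls"}
CLASSIFY_AFTER = 4


@dataclass
class Flow:
    packets: int = 0
    octets: int = 0
    l7: str = "unknown"
    shunted: bool = False


def build_frame(src, dst, sport, dport, proto, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the example; checksums left at zero."""
    if proto == IPPROTO_TCP:   # data offset 5 words, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0x4000, 64, proto, 0, src, dst)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + payload


def decode(frame):
    """Decode headers into (5-tuple, payload); None for frames that are not tracked."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    l4 = 14 + ihl
    if proto == IPPROTO_TCP and len(frame) >= l4 + 20:
        payload = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    elif proto == IPPROTO_UDP and len(frame) >= l4 + 8:
        payload = frame[l4 + 8:]
    else:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, sport, dport, proto), payload


def flow_key(t):
    """Bidirectional key: both directions of a conversation map to the same flow."""
    src, dst, sport, dport, proto = t
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def classify_l7(t, payload):
    """Toy stand-in for nDPI: a TLS handshake record, an HTTP verb, or the DNS port."""
    _, _, sport, dport, proto = t
    if payload[:3] == b"\x16\x03\x01":
        return "tls"
    if payload[:4] in (b"GET ", b"POST", b"HTTP"):
        return "http"
    if proto == IPPROTO_UDP and 53 in (sport, dport):
        return "dns"
    return "unknown"


class FlowTable:
    """Groups packets into flows and decides, per packet, whether the IDS must see it."""

    def __init__(self):
        self.flows = {}

    def process(self, frame):
        """Return 'inspect' (hand to the IDS) or 'shunted' (flow bypassed, only counted)."""
        decoded = decode(frame)
        if decoded is None:
            return "inspect"                  # non-IP/unsupported L4: pass through untouched
        tup, payload = decoded
        flow = self.flows.setdefault(flow_key(tup), Flow())
        flow.packets += 1
        flow.octets += len(frame)
        if flow.shunted:
            return "shunted"                  # cheap path: no rule evaluation at all
        if flow.l7 == "unknown":
            flow.l7 = classify_l7(tup, payload)
        if flow.l7 in BYPASS_PROTOCOLS and flow.packets >= CLASSIFY_AFTER:
            flow.shunted = True               # this packet is still inspected, the next are not
        return "inspect"


def demo():
    """Constructed traffic: a TLS session 10.0.0.1:40000 <-> 10.0.0.2:443, then one DNS query."""
    c, s, r = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53])
    table, verdicts = FlowTable(), []
    verdicts.append(table.process(build_frame(c, s, 40000, 443, IPPROTO_TCP)))   # SYN
    verdicts.append(table.process(build_frame(s, c, 443, 40000, IPPROTO_TCP)))   # SYN/ACK
    hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"   # ClientHello-shaped record
    verdicts.append(table.process(build_frame(c, s, 40000, 443, IPPROTO_TCP, hello)))
    for _ in range(5):                                            # encrypted application data
        data = b"\x17\x03\x03\x00\x64" + b"\x00" * 100
        verdicts.append(table.process(build_frame(s, c, 443, 40000, IPPROTO_TCP, data)))
    dns = table.process(build_frame(c, r, 5353, 53, IPPROTO_UDP, b"\x12\x34\x01\x00" + b"\x00" * 8))
    return verdicts, dns, table


if __name__ == "__main__":
    v, d, t = demo()
    print(v, d)
    for key, f in t.flows.items():
        print(key[0], f.l7, f.packets, f.octets, "shunted" if f.shunted else "inspected")
```

Running it shows the first four packets of the TLS session going to the IDS and the remaining four being shunted, while the DNS query is inspected; both directions of the TLS session are counted in one flow because the key is canonicalised. A hardware implementation keeps the same table in the NIC and applies the shunt decision before the packet is ever DMA'd to the host, which is where the CPU saving comes from.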
ntop

Introducing nScrub: Powerful yet Affordable DDoS Mitigation

ntop has always tried to make the Internet a better place by developing many open-source network monitoring tools, and by releasing all its software at no cost to non-profit and educational organisations. A few years ago, Qurium/VirtualRoad, a Swedish foundation offering secure hosting to independent online news outlets and human rights organisations, contacted us. The reason was that after years of mitigating attacks using proprietary appliances and servers running customised Linux kernel code based on netfilter, they had reached the conclusion that those solutions were not affordable, flexible, or fast enough. Their experience with …
n2disk

Introducing n2disk 2.8 with Microburst Detection

Together with PF_RING 6.6, today we also released n2disk 2.8. In this release we introduced support for microburst detection in order to spot traffic bursts, which is crucial for identifying potential capacity issues and troubleshooting packet loss in network equipment. We also improved our "fast" BPF engine, extending the supported primitives and improving the ability to match tunneled traffic. More tools have been added for working with the dump set, for instance for moving part of the dump set to external storage, or for deleting PCAP files in a specified time …
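Microbursts are the reason a link that averages a few percent on a per-second graph can still overflow switch buffers and drop packets. The added example below, written for this page in plain Python and not n2disk code, buckets a constructed packet trace (timestamp in nanoseconds, frame length) at two window sizes and flags windows whose rate exceeds a utilization threshold of the link. The 10 Gbit/s link speed, the 80% threshold and the trace itself are assumptions made for the example.

```python
"""Microburst detection over a packet trace, in plain Python.

Added illustration for this page; it is NOT n2disk code. A trace is a list of
(timestamp_ns, frame_length_bytes) pairs. The same trace is bucketed at a coarse
and at a fine window size: the 1 s average looks harmless, while the 1 ms
buckets reveal a burst close to line rate, which is what fills buffers and
drops packets even though the link looks idle on a per-second graph.
"""
from collections import defaultdict

LINK_BPS = 10_000_000_000       # 10 Gbit/s capture link (assumption for this example)
NS_PER_S = 1_000_000_000


def rate_per_window(trace, window_ns):
    """Bucket frames by floor(ts / window) and return {bucket: bits per second in it}."""
    octets = defaultdict(int)
    for ts, length in trace:
        octets[ts // window_ns] += length
    return {w: b * 8 * NS_PER_S / window_ns for w, b in octets.items()}


def detect_microbursts(trace, window_ns, link_bps=LINK_BPS, threshold=0.8):
    """Return [(window_start_ns, utilization)] for windows above threshold * link rate."""
    return [(w * window_ns, bps / link_bps)
            for w, bps in sorted(rate_per_window(trace, window_ns).items())
            if bps > threshold * link_bps]


def constructed_trace():
    """Constructed 1 s trace: ~100 Mbit/s of evenly spaced 1500-byte frames, plus 700
    back-to-back frames squeezed into the millisecond starting at t = 500 ms."""
    pps = 100_000_000 // (1500 * 8)          # 8333 frames per second
    gap = NS_PER_S // pps
    trace = [(i * gap, 1500) for i in range(pps)]
    trace += [(500_000_000 + i * 1_000, 1500) for i in range(700)]
    trace.sort()
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    print("1 s windows  :", detect_microbursts(trace, NS_PER_S))
    print("1 ms windows :", detect_microbursts(trace, 1_000_000))
```

At 1 s granularity the trace sits at about 1% utilization and nothing is flagged; at 1 ms granularity the window starting at 500 ms carries roughly 1.06 MB, i.e. about 85% of a 10 Gbit/s link, and is reported. The window size is the whole point of the technique: pick it close to the buffer drain time of the device you are troubleshooting, not to the resolution of your dashboard.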
PF_RING

PF_RING 6.6 Just Released

After almost one year of development, this is to announce the release of PF_RING 6.6. In this release we have worked on different areas: we introduced nBPF, a software packet-filtering component similar to BPF that is able to exploit the hardware packet filtering capabilities of modern network adapters and transparently deliver these facilities to user-space applications such as nProbe and ntopng, or non-ntop applications such as Wireshark and Suricata; we improved the PF_RING ZC Intel 40 Gbit drivers to transparently give users the ability to use these NICs without having to pay attention to …