Opportunistic Traffic Monitoring with eBPF

Simone Magnani, Politecnico di Torino

Semantic Scholar (2020)

Abstract
The growth of new technologies has opened new horizons for network traffic monitoring and analysis. Innovative solutions like eBPF and XDP mark a clear distinction between traditional methodologies and new ones, leading to more customized and, in some cases, more efficient filtering. However, despite their flexibility and effectiveness, these technologies may seriously harm system performance, since they move the entire monitoring engine into the lowest layers of the operating system, introducing new problems related to the significant delay that an inefficient program can cause. This thesis proposes unusual and innovative uses of these new technologies: strengthening and favouring in-kernel analysis of packets, dynamically inserting or removing user-defined monitoring programs, and exporting only the desired metrics using lightweight, standard data-interchange formats. Polycube is the reference framework, an open source research project developed by the Computer Network Group of Politecnico di Torino, which enables the creation of virtual networks and provides fast and lightweight network functions such as bridge, router, NAT and many others. Within this complex and efficient framework, the Dynmon service has been created, starting from an early prototype, to accomplish dynamic network monitoring. The performance of this new service has been compared to a well-known and widely used protocol, NetFlow, and the promising and surprising results point out the efficiency of this new monitoring method. The advantage that Dynmon introduces is the possibility of performing adaptive network monitoring, choosing the granularity of the data to be extracted, whereas state-of-the-art tools extract a default set of features independently of the type of analysis, which can result in inefficient and heavy monitoring.
Finally, this thesis also presents a real use case scenario, the TOSHI project, where Dynmon has been used in a more complex infrastructure with the aim of detecting different cybersecurity attacks, using eBPF/XDP as the packet analysis and feature extraction method. Its use meets the project's need, which is to provide different dynamic network traffic monitoring probes that extract packet features according to the cybersecurity attacks under consideration.