Evaluating the Effectiveness of an eBPF/XDP-based Pre-filtering Firewall Using Random Forest for Traffic Anomaly Detection on Docker Swarm
DOI: https://doi.org/10.30865/jurikom.v13i2.9618
Keywords: Firewall Pre-filtering, eBPF/XDP, Random Forest, Traffic Anomaly Detection, Docker Swarm
Abstract
Overlay networks in container orchestration platforms such as Docker Swarm are vulnerable to volumetric DDoS attacks, while conventional firewall solutions impose high overhead when processing large attack volumes. This paper presents the implementation and evaluation of an eBPF/XDP-based pre-filtering firewall that integrates detection rules derived from a Random Forest model to identify traffic anomalies in Docker Swarm overlay networks. Unlike previous studies that employ a single Decision Tree or process classification in user-space, this research extracts Random Forest rules into per-source-IP thresholds executed directly in the kernel via XDP and stored in an eBPF config_map to enable runtime updates without recompilation. The model was trained on the CIC-DDoS-2019 dataset (174,221 records, 65 features), achieving 99.88% accuracy, 99.90% detection rate, 0.14% false positive rate, and ROC-AUC of 0.9999. Experimental evaluation across seven testing scenarios with 10 iterations demonstrates that the XDP firewall drops over 99.9% of attack packets with a median response time of 0.69 ms, comparable to baseline conditions. CPU overhead remains low (0.92–1.18%) and throughput is maintained at approximately 920 Mbps. Differences between scenarios are statistically significant (p < 0.05) but with negligible practical effect (d < 0.25). Comparative analysis with iptables, both global rate limiting and per-IP hashlimit, indicates that all three approaches (XDP, global iptables, and per-IP iptables) effectively mitigate DDoS with comparable median response times.
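The abstract describes per-source-IP thresholds, derived from the Random Forest model, enforced in XDP and read from an eBPF config_map so they can be changed at runtime. The following is an added example, not code from the paper: a user-space model of that enforcement path in plain C, where a fixed-size table stands in for the per-source hash map and a global struct stands in for config_map; the threshold values, the hypothetical `set_threshold` helper and the constructed test frames are assumptions.

```c
// Added example: user-space model of a per-source-IP XDP threshold check.
// In a real XDP program the two tables below would be BPF maps accessed with
// bpf_map_lookup_elem()/bpf_map_update_elem(); here plain C stands in so the
// decision logic can be compiled and tested without loading anything into a kernel.
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define XDP_DROP 1          /* verdict values as defined by the XDP ABI */
#define XDP_PASS 2
#define MAX_SRC  64         /* capacity of the per-source state table (assumed) */

struct config    { uint32_t pkts_per_window; uint32_t window_ns; };   /* stands in for config_map */
struct src_state { uint32_t ip; uint32_t count; uint64_t window_start; int used; };

static struct config    cfg = { .pkts_per_window = 100, .window_ns = 1000000000u }; /* assumed defaults */
static struct src_state table[MAX_SRC];

/* Open-addressing lookup keyed by source IP; fails open when the table is full. */
static struct src_state *lookup_or_insert(uint32_t ip) {
    uint32_t h = ip % MAX_SRC;
    for (uint32_t i = 0; i < MAX_SRC; i++) {
        struct src_state *s = &table[(h + i) % MAX_SRC];
        if (!s->used) { s->used = 1; s->ip = ip; return s; }
        if (s->ip == ip) return s;
    }
    return NULL;
}

/* Verdict for one frame; data/data_end mirror the xdp_md bounds the verifier enforces. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end, uint64_t now_ns) {
    if (data + 14 > data_end) return XDP_PASS;                 /* shorter than an Ethernet header */
    uint16_t ethertype = (uint16_t)((data[12] << 8) | data[13]);
    if (ethertype != 0x0800) return XDP_PASS;                  /* only IPv4 is rate-limited here */
    if (data + 14 + 20 > data_end) return XDP_PASS;            /* truncated IPv4 header */
    uint32_t src_ip;
    memcpy(&src_ip, data + 14 + 12, 4);                        /* saddr, kept in network byte order */
    struct src_state *s = lookup_or_insert(src_ip);
    if (!s) return XDP_PASS;
    if (now_ns - s->window_start >= cfg.window_ns) { s->window_start = now_ns; s->count = 0; }
    s->count++;
    return s->count > cfg.pkts_per_window ? XDP_DROP : XDP_PASS;
}

/* Runtime threshold update without recompilation (stands in for updating config_map). */
void set_threshold(uint32_t pkts_per_window, uint32_t window_ns) {
    cfg.pkts_per_window = pkts_per_window; cfg.window_ns = window_ns;
}

/* Constructed test input: minimal Ethernet + IPv4 frame carrying the given source address. */
size_t make_frame(uint8_t *buf, const char *src) {
    memset(buf, 0, 34); buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45;
    uint32_t ip = inet_addr(src); memcpy(buf + 26, &ip, 4);
    return 34;
}
```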