For any of you that are not yet familiar, eBPF (extended Berkeley Packet Filter), is a powerful technology that is rapidly gaining traction in network and security, among others, mostly in Linux based operating systems. eBPF is an extension to BPF, which might sound more familiar to anyone who ever used network analysis tools like Wireshark, Tcpdump and Scapy. In those tools, BPF is being used to filter certain types of packets based on certain criteria. Those filters are then compiled into a program that is being loaded to a small VM in the kernel, and forward to those tools, only the relevant packets which they are interested in.
eBPF, is extending those capabilities and allow more complex programs to run in addition to network filter programs. Its flexibility, performance, and low overhead make it an ideal choice for implementing a wide range of security policies, from basic filtering and monitoring to more advanced threat detection and prevention.
In the near future, I will post a more elaborate explanation about BPF vs eBPF, the technologies behind them and where they're mostly being used today in cyber security products.
However, in this post I want to focus on a new tool I recently uploaded to the BCC project called tcp_mon_block.
BCC (https://github.com/iovisor/bcc) is a huge project which had a big part in pushing eBPF to mainstream. It provides various eBPF libraries, code generation and compilation tools for eBPF, a client loader the can use Python code to load eBPF programs and much more.
tcp_mon_block uses netlink TC, kernel tracepoints and kprobes to monitor outgoing connections from given PIDs (like HTTP or other TCP networked servers) and block connections to anomalous addresses initiated from them (acting like an in-process firewall). By doing so, it can help with mitigation against exploited web processes. For example an old vulnerable Apache server or a .NET web application with an SSRF vulnerability, where an attacker might use the exploited server's process to connect to a C2 server, exfiltration server or other malicious server controller by the attacker.
You can check it out and play with the tutorial at – https://github.com/iovisor/bcc/tree/master/examples/networking/tcp_mon_block
If you liked it, please spread the word on technical forums and social networks using #tcp_mon_block hashtag 😊