A phishing mitigation approach using eBPF/XDP

  • Pedro Martins dos Santos UFRGS
  • Jéferson Campos Nobre UFRGS

Abstract
Although widely studied as a cyberattack vector, phishing remains a prevalent threat, driven by its operational simplicity and its effectiveness at spreading malware. This makes robust mechanisms for blocking communication with malicious domains essential. This paper presents an efficient approach to mitigating phishing-based attacks and command and control (C2) communications using eBPF and the XDP framework. The study compares the proposed solution with DNS Response Policy Zones (RPZ). The results show an average CPU consumption 70% lower than with RPZ, at the cost of an average latency increase of 0.0126 ms, presenting a promising alternative for improving the security and performance of DNS services.
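The abstract describes filtering DNS traffic for blocklisted domains in the XDP data path rather than in the resolver (RPZ). What follows is an added example, not code from the paper: a user-space C model of the per-packet check such an XDP program performs, so the parsing and matching logic can be exercised without kernel headers. It assumes names are lowercased and hashed with djb2 (a choice made here for the example), that a plain array stands in for the BPF hash map of blocked hashes, and that only the first question of a standard query is inspected; the Ethernet/IP/UDP header parsing that precedes this in a real XDP program is omitted. The blocklist entries and query payloads are constructed for the example.

```c
/* Added example (not the paper's code): user-space model of the per-packet
 * check an XDP DNS blocklist performs. Assumptions: names are lowercased and
 * hashed with djb2, blocked hashes live in an array standing in for a BPF
 * hash map, and only the first question of a query is inspected. Ethernet,
 * IP and UDP parsing that precedes this in a real XDP program is omitted;
 * the bounds discipline is the one the BPF verifier would demand. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define MAX_NAME 253
#define MAX_LABEL 63

enum verdict { PASS = 0, DROP = 1 };   /* stands in for XDP_PASS / XDP_DROP */

/* djb2: h = h * 33 + c, seeded with 5381. */
static uint32_t djb2(const uint8_t *s, size_t n) {
    uint32_t h = 5381;
    for (size_t i = 0; i < n; i++) h = (h << 5) + h + s[i];
    return h;
}

/* Decode the first QNAME into dotted lowercase form. Every read is checked
 * against the payload end. Compression pointers are rejected: they are not
 * valid in a query's QNAME and are a classic parser trap. Returns the name
 * length, or -1 for anything malformed or not a query. */
static int dns_qname(const uint8_t *pkt, size_t len, char *out, size_t outsz) {
    if (len < DNS_HDR_LEN) return -1;
    if (pkt[2] & 0x80) return -1;                       /* QR=1: a response */
    if ((pkt[4] << 8 | pkt[5]) == 0) return -1;         /* QDCOUNT == 0 */
    size_t pos = DNS_HDR_LEN, o = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = pkt[pos++];
        if (l == 0) break;
        if ((l & 0xC0) || l > MAX_LABEL || pos + l > len) return -1;
        if (o + l + 1 >= outsz) return -1;
        if (o) out[o++] = '.';
        for (uint8_t i = 0; i < l; i++) out[o++] = (char)tolower(pkt[pos + i]);
        pos += l;
    }
    if (o == 0) return -1;                              /* root: nothing to match */
    out[o] = '\0';
    return (int)o;
}

/* Constructed blocklist; stands in for a BPF_MAP_TYPE_HASH keyed by djb2.
 * Keying on the hash alone trades a small false-positive risk (collision)
 * for a fixed-size key; a fixed-size name key avoids that at higher cost. */
static const char *const BLOCKED[] = { "login-secure-bank.example", "c2.evil.example" };

static int is_blocked(uint32_t h) {
    for (size_t i = 0; i < sizeof BLOCKED / sizeof BLOCKED[0]; i++)
        if (djb2((const uint8_t *)BLOCKED[i], strlen(BLOCKED[i])) == h) return 1;
    return 0;
}

/* Per-packet decision. Malformed or non-query payloads PASS: the filter
 * fails open so a parser gap cannot turn into a DoS of the resolver. */
static enum verdict dns_verdict(const uint8_t *pkt, size_t len) {
    char name[MAX_NAME + 1];
    int n = dns_qname(pkt, len, name, sizeof name);
    if (n < 0) return PASS;
    return is_blocked(djb2((const uint8_t *)name, (size_t)n)) ? DROP : PASS;
}

/* Build a minimal A query for a dotted name (constructed test input). */
static size_t build_query(const char *name, uint8_t *buf, size_t bufsz) {
    size_t need = DNS_HDR_LEN + strlen(name) + 2 + 4;
    if (bufsz < need) return 0;
    memset(buf, 0, DNS_HDR_LEN);
    buf[0] = 0x12; buf[1] = 0x34; buf[2] = 0x01; buf[5] = 1;   /* ID, RD, QDCOUNT=1 */
    size_t pos = DNS_HDR_LEN;
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > MAX_LABEL) return 0;
        buf[pos++] = (uint8_t)l;
        memcpy(buf + pos, p, l);
        pos += l;
        p = dot ? dot + 1 : p + l;
    }
    buf[pos++] = 0;                                   /* end of QNAME */
    buf[pos++] = 0; buf[pos++] = 1;                   /* QTYPE A */
    buf[pos++] = 0; buf[pos++] = 1;                   /* QCLASS IN */
    return pos;
}

/* Convenience: verdict for a name as it would arrive on the wire. */
static enum verdict verdict_for(const char *name) {
    uint8_t buf[512];
    size_t n = build_query(name, buf, sizeof buf);
    return n ? dns_verdict(buf, n) : PASS;
}

int main(void) {
    const char *names[] = { "LOGIN-Secure-Bank.example", "www.example.org" };
    for (size_t i = 0; i < 2; i++)
        printf("%-26s -> %s\n", names[i],
               verdict_for(names[i]) == DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

Two design points carry over to a real XDP deployment. First, the check fails open: anything the parser cannot decode is passed to the resolver, which is better placed to reject garbage, so a parsing gap degrades to "not filtered" rather than to an outage. Second, XDP_DROP silently discards the query, so the client retries and eventually times out, whereas RPZ answers with NXDOMAIN or a walled-garden record; an XDP filter that wants RPZ-like client behaviour has to synthesize a response itself.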


Published
2025-09-01
SANTOS, Pedro Martins dos; NOBRE, Jéferson Campos. A phishing mitigation approach using eBPF/XDP. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 888-904. DOI: https://doi.org/10.5753/sbseg.2025.11474.