Altinor is a minimalistic, highly parallel byte-level pattern matching engine for deep packet inspection (DPI), written in OpenCL and C/C++. The current PoC implementation runs on AMD Radeon GPUs.
This is the visual representation of the parallelised pattern search:
This repository contains an example that implements a network Intrusion Detection System (IDS), capable of inspecting TCP and/or UDP packets. It works similarly to a packet sniffer, intercepting packets at OSI L2 via a Linux raw socket.
Upon detecting the configured packet signature, Altinor logs a message to stdout with the source IP address of the attacker. Further scripting (for example in Python) can poll the alert message and react by compiling and applying an XDP/eBPF action on the interface.
Install the AMD drivers and OpenCL development packages. Below is an example for Ubuntu:
$ amdgpu-install --usecase=graphics,opencl --vulkan=amdvlk --opencl=legacy
$ sudo apt install opencl-headers
$ sudo apt install ocl-icd-opencl-dev
$ make
$ sudo ./altinor
Open the config.h file.
Set the sniffing network interface:
#define NETWORK_INTERFACE_NAME "enp2s0"
Describe the signature inside the array, byte by byte or char by char, following standard C/C++ syntax:
uint8_t signature[] = { 'E', 'x', 'p', 'l', 'o', 'i', 't', 'B', 'y', 't', 'e', 's', '0', 'P' };
The signature length should also be specified inside the SIGNATURE_LEN macro:
#define SIGNATURE_LEN ( 14 )
For TCP only:
#define INSPECT_TCP ( 1 )
#define INSPECT_UDP ( 0 )
For UDP only:
#define INSPECT_TCP ( 0 )
#define INSPECT_UDP ( 1 )
For both TCP and UDP:
#define INSPECT_TCP ( 1 )
#define INSPECT_UDP ( 1 )
Use the following option to attempt switching the sniffing interface to zero-copy mode.
#define ATTEMPT_ZERO_COPY_OPTION ( 1 )
Note: this may not work in many cases. Observe the log upon launching the application.
$ make clean
$ make
$ sudo ./altinor
$ nc -l 192.168.100.6 65321
$ nc 192.168.100.6 65321
123-ExploitBytes0P-abcdEFGH
$ sudo ./altinor
EXPLOIT! from IP 192.168.100.6
Congratulations, you have detected an exploit signature via the GPU!
From now on, use the console output with a scripting language to generate a reaction accordingly, such as generating an XDP_DROP action for that specific IP address and applying it on the interface for a specific time duration.
The current Altinor implementation is a pure proof-of-concept experiment.
- No fast path (like DPDK); a RAW socket is used instead.
- OpenCL GPU-to-host transfers are not zero copy. There is no RDMA between the NIC and the GPU via P2P PCIe transactions. For CPUs with integrated graphics, one should always check whether the vendor provides OpenCL driver support. If so, both CPU and GPU can use a common buffer (pointer), thus avoiding the copy overhead.
- The current implementation may miss the signature if it is fragmented between two packets. This will be fixed.
- Only one signature can be inspected per process. For more, compile and launch another 'instance' and run it as a separate process; one may also try to automate this via Docker, Ansible and other DevOps-oriented tools.
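Added example, not Altinor's own code: a host-side C reference for the per-packet byte match that config.h configures, plus a per-flow carry-over of the last SIGNATURE_LEN-1 bytes that closes the split-signature gap listed above. The two segment strings are constructed from the nc payload in the usage example.

```c
/* Added example (not Altinor's own code): host-side reference for the byte-level
 * match config.h describes, plus per-flow carry-over for split signatures. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static const uint8_t signature[] = { 'E','x','p','l','o','i','t','B','y','t','e','s','0','P' };
#define SIGNATURE_LEN ( 14 )

/* Offset of the signature inside one payload, or -1. Each offset is checked
 * independently, which is the work a GPU kernel spreads over its work-items. */
int find_signature(const uint8_t *payload, size_t len)
{
    for (size_t off = 0; off + SIGNATURE_LEN <= len; off++)
        if (memcmp(payload + off, signature, SIGNATURE_LEN) == 0)
            return (int)off;
    return -1;
}
/* Per-flow state: the last SIGNATURE_LEN-1 bytes seen, so a split signature still matches. */
typedef struct { uint8_t tail[SIGNATURE_LEN - 1]; size_t tail_len; } flow_state;

/* Returns 1 if the signature occurs in tail+payload, 0 otherwise; updates the tail. */
int find_signature_stream(flow_state *fs, const uint8_t *payload, size_t len)
{
    size_t total = fs->tail_len + len;
    uint8_t *buf = malloc(total + 1);
    if (!buf) return 0;
    memcpy(buf, fs->tail, fs->tail_len);
    memcpy(buf + fs->tail_len, payload, len);
    int hit = find_signature(buf, total) >= 0;
    size_t keep = total < SIGNATURE_LEN - 1 ? total : SIGNATURE_LEN - 1;
    memcpy(fs->tail, buf + total - keep, keep);
    fs->tail_len = keep;
    free(buf);
    return hit;
}
/* Constructed: the README's nc payload split over two TCP segments. 1 = per-packet miss, stream hit. */
int demo_fragmented(void)
{
    const uint8_t *s1 = (const uint8_t *)"123-ExploitBy";   /* 13 bytes */
    const uint8_t *s2 = (const uint8_t *)"tes0P-abcdEFGH";  /* 14 bytes */
    flow_state fs = { {0}, 0 };
    int miss = find_signature(s1, 13) < 0 && find_signature(s2, 14) < 0;
    int hit = !find_signature_stream(&fs, s1, 13) && find_signature_stream(&fs, s2, 14);
    return miss && hit;
}

int main(void)
{
    printf("per-packet miss, stream hit: %d\n", demo_fragmented());
    return 0;
}
```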
The author is currently working on:
- A CLI shell based on a Radix Tree
- Multi-signature hot-plug support, without interrupting the running process
Future versions will add in-line IPS functionality using DPDK.
The author is also considering integrating the Altinor engine as an nginx module for HTTP inspection.
Aside from GPUs, other parallel accelerators could be much more interesting and applicable for parallel pattern matching (like the Tenstorrent GraySkull).