Open Access
eBPF based Runtime Detection of Semantic DDoS Attacks in Linux Containers
Author(s) -
S Remya,
Manu J Pillai,
B Niranjan,
P M Ajith Kumar,
K Merin Shaju,
K Dinoy Raj,
Somula Rama Subbareddy,
Yong Yun Cho
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3614389
Subject(s) - aerospace , bioengineering , communication, networking and broadcast technologies , components, circuits, devices and systems , computing and processing , engineered materials, dielectrics and plasmas , engineering profession , fields, waves and electromagnetics , general topics for engineers , geoscience , nuclear engineering , photonics and electrooptics , power, energy and industry applications , robotics and control systems , signal processing and analysis , transportation
Modern Distributed Denial-of-Service (DDoS) attacks increasingly target the application layer to exhaust CPU resources and disrupt service availability, particularly in containerized environments where isolation and diverse implementations complicate traditional detection mechanisms. Existing solutions such as CODA (Containerized Denial-of-Service Attack detection) monitor CPU burst times between the accept() and close() system calls, but fail when attackers keep connections open persistently so that close() is never triggered. To address this limitation, we propose CODAX (Container-aware DDoS Attack detection using eXtended Berkeley Packet Filter), a lightweight CPU-time-based detection method that identifies long-running malicious connections by monitoring system calls at the kernel level with extended Berkeley Packet Filter (eBPF) probes. Unlike prior methods such as CODA, which measure CPU burst time only between accept() and close(), our approach checks per-connection CPU usage against a threshold from the moment of the accept() call, using a global map of 64-bit Unix timestamps, so that an ongoing attack can be detected before the connection is closed. The experimental evaluation demonstrates significant performance improvements over existing solutions: the proposed system achieves faster detection times, high attack detection accuracy (ADR: 0.92), and a low false positive rate (FPR: 0.02). Statistical validation using paired t-tests confirms that the eBPF-based approach reduces detection latency by an average of 1,772.3 ms compared to CODA, a 94.2% relative reduction from CODA's baseline performance (p < 0.0001). The system operates efficiently at 30% CPU utilization and demonstrates high scalability for production environments. This research provides a timely and efficient mechanism for mitigating CPU-exhaustion DDoS attacks in containerized applications, offering substantial improvements in responsiveness and reliability over existing detection frameworks.
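To make the difference between the two detection policies concrete, the following is an added illustration (not code from the paper or from CODA/CODAX): a user-space simulation of the per-connection bookkeeping the abstract describes, fed with a constructed trace of accept()/close() events and CPU-time samples. The threshold value, the event format and the connection identifiers are assumptions made for the illustration; a real implementation would collect these from eBPF probes on the syscalls.

```python
from dataclasses import dataclass

MS = 1_000_000                  # nanoseconds per millisecond
CPU_THRESHOLD_NS = 200 * MS     # assumed per-connection CPU budget (constructed value)


@dataclass
class Conn:
    accept_ts: int      # 64-bit Unix timestamp (ns) stored when accept() fires
    cpu_ns: int = 0     # CPU time charged to the connection so far


def coda_detect(events):
    """CODA-style policy: CPU burst is only evaluated when close() arrives."""
    conns, alerts = {}, []
    for ts, fd, kind, cpu in events:
        if kind == "accept":
            conns[fd] = Conn(accept_ts=ts)
        elif kind == "cpu":
            conns[fd].cpu_ns += cpu
        elif kind == "close":
            c = conns.pop(fd)
            if c.cpu_ns > CPU_THRESHOLD_NS:
                alerts.append((fd, ts))
    return alerts               # a connection that never closes is never reported


def codax_detect(events):
    """CODAX-style policy: accumulated CPU since accept() is checked on every sample."""
    conns, alerts, flagged = {}, [], set()
    for ts, fd, kind, cpu in events:
        if kind == "accept":
            conns[fd] = Conn(accept_ts=ts)
        elif kind == "cpu":
            c = conns[fd]
            c.cpu_ns += cpu
            if c.cpu_ns > CPU_THRESHOLD_NS and fd not in flagged:
                flagged.add(fd)
                alerts.append((fd, ts))   # raised while the connection is still open
        elif kind == "close":
            conns.pop(fd, None)
    return alerts


# Constructed trace: (timestamp_ns, fd, event, cpu_ns). fd 3 is a benign request,
# fd 5 is a CPU-heavy connection that eventually closes, fd 4 never closes at all.
SAMPLE_EVENTS = [
    (0, 3, "accept", 0), (0, 4, "accept", 0), (0, 5, "accept", 0),
    (20 * MS, 3, "cpu", 10 * MS), (50 * MS, 3, "close", 0),
    (100 * MS, 4, "cpu", 100 * MS), (100 * MS, 5, "cpu", 100 * MS),
    (200 * MS, 4, "cpu", 100 * MS), (200 * MS, 5, "cpu", 100 * MS),
    (300 * MS, 4, "cpu", 100 * MS), (300 * MS, 5, "cpu", 100 * MS),
    (2000 * MS, 5, "close", 0),
]
```

Running both policies over `SAMPLE_EVENTS` shows the point of the abstract: the close()-triggered policy reports fd 5 only at its close() and never sees fd 4, whereas the accept()-anchored check reports both as soon as their CPU budget is exceeded.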
