ATCIntel SmartNICF5 Application Delivery ContollersF5ATC InsightApplication Delivery ControllersService Provider Mobility (4G/5G)Cloud SecurityHybrid Cloud PlatformsNetwork SecuritySecurity OperationsMobilityIntelCloudNetworkingSecurity Transformation
ATC Insight5 minute read

F5 DDoS Protection with Intel SmartNIC

Protecting networks against volumetric Distributed Denial of Service (DDoS) attacks is challenging enough, but for software-based infrastructure the challenge is even greater. In the past stopping multi-gigabit DDoS attacks has required dedicated network security hardware, but recently WWT was asked to test a virtual DDoS solution from F5 powered by the Intel SmartNIC FPGA.

In this ATC Insight

 ATC Insight

 Executive Summary

The roll-out of 5G services will push Service Providers to virtual infrastructure in order to cost effectively meet demand. In recognition of this F5 worked with Intel to deliver high-performance DDoS off-load on virtualized infrastructure in order to protect infrastructure and applications from attacks.  WWT ATC lab testing validated that F5's DDoS protection programmed onto a FPGA on the N3000 off-loads DDoS attacks thereby protection network and applications by mitigating impact on virtual server CPU and RAM resources. WWT ATC lab testing shows that attacks up to 27Gbps in size are identified and removed by the Intel N3000.

 Enabling Security at Virtualized Edge

Service Providers have been using F5 BIG-IP iSeries for years to provide load balancing and layer 2-7 protection for their 4G networks. F5 BIG-IP iSeries is popular with Service Providers as the platform provides hardware-assisted offload of DDoS attack processing onto a Field Programmable Gate Array (FPGA) to not only mitigate much larger voluminous and targeted attacks, but also free up x86 CPU resources for other app delivery and security functions.

The effort to build out 5G infrastructure which requires more access points has pushed Service Providers to go the route of network function virtualization (NFV). In order to help service providers to build virtualized 5G infrastructure at the edge without compromising security, F5 has utilized its 10+ years of FPGA expertise to program an embedded FPGA within Intel's N3000 SmartNIC to mitigate DDoS attacks. By programming this FPGA, F5 is able to mitigate DDoS attacks at the NIC level before malicious traffic hits F5's BIG-IP Virtual Edition and the underpinning Intel x86 CPU's. Doing so drastically improves overall DDoS mitigation performance and significantly alleviates strain on BIG-IP VE CPU resources – freeing up compute cycles for other traffic management and security functions. F5's DDoS Protection is managed by the BIG-IP AFM Virtual Edition (VE) security platform which provides security for networks and applications.

 Solution and Components 

In order to enable its DDoS solution to deflect attacks within NFV infrastructure, F5 worked with Intel to migrate its DDoS protection to the Intel N3000 SmartNIC. F5's DDoS protection was built into the BIG-IP VE for SmartNICs solution which is programmed onto the Intel N3000. The solution leverages a programmed FPGA within the Intel FPGA PAC N3000 SmartNIC to mitigate DDoS attacks.  A Service provider can build out an NFV-based infrastructure based on the components of the solution listed below.

  • L2-L7 Firewall Protection (IPS option):  BIG-IP AFM Virtual Edition (VE) version 15.1.2.0
  • DDoS Protection within SmartNIC:  F5 SmartNIC VE – version 15.1.2.0
  • Hardware Tested:
    • Dell PowerEdge R740 2 x 20 Core 2.40GHz Gold
      Intel(R) Xeon(R) Gold 6148 CPU @ 2.40GHz
      RAM: 196GB / Disk: 2 x 500GB SAS
      KVM - CentOS Linux release 7.8.2003 (Core)

 

 Third-Party Testing from WWT ATC Labs

Worldwide Technology (WWT) Advanced Technology Center (ATC) is a collaborative ecosystem to design, build, educate, demonstrate, and deploy innovative technology products and integrated architectural solutions for WWT customers and partners. WWT ATC Product benchmarking tests whether a vendor's product functions as advertised. We stress-test products under production-level workloads with elements of your environment incorporated into the test plan.  Benchmarking can help you right-size hardware and software for your environment. It can also save you money if it shows you need to purchase less of a given technology.

 WWT ATC Lab Testing framework 

WWT ATC Lab testing setup the Dell Server with Intel N3000 as the network interface (50G connection; 2 x 25G channels) and program the F5 DDoS (SmartNIC VE) onto the FPGA contained within the N3000.  A Cisco switch provided connectivity from the Ixia Breaking Point toolset which served up both good and bad traffic patterns. 

 

Figure 1. - Lab Topology

 Testing Methodology

A traffic baseline was set up to simulate typical traffic coming into edge infrastructure. The incoming 'good' traffic was composed of:  

  1. HTTP (1.5 Gbps, approximately 45K concurrent HTTP transaction rate over 8k concurrent TCP connections)
  2. DNS (approximately 10K concurrent DNS queries per second)

For each DDoS attack, the tests were run for an average of 32 minutes. The first 16 minutes of the test was to ensure the baseline traffic running through the stack. At the 16-minute mark, the attack traffic was initiated and changes in the F5 AFM VE CPU and memory utilization were observed. At the end of the test, the TCP Average latency values were collected and compared with the case when only the baseline traffic is running through the setup.

For the first DDoS attack test shown below in Table 1, the attack mitigation was performed in software. The resulting CPU utilization shows that the CPU was effectively saturated as a result of on presented attack traffic.

Testing Results – F5 AFM VE handling incoming DDoS attack (no SmartNIC offload)

Table 1. - Baseline Test Results (No-Offload)

 

For the second DDoS attack the attack mitigation was performed in hardware via offload to an Intel SmartNIC. The resulting CPU utilization and latency are shown below in Table 2, with marked improvements in CPU utilization and latency. The FPGA is able to identify and absorb the malicious attack traffic before it is seen by the CPU, preserving the CPU for normal function and maintaining the compute efficiency of the virtual appliance.

Testing Results – F5 AFM VE handing incoming DDoS attack (with SmartNIC offload)

Table 2. - Mitigated Test Results Offload

 Conclusion

When comparing software-only vs hardware-assisted mitigation, the results from FPGA hardware-assisted show a marked improvement. In fact, it is likely that software-only mitigation would have resulted in a complete loss of function, leading to the denial of service the attacker is seeking. This clearly demonstrates the benefit and value of F5 BIG-IP VE for SmartNIC integration when building NFV and software-based security solutions.

 Technologies Under Test

* BIG-IP AFM Virtual Edition (VE) - version 15.1.2.0
* F5 SmartNIC VE – version 15.1.2.0
* Intel(R) FPGA Programmable Acceleration Card N3000

Technologies