In the NIC of Time

Published October 08, 2020

If you removed the case of your desktop computer back in the 1990s, one of the first things you’d see is a network interface card (NIC)—the component used for plugging your machine into an Ethernet cable.

Unlikely as it may sound, the humble NIC is now set to help the telecoms industry, and its customers, combat a huge global surge in distributed denial of service (DDoS) attacks. Among other things.

Modern day NICs do much more than direct traffic. Now known as SmartNICs, this specialist hardware can help solve one of telcos’ biggest challenges: moving to a virtualized architecture that relies on industry standard servers controlled by CPUs (central processing units). Designed to support network functions in the cloud, these virtual machines are often ill-equipped to cope with major DDoS attacks where large numbers of devices request network resources at the same time. The CPUs would be quickly overwhelmed.

Right now, these CPUs need more protection than ever. According to recent F5 Labs analysis of Security Incident Report (SIRT) data, DDoS attacks accounted for just a tenth of all reported customer incidents in January. By March, they had grown to three times that of all incidents. What’s more, 4.2% of DDoS attacks reported to the F5 SIRT last year were identified as targeting web apps. This increased six-fold in 2020 to 26%. There are numerous other studies echoing these trends, and it is no mystery why it is happening. Remote working and people spending more time online has significantly heightened both risk levels and available attack surfaces.

One way to protect yourself is to put a dedicated piece of kit, specifically designed to detect and mitigate DDoS attacks, in front of the virtual network. While that is still a viable option, it does reduce some of the cost advantages of going for a full virtual network. The dedicated appliances would also take up valuable space in the compact edge computing centers now being rolled out by telcos to reduce network latency.

Hardware Lends a Hand

At F5, we realized that porting volumetric DDoS mitigation capabilities to a SmartNIC equipped with specialized processors—a.k.a. field programmable gate arrays (FPGA)—can make a big difference in a more virtualized and cloud-centric world. Crucially, the specialized processors are able to handle much of the heavy lifting and filter the incoming traffic much faster than a traditional software implementation running on CPUs.

It was an insight that prompted us to become the first software company to create an application specially for Intel’s FPGA programmable acceleration card (N3000 SmartNIC). It has been validated and tested by some of the world’s leading service providers.

To bring our vision to life, we programmed the Intel SmartNIC FPGAs the same way we program FPGAs in our own hardware to support the BIG-IP Advanced Firewall Manager (AFM) Virtual Edition solution, which is designed to efficiently block incoming DDoS attacks in cloud environments using hardware acceleration.

By using the SmartNIC to handle network threat intelligence, packet-based analysis, allowlisting, and other DDoS mitigation measures, the solution keeps the CPU cycles free for other functions. This enables the network to keep running as normal. Better still, SmartNICs are extremely fast. The inspection and removal of malicious packets within the SmartNIC occurs at line rate, meaning that both latency and the user experience are unaffected. Indeed, moving specific functions to a SmartNIC, such as DDoS countermeasures, can boost performance and lower latency in both the core and at the network edge.

This isn’t about achieving incremental gains either, and the benefits of harnessing SmartNICs are potentially huge. For example, the F5 BIG-IP VE solution can handle DDoS attacks up to 300x larger than software-only implementations, all while reducing the total cost of ownership by approximately 47%.

By keeping a carrier-grade network secure and readily available, a SmartNIC-based solution means that operators can meet demanding service level agreements and deliver ultra-low latency connections without resorting to costly, high-performance custom hardware. 

At the same time, an FPGA can be re-programmed to suit, giving telcos greater architectural flexibility and agility, while also allowing standard servers to focus solely on the core job of handling cloud-native network functions.

Defending with an Edge

With the telecoms industry rapidly adapting to increasingly complex business and consumer demands, Intel’s SmartNIC appears to have arrived in the nick of time. 

In a traditional telco network, there may have been a few large data centers with everything centralized. You could deploy a couple of large boxes in front of these to protect them from DDoS attacks. That was then. 

Nowadays, physical purpose-built appliances are becoming obsolete as the computing becomes more widely distributed around the network. This includes telcos deploying data centers at the edge of their infrastructure to make demanding apps and services, such as online gaming and virtual reality, respond better. 

SmartNICs will play a particularly important role as edge computing becomes more widespread, serving as one of the main lines of defense in a distributed network. And, at F5, we're already talking to several major operators about migrating their DDoS mitigation systems from dedicated hardware over to the technology.

The future certainly looks bright for SmartNICs, which clearly offer an innovative and cost-efficient way to bolster the security and performance of a cloud-native network. F5’s groundbreaking DDoS implementation is strong evidence of this, and many other use cases are likely to follow.

There’s plenty of life in those trusty old network interface cards yet! In fact, thanks to their new and smarter incarnations, their best (and most productive) days are yet to come. Watch this space.

Keen to learn more? Check out our on-demand webinar (DDoS mitigation in virtualised infrastructures using Intel SmartNIC).