Augmented DDoS Protection for Cloud/NFV Environments with BIG-IP VE for SmartNICs

Distributed Denial of Service (DDoS) attacks have grown increasingly common as a form of sabotage by activists, criminals, gamers, and even governments. As service providers implement 5G infrastructure and enterprises undergo digital transformation, the size and target surface area of potential attacks is expected to grow. This increased risk, combined with the trend for organizational shift to efficient and cost-effective software defined architectures makes DDoS mitigation for cloud/NFV environments more important now than ever before.

This paper presents information about DDoS attack mechanisms and describes how F5’s software DDoS mitigation solution can be augmented with Intel’s FPGA PAC N3000 SmartNIC, allowing DDoS attacks up to 300 times greater in magnitude to be mitigated by offloading to the SmartNICs embedded FPGA.

In this digitally-dependent, interconnected world, cyber-attacks can have significant negative impacts on businesses, service providers, and government entities. While news organizations focus on hackers stealing confidential information to use for blackmail and extortion, many malicious actors simply intend to cause financial harm.^[1] In a Denial of Service attack (DoS), attackers target an internet-connected service (for example, a website or mail server) and cause it to crash or become unresponsive. A DoS attack can be the result of a specially crafted request that causes server software to malfunction.

In recent years, better coding practices and regression techniques have made simple DoS attacks less effective. As a result, Distributed Denial of Service (DDoS) attacks have become more common; this trend is expected to continue as service providers implement 5G infrastructure and edge computing. DDoS attacks are often orchestrated by malicious individuals and distributed across a coordinated botnet of compromised, networked computer devices. These devices can be commanded to send attack traffic to a victim device or service.^[1] While the impact of a single compromised device is minimal by most processing throughput standards, a coordinated attack by thousands or even tens of thousands of devices from a large botnet can reach throughput levels that many service providers are unable to absorb.

For businesses that rely on their online presence, degradations to quality of service and downtime are bad for the bottom line. E-commerce is particularly vulnerable to disruption; service outages can cost thousands to millions of dollars per minute. Attacks that don’t cause an outage may still degrade performance, leading to real loss of revenue if frustrated customers move on to a different e-commerce provider.^[2]

Increased consumer internet connection speeds and increased ubiquity of devices on the cloud increases the potential for DDoS attacks. Connected devices present a special concern, and maintaining their security is imperative for maintaining the safety and reliability of online services. Along with the increased potential for these attacks, many organizations are at increased risk from DDoS attacks as they to software-centric architectures. Most software-based protections against DDoS lack the capacity and performance required to defend against large scale attacks. Fortunately, SmartNICs—the latest generation of Network Interface Cards—may be able to change this by offloading network and security functions from software solutions and alleviating strain on available CPUs.

This report will define a number of attack mechanisms, using evidence from real attack scenarios, before showing how F5’s software DDoS mitigation solution, F5® BIG IP® Advanced Firewall Manager™, Virtual Edition (BIG-IP AFM VE) can be augmented with Intel’s PAC 3000 SmartNIC. We will show how this combined solution (BIG-IP Virtual Edition for SmartNICs solution) is able to mitigate DDoS attacks up to 300 times greater in magnitude than an equivalent software-only solution.

Stateless attacks can be used against stateful protocols but do not require the attacker to track state for malicious connections. They are popular because they require minimal resources and work with source IP address spoofing. The classic and most widely used form of attack starts with a bogus request to a server to open a stateful connection, which the offending client (often a botnet node) will never acknowledge.^[1] The TCP SYN flood attack is one specific example. During a TCP connection setup, the 3-way handshake begins with the client transmitting a SYN packet. When the server receives a SYN packet from the client, it immediately allocates memory for a TCP socket data structure holding the tuple, sequence number, and state of the session. The server then replies to the client with a SYN-ACK packet.

Under normal circumstances, packet loss or slow communication could cause the SYN-ACK packet to be delayed or lost altogether. The server must decide how long to hold the socket in a half-open state before transmitting a reset and releasing the memory for other tasks.^[3] A popular DDoS technique is to generate a flood of SYN packets to trick the victim server into allocating TCP sockets and memory to thousands of bogus sessions. An attack rate of thousands of SYN packets per second quickly causes a webserver to consume all of its memory. In this example, the malicious attacker has the advantage; the attacker knows that none of the sessions will be used, so there is no need to reserve memory to track thee sessions. This enables the attacker to dedicate all system resources to transmitting additional bogus SYN packets.

Stateless protocols are easy to exploit because they work well using spoofed source addresses.^[4] Because stateless protocols don’t require a handshake, transmission of a single crafted packet to a server initiates an immediate response, using minimal resources on the adversary device and concealing the adversary’s identity.^[5] The data response packets from victim are forwarded to the spoofed IP, which could be a separate victim’s address; in volume these can slow down or disable an internet connection or server, adding to the efficacy of the attack.

A separate category of stateless attacks, known as amplification attacks, includes DNS flood and NTP flood. Both use address spoofing as part of the attack vector. Magnification attacks are particularly damaging because the response from the server can be an order of magnitude larger than the original request.

In 2018, GitHub, a popular code management service favoured among developers, encountered the largest DDoS attack on record. During the peak of the attack, the service saw incoming traffic at a rate of 1.3 terabytes per second (Tbps). This was a memcached DDoS attack that leveraged the amplification effect using the popular database caching system, Memcached. During the attack, the attacker flooded Memcached servers with spoofed requests and was able to amplify the attack by a factor of 50,000.^[6]

Although stateless attacks represent a common type of DDoS threat, their simplicity makes them easy to spot and prevent or mitigate.

Stateful DDoS attacks are more successful and difficult to prevent. Stateful attacks complete a handshake with the victim, and otherwise behave as a legitimate user. This category of attack vector can fool older DDoS prevention mechanisms, and requires more computing power and memory on the attacking machine. The key to launching a successful attack lies in behaving like a legitimate request. The challenge in mitigating these attacks lies in proper classification to separate real user requests from malicious ones.

A simple example of a stateful attack involves emulating the behaviour of legitimate users to create a sufficiently large volume of traffic using a large number of attackers (for example, a botnet). These volumetric attacks succeed when the victim cannot consume or process all the requests, or when the service’s internet connection is saturated to capacity. Because the traffic is crafted to emulate the behaviour of legitimate users, it is much more difficult to detect and differentiate malicious traffic from legitimate. For services involving some type of handshake mechanism (examples might include challenge-response, secret encoding, or cookie exchange), a volumetric attack may be the only way to exploit the victim unless a weakness is found in response scheme that would enable a trivial generation of valid response.^[7]

One category of advanced stateful attacks targets specific application-level services. One example, which attacks the HTTP protocol, is known as “Slowloris.” This attack begins with a malicious attacker sending multiple partial HTTP “GET” requests to the webserver to saturate its maximum available simultaneous connections. The attack works because the HTTP protocol will keep a connection open while a client is sending a request command, which can itself be divided into multiple packets. The malicious client will periodically send partial HTTP requests to the server—with up to several minutes of idle time between—without ever terminating the request.

A similar method to Slowloris is the “Are You Dead Yet” or “RUDY” attack, which utilizes HTTP “POST” commands to slowly send data responses to an unsuspecting web server.^[8] Both methods require minimal resources to execute, and because the default timeout to hold an HTTP connection open is 5 minutes on many web servers, they also require minimal bandwidth.^[1]

A fragment flood attack can also be an effective stateful attack. This technique can be coordinated with many source ports and addresses targeting a single destination. The endpoint under attack will save state on every fragment packet as it attempts to reassemble each one. Each unique source port and address combination will require allocation of another fragmentation buffer by the system under attack. The ability of the various malicious systems to source fragmented packets can outstrip the resources of the system under attack as it tries to maintain state on all of the fragmented transactions.

Since stateful attacks rely on generating valid responses to the victim, it is not typically possible to spoof the source address of the attacker. One exception to this rule is if the attacker can compromise a router or network medium through which legitimate traffic is traversing. In this case, the attacker can spoof the source address and generate valid stateful responses when it sniffs the response from victim, essentially following along to track the state of the connection.^[7]

To characterize the effectiveness of F5 solutions to mitigate different types of DDoS attacks, a test environment was configured using IXIA test systems. An IXIA XT80 sourced good ‘legitimate’ client traffic and server responses, and an IXIA XGS12 generated bad client attack traffic. The test was configured to establish a stable baseline of legitimate client-server traffic while ramping up attack traffic to identify the level at which attack traffic begins to interfere with the successful delivery of legitimate traffic. This allowed for reproducible characterization and comparison of mitigation effectiveness.  For each test, the DDoS attacks were judged to have successfully affected the system upon observation of a 10% drop in legitimate traffic from the established baseline.

The legitimate traffic baseline is configured at 20% percent of the capacity of the BIG-IP VE system, which was an 8vCPU High Performance VE with the BIG-IP AFM module provisioned. Since this system is capable of transacting 40 Gbps, the legitimate traffic baseline was maintained at 8 Gbps.

BIG-IP AFM VE mitigates DDoS attacks by establishing allowed thresholds for various classifications of traffic (for example, UDP, fragments, TCP SYN, etc.). Once the threshold for a particular traffic type has been exceeded, the system can be configured to drop all traffic that matches that classification. This relieves the system from further costs associated with processing that type of traffic. While software-based DDoS solutions can provide some benefit compared to an unprotected system, limitations on the ability of the software to process packets at line rate mean that software mitigation cannot completely prevent the effects of a DDoS attack.

The next step in the test was to establish the rate of DDoS traffic required to begin interrupting legitimate traffic with only the software solution in place. This was done to allow for a performance comparison between a software-only solution and the BIG-IP VE for SmartNICs solution. The architectural system configuration for the BIG-IP AFM test can be seen in Figure 6.

DDoS mitigation performance data for BIG-IP AFM VE was captured for three different DDoS attack types in order to allow for a more comprehensive analysis. The attack types for this simulation included:

• Attack Type 1 – UDP Flood Attack: This stateless volumetric attack is performed by sending a large number of User Datagram Protocol packets to a target server with the aim of impacting that server’s ability to process and respond.
• Attack Type 2 – Christmas Tree Attack: This attack uses Christmas tree packets, so called because they have all options set to ‘on’ so that any protocol can be used, making them appear “lit up like a Christmas tree.” These packets require much more processing power than other packets and can quickly consume an end devices computational capacity when sent in large quantities.
• Attack Type 3 – IP Short Fragment Attack: This common volumetric DDoS attack overwhelms a network by exploiting the process of datagram fragmentation. Typically achieved by sending fake packets that are unable to be reassembled and larger than the networks Maximum Transmission Unit (MTU), these attacks quickly overwhelm servers by exhausting CPU resources.

Figure 7 shows the volume of traffic, in Gbps, required for each of these attack types to impact good traffic when using BIG-IP AFM VE (software-only).

Not all DDoS attacks are created equal. Some are more widely distributed across the system than others, and some attacks require more packet inspection and parsing before they can be identified. This causes the effectiveness of DDoS attacks to vary, as can be seen in the graph above. These three simulated attack methods demonstrate that legitimate traffic can be impacted by DDoS attacks at relatively low throughputs when using software-only solutions.

The BIG-IP VE for SmartNICs solution is composed of an 8vCPU High Performance AFM VE (same as that used in the software-only test) integrated with an Intel FPGA PAC N3000 SmartNIC. This allows DDoS protection to be offloaded to the SmartNIC. The FPGA embedded within this SmartNIC has been programmed to automatically detect and block over 100 different types of known DDoS attacks while also using behavioural analytics to mitigate unknown, evolving threats.

By monitoring packet reception rates for all the programmed traffic profiles within ingress traffic, and comparing against acceptable, configured thresholds, the FPGA can determine when a threshold has been exceeded. When this occurs, the FPGA enacts the appropriate policies to drop traffic that exceeds configured maximums. This protects the CPU subsystem from processing packet traffic that ultimately will be dropped due to the DDoS mitigation policy. Because the FPGA is capable of classifying packet traffic at line rate (unlike the CPU subsystem), the SmartNIC-enabled solution provides marked benefits over the software-only solution.

For the next step in this demonstration, the SmartNIC-enabled solution was subjected to the same three DDoS attacks within the test environment. As before, the objective was to identify the rate of DDoS traffic required to impact the stream of legitimate traffic. Figure 8 shows the architectural system configuration for the BIG-IP VE for SmartNICs test.

The results from this test are shown in Figure 9.

It was observed that F5’s software-only DDoS solution (BIG-IP AFM VE) can provide some level of protection against small-scale attacks before legitimate traffic was adversely effected, but this solution could not prevent negative impacts from larger attacks. Integrating the BIG-IP AFM VE with Intel’s FPGA PAC N3000 SmartNIC to form the BIG-IP VE for SmartNICs solution yielded marked performance improvements. By offloading responsibility for mitigating DDoS threats from the BIG-IP AFM VE to an FPGA within the SmartNIC, the combined solution was able to withstand attacks 41 to 381 times greater in magnitude, including attacks with a rate of 30Gbps and higher. For organizations and service providers with cloud-first imperatives, this solution delivers the high-performance protection of purpose-built hardware, while offering the flexibility and agility of cloud environments. Further, because FPGAs can be reprogrammed, it is possible for them to augment other network and security functions as threats evolve.

¹ G. D. Hakem Beitollahi, Analyzing well-known countermeasures against distributed denial of service attacks, Computer Communications, 2012.
² H. W. Chuan Yue, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, p. 347–356, 2009.
³ A. M. Christos Douligeris, "DDoS attacks and defense mechanisms: classification and state-of-the-art," Computer Networks, vol. 44, no. 5, pp. 643-666, 2004.
⁴ G. D. Hakem Beitollahi, "Analyzing well-known countermeasures against distributed denial of service attacks," Computer Communications, vol. 35, no. 11, pp. 1312-1332, 2012.
⁵ M. Prince, "Deep Inside a DNS Amplification DDoS Attack," CloudFlare, 30 10 2012. [Online]. Available: https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/. [Accessed 1 11 2015].
⁶ US-CERT, "UDP-Based Amplification Attacks," 19 August 2015. [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA14-017A.
⁷ Y. T. W. D. Shigang Chen, "Stateful DDoS attacks and targeted filtering," Journal of Network and Computer Applications, vol. 30, no. 3, pp. 823-840, 2007.
⁸ https://www.incapsula.com/ddos/attack-glossary/rudy-r-u-dead-yet.html, "R.U.D.Y. (R-U-Dead-Yet?)," [Online]. Available: https://www.incapsula.com/ddos/attack-glossary/rudy-r-u-dead-yet.html. [Accessed 9 12 2015].