If you removed the case of your desktop computer back in the 1990s, one of the first things you’d see is a network interface card (NIC)—the component used for plugging your machine into an Ethernet cable.
Unlikely as it may sound, the humble NIC is now set to help the telecoms industry, and its customers, combat a huge global surge in distributed denial of service (DDoS) attacks. Among other things.
Modern-day NICs do much more than direct traffic. Now known as SmartNICs, this specialist hardware can help solve one of telcos’ biggest challenges: moving to a virtualized architecture that relies on industry-standard servers controlled by CPUs (central processing units). Designed to support network functions in the cloud, these virtual machines are often ill-equipped to cope with major DDoS attacks where large numbers of devices request network resources at the same time. The CPUs would be quickly overwhelmed.
Right now, these CPUs need more protection than ever. According to recent F5 Labs analysis of Security Incident Report (SIRT) data, DDoS attacks accounted for just a tenth of all reported customer incidents in January. By March, they had grown to three times that share of all incidents. What’s more, 4.2% of DDoS attacks reported to the F5 SIRT last year were identified as targeting web apps. This increased six-fold in 2020 to 26%. There are numerous other studies echoing these trends, and it is no mystery why this is happening. Remote working and people spending more time online have significantly heightened both risk levels and available attack surfaces.
One way to protect yourself is to put a dedicated piece of kit, specifically designed to detect and mitigate DDoS attacks, in front of the virtual network. While that is still a viable option, it does reduce some of the cost advantages of going for a full virtual network. The dedicated appliances would also take up valuable space in the compact edge computing centers now being rolled out by telcos to reduce network latency.
Hardware Lends a Hand
At F5, we realized that porting volumetric DDoS mitigation capabilities to a SmartNIC equipped with specialized processors, a.k.a. field-programmable gate arrays (FPGAs), can make a big difference in a more virtualized and cloud-centric world. Crucially, the specialized processors are able to handle much of the heavy lifting and filter the incoming traffic much faster than a traditional software implementation running on CPUs.
It was an insight that prompted us to become the first software company to create an application specially for Intel’s FPGA programmable acceleration card (N3000 SmartNIC). It has been validated and tested by some of the world’s leading service providers.
To bring our vision to life, we programmed the Intel SmartNIC FPGAs the same way we program FPGAs in our own hardware to support the BIG-IP Advanced Firewall Manager (AFM) Virtual Edition solution, which is designed to efficiently block incoming DDoS attacks in cloud environments using hardware acceleration.
By using the SmartNIC to handle network threat intelligence, packet-based analysis, allowlisting, and other DDoS mitigation measures, the solution keeps the CPU cycles free for other functions. This enables the network to keep running as normal. Better still, SmartNICs are extremely fast. The inspection and removal of malicious packets within the SmartNIC occurs at line rate, meaning that both latency and the user experience are unaffected. Indeed, moving specific functions to a SmartNIC, such as DDoS countermeasures, can boost performance and lower latency in both the core and at the network edge.
This isn’t about achieving incremental gains either, and the benefits of harnessing SmartNICs are potentially huge. For example, the F5 BIG-IP VE solution can handle DDoS attacks up to 300x larger than software-only implementations, all while reducing the total cost of ownership by approximately 47%.
By keeping a carrier-grade network secure and readily available, a SmartNIC-based solution means that operators can meet demanding service level agreements and deliver ultra-low latency connections without resorting to costly, high-performance custom hardware.
At the same time, an FPGA can be re-programmed to suit, giving telcos greater architectural flexibility and agility, while also allowing standard servers to focus solely on the core job of handling cloud-native network functions.
Defending with an Edge
With the telecoms industry rapidly adapting to increasingly complex business and consumer demands, Intel’s SmartNIC appears to have arrived in the nick of time.
In a traditional telco network, there may have been a few large data centers with everything centralized. You could deploy a couple of large boxes in front of these to protect them from DDoS attacks. That was then.
Nowadays, physical purpose-built appliances are becoming obsolete as the computing becomes more widely distributed around the network. This includes telcos deploying data centers at the edge of their infrastructure to make demanding apps and services, such as online gaming and virtual reality, respond better.
SmartNICs will play a particularly important role as edge computing becomes more widespread, serving as one of the main lines of defense in a distributed network. And, at F5, we're already talking to several major operators about migrating their DDoS mitigation systems from dedicated hardware over to the technology.
The future certainly looks bright for SmartNICs, which clearly offer an innovative and cost-efficient way to bolster the security and performance of a cloud-native network. F5’s groundbreaking DDoS implementation is strong evidence of this, and many other use cases are likely to follow.
There’s plenty of life in those trusty old network interface cards yet! In fact, thanks to their new and smarter incarnations, their best (and most productive) days are yet to come. Watch this space.
Keen to learn more? Check out our on-demand webinar (DDoS mitigation in virtualised infrastructures using Intel SmartNIC).