Success Stories

Anti-DDoS system acceleration

In CESNET, we develop our own system for protection against Distributed Denial of Service (DDoS) attacks to protect our high-speed network infrastructure. We were able to deploy our Anti-DDoS system based on commodity NICs for link speeds up to 100 Gbps. However, our backbone consists of 400 Gbps links. For such speeds, we need a customized solution and 400G-capable NICs.

Our solution is based on hardware acceleration of specific parts of the application. We offload specific packet operations into hardware using the DPDK RTE Flow technology. The drawback of this approach is that we were highly limited by the capabilities of particular commodity NICs. Either they provide efficient hardware acceleration with a low amount of resources (a limited number of filtering rules and flow tables) and insufficient capabilities (a lack of specific packet operations), or the available NIC resources are sufficient but the performance in terms of packet rate is not so high.

Porting our application to DYNANIC gives us the possibility to make hardware acceleration work for us in both directions: having a decent amount of resources and utilizing the packet operations we need, while preserving high packet-rate throughput. At the same time, we can use the standardized DPDK APIs.

Jan Kučera

Team leader at DDoS attacks mitigation group

High-speed network traffic monitoring

Good network traffic monitoring on high-speed backbone networks demands the use of high-end hardware. For this reason, CESNET's high-speed network infrastructure relies on FPGA-based cards, which deliver high performance and enormous flexibility that is not available on commodity NICs.

FPGAs enable us to efficiently capture, filter, divert or tag all traffic of interest at very high speeds, over which a subsequent thorough analysis is performed to detect network anomalies or malicious traffic. In particular, the capability to continuously adapt the entire solution to the target network, which may contain exotic or state-of-the-art network protocols (e.g., for tunneling or routing traffic), is a significant benefit.

The FPGA cards are easily adapted to meet our current needs. Over time, we have gradually utilized hardware from various vendors. The ability to deploy the same software and firmware stack across different cards with different network speeds allows us to rely on the same acceleration, capabilities, software interface and identical behavior across our entire monitoring solution. Compared to conventional network cards, we don't have to limit ourselves to basic common features or deal with the different behaviors of various vendors or even their product families.

The final solution is actively deployed around the perimeter of our backbone network and includes several 100 Gbps metering points. Preparations are already underway for future deployments on 400 Gbps links.

Lukáš Huták

Monitoring infrastructure group