Success Stories

Anti-DDoS system acceleration

At CESNET, we develop our system for protection against Distributed Denial of Service (DDoS) attacks to protect our high-speed network infrastructure. We were able to deploy our Anti-DDoS system based on commodity NICs for link speeds up to 100 Gbps. However, our backbone consists of 400 Gbps links. For such speeds, we need a customized solution and 400G-capable NICs.

Our solution is based on hardware acceleration of specific parts of the application. We offload specific packet operations into hardware using the DPDK RTE Flow technology. The drawback of this approach is that we were highly limited by the capabilities of the particular commodity NICs. Either they provide efficient hardware acceleration with a low amount of resources (a limited number of filtering rules and flow tables) and insufficient capabilities (a lack of specific packet operations), or the available NIC resources are sufficient but performance in terms of packet rate is not as high.

Porting our application to DYNANIC gives us the possibility to make the hardware acceleration work for us in both directions: having a decent amount of resources and utilizing the packet operations we need, while preserving high packet rate throughput. At the same time, we can use the standardized DPDK APIs.

Jan Kučera

Team leader at DDoS attacks mitigation group

High-speed network traffic monitoring

Good network traffic monitoring on high-speed backbone networks demands the use of high-end hardware. For this reason, CESNET's high-speed network infrastructure relies on FPGA-based cards, which deliver high performance and enormous flexibility that is not available on commodity NICs.

FPGAs enable us to efficiently capture, filter, divert or tag all traffic of interest at very high speeds, over which a subsequent thorough analysis is performed to detect network anomalies or malicious traffic. In particular, the capability to continuously adapt the entire solution to the target network, which may contain exotic or state-of-the-art network protocols (e.g., for tunneling or routing traffic), is a significant benefit.

The FPGA cards are easily adapted to meet our current needs. Over time, we have gradually utilized hardware from various vendors. The ability to deploy the same software and firmware stack across different cards with different network speeds allows us to rely on the same acceleration, capabilities, software interface and identical behavior across our entire monitoring solution. Compared to conventional network cards, we don't have to limit ourselves to basic common features or deal with the different behaviors of various vendors or even their product families.

The final solution is actively deployed around the perimeter of our backbone network and includes several 100 Gbps metering points. Preparations are already underway for future deployments on 400 Gbps links.

Lukáš Huták

Monitoring infrastructure group

High-performance L7 load balancing

Efficient distribution of user requests across application servers with minimal latency requires a SmartNIC capable of processing application-layer attributes (such as URLs) at high speed. Traditional software-based load balancers often struggle to handle growing traffic demands efficiently, making hardware acceleration a key enabler for low-latency and high-throughput solutions.

By leveraging FPGA-based SmartNICs, we achieve sub-microsecond latency for routing application requests while ensuring consistent session handling. This is crucial for maintaining performance and avoiding unnecessary delays introduced by software-based solutions.

The DYNANIC FPGA-accelerated SmartNIC enhances L7 load balancing through a high-performance processing pipeline with:

  • Pattern Matching for URL Classification: The SmartNIC analyzes the first packets of a connection, performing URL classification using a high-speed pattern-matching engine.
  • Stateful Connection Tracking: Once a target server is identified, the SmartNIC maintains stateful connection tracking, ensuring all subsequent packets of the session are forwarded to the same server.
  • Zero CPU Overhead Data Forwarding: Throughout the entire session, the SmartNIC automatically forwards traffic between the user and the application server, completely bypassing CPU-based processing.

The SmartNIC-powered load balancing solution is designed to scale with increasing traffic demands. The ability to process thousands of unique URL rules at 400 Gbps line rate enables high-performance L7 load balancing that is adaptable to both current and future network infrastructures.

With FPGA-accelerated pattern matching and SmartNIC-based traffic processing, the DYNANIC solution is ideal for modern high-speed data centers and cloud environments.

Lukáš Kekely

CTO @ DYNANIC
