Anti-DDoS system acceleration
At CESNET, we develop our system for protection against Distributed Denial of Service (DDoS) attacks to protect our high-speed network infrastructure. We were able to deploy our Anti-DDoS system based on commodity NICs for link speeds up to 100 Gbps. However, our backbone consists of 400 Gbps links. For such speeds, we need a customized solution and 400G-capable NICs.
Our solution is based on hardware acceleration of specific parts of the application. We offload specific packet operations into hardware using the DPDK RTE Flow technology. The drawback of this approach is that we were highly limited by the capabilities of the particular commodity NICs. Either they provide efficient hardware acceleration with a low amount of resources (a limited number of filtering rules and flow tables) and insufficient capabilities (a lack of specific packet operations), or the available NIC resources are sufficient but the performance in terms of packet rate is not so high.
Porting our application to DYNANIC gives us the possibility to make the hardware acceleration work for us in both directions: having a decent amount of resources and utilizing the packet operations we need, while preserving high packet rate throughput. At the same time, we can use the standardized DPDK APIs.
Jan Kučera
Team leader at DDoS attacks mitigation group