Introducing SmartNICs in Server-Based Data Plane Processing: The DDoS Mitigation Use Case

In recent years, the complexity of the network data plane and its requirements in terms of agility have increased significantly, with many network functions now implemented in software and executed directly on datacenter servers. To avoid bottlenecks and to keep up with ever-increasing network speeds, recent approaches propose moving software packet processing into kernel space using technologies such as eBPF/XDP, or offloading part of it to specialized hardware, the so-called SmartNICs. This paper aims at guiding the reader through the intricacies of the above-mentioned technologies, leveraging SmartNICs to build a more efficient processing pipeline and providing concrete insights on their usage for a specific use case, namely the mitigation of Distributed Denial of Service (DDoS) attacks. In particular, we enhance the mitigation capabilities of edge servers by transparently offloading a portion of the DDoS mitigation rules to the SmartNIC, thus achieving a balanced combination of the flexibility of XDP for traffic sampling and aggregation in the kernel with the performance of hardware-based filtering. We evaluate the performance of different combinations of host- and SmartNIC-based mitigation, showing that offloading part of the DDoS network function to the SmartNIC can indeed optimize packet processing, but only if combined with additional processing in the host kernel space.
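The two-tier pipeline the abstract describes (a small, fast hardware filter in the SmartNIC fed by sampling and aggregation done on the host) can be modelled in user space to make the split concrete. The following C program is an added example, not code from the paper or from any SmartNIC vendor: it assumes a NIC table of only four exact-match rules, a host table of sixty-four, and a simple policy (an assumption, since the abstract does not say which rules are offloaded) of promoting the blocked sources with the most observed hits into the NIC table. Source addresses are constructed from RFC 5737 documentation ranges.

```c
/*
 * Model of a two-tier DDoS mitigation pipeline (added example, not the paper's code).
 * Tier 1 stands in for the SmartNIC: a tiny exact-match table of blocked sources.
 * Tier 2 stands in for the host XDP program: a larger blocklist that also counts
 * hits per source (the "sampling and aggregation" step) and periodically promotes
 * the heaviest hitters into the NIC table.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NIC_TABLE_CAPACITY 4      /* assumption: scarce hardware table entries */
#define HOST_TABLE_CAPACITY 64    /* assumption: host-side blocklist size */

enum verdict { VERDICT_PASS, VERDICT_DROP_NIC, VERDICT_DROP_HOST };

struct rule { uint32_t src; uint64_t hits; };

struct pipeline {
    struct rule nic[NIC_TABLE_CAPACITY];   int nic_len;
    struct rule host[HOST_TABLE_CAPACITY]; int host_len;
    uint64_t nic_drops, host_drops, passed;
};

uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static struct rule *find_rule(struct rule *table, int len, uint32_t src)
{
    for (int i = 0; i < len; i++)
        if (table[i].src == src)
            return &table[i];
    return NULL;
}

void pipeline_init(struct pipeline *p) { memset(p, 0, sizeof *p); }

/* New rules always land in the host table; only pipeline_rebalance() moves
 * rules into the NIC table. Returns -1 when the host table is full. */
int pipeline_block(struct pipeline *p, uint32_t src)
{
    if (find_rule(p->nic, p->nic_len, src) || find_rule(p->host, p->host_len, src))
        return 0;                               /* already blocked */
    if (p->host_len == HOST_TABLE_CAPACITY)
        return -1;
    p->host[p->host_len++] = (struct rule){ .src = src, .hits = 0 };
    return 0;
}

/* Per-packet path: the NIC table is consulted first, so a hit there never
 * reaches the host; otherwise the host blocklist decides, counting hits. */
enum verdict pipeline_process(struct pipeline *p, uint32_t src)
{
    struct rule *r = find_rule(p->nic, p->nic_len, src);
    if (r) { r->hits++; p->nic_drops++; return VERDICT_DROP_NIC; }
    r = find_rule(p->host, p->host_len, src);
    if (r) { r->hits++; p->host_drops++; return VERDICT_DROP_HOST; }
    p->passed++;
    return VERDICT_PASS;
}

static int by_hits_desc(const void *a, const void *b)
{
    const struct rule *ra = a, *rb = b;
    return (ra->hits < rb->hits) - (ra->hits > rb->hits);
}

/* Aggregation step: rank every rule by observed hits, keep the heaviest
 * NIC_TABLE_CAPACITY in hardware and leave the rest on the host. */
int pipeline_rebalance(struct pipeline *p)
{
    struct rule all[NIC_TABLE_CAPACITY + HOST_TABLE_CAPACITY];
    int n = 0;
    for (int i = 0; i < p->nic_len; i++)  all[n++] = p->nic[i];
    for (int i = 0; i < p->host_len; i++) all[n++] = p->host[i];
    qsort(all, (size_t)n, sizeof all[0], by_hits_desc);
    p->nic_len = p->host_len = 0;
    for (int i = 0; i < n; i++) {
        if (i < NIC_TABLE_CAPACITY) p->nic[p->nic_len++] = all[i];
        else                        p->host[p->host_len++] = all[i];
    }
    return p->nic_len;
}

int pipeline_in_nic(const struct pipeline *p, uint32_t src)
{
    return find_rule((struct rule *)p->nic, p->nic_len, src) != NULL;
}

/* Constructed scenario: six blocked sources sending 10, 20, ..., 60 packets each
 * plus one legitimate client, over two rounds with a rebalance in between. */
void run_demo(struct pipeline *p)
{
    uint32_t attackers[6], legit = ip4(192, 0, 2, 10);   /* constructed addresses */
    pipeline_init(p);
    for (int i = 0; i < 6; i++) {
        attackers[i] = ip4(198, 51, 100, i + 1);
        pipeline_block(p, attackers[i]);
    }
    for (int round = 0; round < 2; round++) {
        for (int i = 0; i < 6; i++)
            for (int k = 0; k < (i + 1) * 10; k++)
                pipeline_process(p, attackers[i]);
        pipeline_process(p, legit);
        if (round == 0)
            pipeline_rebalance(p);   /* heaviest four sources move to the NIC */
    }
}

int main(void)
{
    struct pipeline p;
    run_demo(&p);
    printf("NIC drops: %llu, host drops: %llu, passed: %llu\n",
           (unsigned long long)p.nic_drops, (unsigned long long)p.host_drops,
           (unsigned long long)p.passed);
    return 0;
}
```

In the first round every drop costs a host-side lookup; after the rebalance the four heaviest sources are dropped in the modelled NIC and only the two lightest still reach the host, which is the effect the abstract attributes to combining hardware filtering with host-side aggregation. The promotion policy and table sizes are the assumptions to revisit for a real deployment.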
