Traffic filtering using NIC capabilities at wire speed (10GE, 14Mpps)

NIC hardware filtering is a topic that is very rarely covered, but it is very useful.

For this you will need a modern 10GE NIC (for example an Intel 520, Intel 540, Intel XL710, or any NIC based on the Intel 82599 chipset). I will use a NIC with the Intel 82599 chipset and the ixgbe driver.

First of all, use the Intel drivers from SourceForge instead of the driver bundled with your Linux distribution, because the bundled driver exposes very little of the hardware's functionality.

We will use ethtool to manage the NIC's capabilities, so please install it.

Let’s go!

We need to tune the NIC driver and enable its hardware filtering capability.

Open the driver configuration file:

and put the following text there:

After reconfiguring, unload and reload the driver:

Why do we set FdirPballoc to 3? Because this parameter selects the number of hardware filtering rules, and we chose the option with the maximum number of rules:

Look at dmesg and check the number of rules reported in the debug messages:

Enable NIC hardware filtering support at runtime:

Because many distros ship outdated ethtool man pages, I have reproduced the part most important for traffic filtering here:

For testing purposes I started a simulated DDoS attack with the trafgen tool at 8 million packets per second (although this approach can mitigate attacks of up to 14 Mpps with ease):

Look at the server load. It is a very sad picture 🙁 Our server is completely overloaded.

Let's try to build a traffic filter against this attack (action "-1" means drop the traffic):

Check the rule list:

How to remove a hardware filtering rule in case of a mistake:

Look at top and check the server load:

Looks very nice, doesn't it? Here is how to check how many packets were rejected by this filter rule:
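As an added example that is not part of the original post, here is a small POSIX shell wrapper for the steps walked through above: enable ntuple filtering, add a drop rule, list and delete rules, and count the rules in an ethtool listing. The interface name eth5, the port numbers and the abbreviated `ethtool -u` listing are constructed assumptions; with DRY_RUN=1 (the default) the functions only print the ethtool commands instead of executing them, so it runs without root or a real NIC.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the ixgbe ntuple
# (Flow Director) workflow with ethtool. DRY_RUN=1 prints commands only.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Enable hardware n-tuple filtering at runtime (ethtool -K <iface> ntuple on).
enable_hw_filter() { run ethtool -K "$1" ntuple on; }

# Build the ethtool command that drops all traffic of one flow type to one
# destination port. action -1 is the hardware "drop" action. Rejects unknown
# flow types and ports outside 1..65535 so a typo cannot produce a bad rule.
drop_rule_cmd() {
    iface=$1; proto=$2; port=$3
    case "$proto" in
        udp4|tcp4) ;;
        *) echo "unsupported flow-type: $proto" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] \
        || { echo "bad port: $port" >&2; return 1; }
    echo "ethtool -U $iface flow-type $proto dst-port $port action -1"
}

add_drop_rule() { cmd=$(drop_rule_cmd "$@") || return 1; run $cmd; }
list_rules()    { run ethtool -u "$1"; }
delete_rule()   { run ethtool -U "$1" delete "$2"; }  # $2 = Filter id from 'ethtool -u'

# Drop the UDP services abused for amplification that the post names:
# DNS (53), SNMP (161), CHARGEN (19). Interface name is an assumption.
block_amplification() {
    for p in 53 161 19; do add_drop_rule "$1" udp4 "$p" || return 1; done
}

# Count installed rules in 'ethtool -u' output: one "Filter: <id>" line per rule.
count_rules() { awk '/^Filter: /{n++} END{print n+0}'; }

# Constructed, abbreviated sample of 'ethtool -u eth5' output with two drop rules.
SAMPLE_LISTING='16 RX rings available
Total 2 rules

Filter: 2045
	Rule Type: UDP over IPv4
	Dest port: 53 mask: 0x0
	Action: Drop
Filter: 2046
	Rule Type: UDP over IPv4
	Dest port: 161 mask: 0x0
	Action: Drop'
```

Run with `DRY_RUN=0` as root to actually apply the rules, e.g. `enable_hw_filter eth5 && block_amplification eth5`.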

As you can see, this is a very fast and straightforward way to mitigate attacks aimed at saturating the link.

You can block DNS/SNMP/CHARGEN amplification attacks with this approach, but keep its restrictions in mind: we can filter traffic only by protocol, port and specific IPs. If you need to filter by TCP flags or by packet length, you will need a complete firewall.