Extreme Load Test of Hardware-accelerated Adapter against DDoS Attacks

Transcription

1 Technická 12, Brno SIX research centre is organisation unit of Brno University of Technology, based in the Czech Republic, Brno , Antoninska 548/1, VAT:CZ Extreme Load Test of Hardware-accelerated Adapter against DDoS Attacks Date: Authors: Ing. Zdeněk Martinásek, Ph.D. and Ing. Jan Hajný, Ph.D. Cryptology Research Group crypto.utko.feec.vutbr.cz

2 Abstract This report deals with testing of hardware-accelerated FPGA adapter with filtering developed by INVEA-TECH. During the tests, commercial HANIC firmware based on the NetCOPE development framework was used. Spirent Avalanche 3100B traffic generator was used to generate network traffic. The adapter with HANIC firmware was configured to filter out DDoS SYN Flood attacks and was inserted between the ports of the generator. Three scenarios for application layer protocols FTP, HTTP and SMTP were created. To evaluate the effectiveness of the filter tested, each scenario was run with the filter first disabled and then enabled. The results confirmed ability of the FPGA cards to process network traffic at line rate.

3 1 Testing of Hardware-accelerated Adapter INVEA-TECH hardware-accelerated adapters are equipped with FPGA (Field-programmable Gate Array) chip for network traffic processing at line rate. FPGA card with HANIC firmware was used during the tests to filter out large amount of network traffic generated by Spirent Avalanche 3100B traffic generator. The block scheme of the testbed is depicted in the figure 1. Two 10 Gbps ports of the tester (Port0 ana Port1 ) were used during the test. Port 1 was configured to transmit legitimate traffic and, in addition, the DDoS SYN Flood attacks. Port 0 was configured to emulate servers of selected protocols. Three scenarios for FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol) and SMTP (Simple Mail Transfer Protocol) applicationlayer protocols were created. The DDoS SYN Flood attacks were configured to generate 425,000, 8,750,000 and 425,000 pps (packets per second). The filter was put between the ports and configured to filter out the DDoS SYN Flood attacks while leaving the legitimate traffic without any modification. For each scenario, the test was run with the filtering deactivated first. Then, the filtering was activated. The goal of the testing was to evaluate how helpful the INVEA-TECH FPGA adapters are in a DDoS attack mitigation. The control terminal was used to configure both the tester and the filter. Avalanche 3100B Control terminal Server: FTP HTTP SMTP Client/ DDoS Port0 Port1 NetCOPE FPGA Figure 1: Block scheme of the security testbed 1 SIX research centre

4 Load Hardware-accelerated FPGA Adapter and DDoS Attacks x 10 4 Steady State Ramp Up Ramp Down Time[s] Figure 2: FTP and SMTP load profile graphs 1.1 Scenario Specification In each scenario, the Port1 was configured to generate the client traffic and the DDoS attack on the private IPv4 network. The Port0 was used to emulate the servers with respective services on standard ports on the IPv4 network. In the first scenario, there was an FTP server configured to provide transfers of 1 kb file on ports 20 and 21. In the second scenario, there was an HTTP server configured to provide web page on port 80. In the last scenario, there was an SMTP server configured to provide transfer of message on port 25. In all scenarios, the load was specified by the number of TCP connections per second performing specified task (file transfer, web page load, message transfer) all over the test. This load in every second of test is specified by load profile. Each user performs defined action just once. The load profile graph consists of the Ramp Up phase (rise of the number of TCP connections to the specified level), Steady State phase (hold of the number of connections) and Ramp Down phase (fall of the number of TCP connections to zero). The load profile graph is depicted in the figure 2 for the FTP and SMTP scenario and in the figure 3 for the HTTP scenario. The detailed information regarding the FTP, HTTP and SMTP scenarios is provided in the table 1. 2 SIX research centre

5 Load Hardware-accelerated FPGA Adapter and DDoS Attacks 7 x Time[s] Figure 3: HTTP load profile graph 1.2 Technical Specification and Configuration of the FPGA Adapter COMBO-20G, a two-port, hardware-accelerated 10 Gbps Ethernet card was used during the tests. The card is connected with the host computer over PCI Express bus. This bus provides an interface for high-speed data transmission from the card to the host computer and vice versa. Typical applications of the card are monitoring, processing and generation of the network traffic including advanced acceleration of computation of time-critical operations. The card is based on the Xilinx Virtex-5 FPGA chip. During the test, the HANIC firmware was used as a filter implemented in the FPGA. The HANIC firmware is developed using the NetCOPE environment. The firmware provides the following features: receiving and loss-less, low-latency processing of packets of any size at line rate configurable sampling, filtering and trimming of packets intelligent load-balancing over multiple processor cores precise timestamping with external synchronization using PPS signal (GPS, CDMA, PTP etc.) To filter out the DDoS attacks, the filter was configured to discard incoming packets from IP addresses from which DDoS attack was performed from. The traffic from servers is passed umodified by the filter. 3 SIX research centre

6 Table 1: Detailed test specification. Client Physical port of the traffic generator Port1 Line speed 10Gb/s Packet loss on the FPGA adapter s interface 0 % FTP, SMTP load 50,000 connections/s HTTP load 65,000 connections/s Protocols FTP/HTTP/SMTP Network address/mask /24 Address space Server Physical port of the traffic generator Port0 Line speed 10Gb/s Packet loss on the FPGA adapter s interface 0 % FTP Server port FTP (21) Network address/mask /28 File size 1 kb HTTP Server type Apache/ Server port HTTP (80) Maximum requests 64 Network address/mask /28 Server address File index.html File size 566 kb SMTP Server port SMTP (25) size 300 kb DDoS FTP, SMTP Type SYN flood Packets sent 425,000 Attack duration 14,25 s DDoS HTTP Type SYN flood Packets sent 8,750,000 Attack duration 38,93 s 4 SIX research centre

7 2 Results The results of the tests of the INVEA-TECH hardware-acceleration cards were obtained using the Spirent Avalanche Commander and Avalanche Analyzer applications. The graphical representation of results of all scenarios with the filter disabled is depicted in the figure 4. The success rate of the application-layer transactions is depicted in the graphs. FTP protocol success rate was 1 %, HTTP protocol success rate was 97 % and SMTP protocol success rate was 18 % when the DDoS attack was deployed. The graphical representation of results of all scenarios with the filter enabled is depicted in the figure 5. All the scenarios have 100 % success rate with the filter enabled. The results show the positive impact of the hardware-accelerated adapter with filtering. DDoS attacks were completely mitigated and the network infrastructure was fully operational after the filter was enabled. FTP summary HTTP summary Successful Unsuccessful Aborted SMTP summary 92% < 1% 7% 97% 3% 82% 18% Figure 4: Summary of the results with disabled filtering Successful Unsuccessful Aborted FTP summary HTTP summary SMTP summary 100% 100% 100% Figure 5: Summary of the results with enabled filtering The tables 2 and 3 show the numerical values of all measurements, with 5 SIX research centre

8 the filtering both disabled and enabled. The tables contain the number of total successful, unsuccessful and canceled transactions. A transaction means a file transfer, a web page transfer or a transfer of message from server to clients. Table 2: Summary of the results with disabled filtering FTP HTTP SMTP Total Successful transactions Unsuccessful transactions Canceled transactions Table 3: Summary of the results with enabled filtering FTP HTTP SMTP Total Successful transactions Unsuccessful transactions Canceled transactions SIX research centre

9 3 Conclusion The purpose of the test was to evaluate the ability of the INVEA-TECH hardware-accelerated FPGA adapter with HANIC firmware to filter out the DDoS SYN Flood attack. Three application-layer protocol scenarios were created. The FTP, HTTP and SMTP services were tested against the DDoS SYN Flood attacks of 425,000, 8,750,000 and 425,000 pps (packets per second). The adapter was configured to filter out the traffic of a DDoS attack and was inserted into the trasmission path connecting two 10 Gbps ports of the traffic generator. The measurement of all scenarios was performed with both filtering activated and deactivated. The results show the positive impact of the FPGA adapter with filtering. It is possible to filter out all DDoS traffic with specified strength and leave the legitimate traffic without any modifications by usage of the properly configured HANIC firmware. 7 SIX research centre