Cloud-Native 5G Security: Are SmartNICs The Solution Against Evolving DDoS Threats?

5G’s Scary Side: Evolving Security Threats

What’s not to love about the prospect of a world where ultra-low latency, ultra-high bandwidth data networks are commonplace? While Service Providers across the globe are entrenched in a race to make this a reality, there are some reservations among the security community about the next generation of DDoS threats that is likely to emerge.

DDoS attacks among service providers have already been rising in recent years. F5’s Security Incident Response Team observed a huge spike in the percentage of DDoS related attacks on SP customers -- from around 31% in 2018 to 77% in 2019. Unsurprisingly, 5G is expected to accentuate this trend as it effectively forms a breeding ground for DDoS. The hyperconnectivity boasted by 5G will connect far more IoT and Smart devices to public networks, and coupling this with hefty bandwidth increases means attackers will require botnets with fewer devices to execute attacks far greater in size than even the 2.3Tbps attack launched against an AWS customer recently.

And at a time when Service Providers themselves are using more virtualized infrastructure for improved agility and reduced total cost of ownership, they also need to incorporate agile and scalable defenses against these hyperscale DDoS attacks into the design of their 5G edge and core networks.

SmartNIC offload: The latest weapon in 5G’s arsenal against DDoS

By hosting onboard programmable components such as FPGAs, NPUs or SoCs, SmartNICs are able to perform specified networking functions on behalf of applications running on COTS servers -- alleviating strain on compute resources and significantly improving the performance of those functions. The ability to be re-programmed as needs change also helps deliver the architectural flexibility and agility that organizations deploying cloud-native network functions desire.

It’s no secret that cloud-native DDoS solutions running on x86 COTS servers lack the performance of custom, purpose-built hardware offerings – but this is a tradeoff many organizations shifting to the cloud are willing to make in pursuit of greater agility.

Offloading responsibility for blocking DDoS attacks to pre-programmed hardware within a SmartNIC, however, offers the best of both worlds – delivering the performance of hardware while maintaining the agility of software, at a lower TCO.

The first, and only current, carrier-grade example of this is F5®’s BIG-IP® Virtual Edition for SmartNICs solution -- which comprises F5® BIG-IP® Advanced Firewall Manager™ (AFM) Virtual Edition (a virtual DDoS solution) integrated with the Intel® FPGA Programmable Acceleration Card N3000 (an FPGA-based SmartNIC). By programming the embedded FPGA, leveraging F5’s 10+ years of FPGA expertise, the SmartNIC is able to detect and block DDoS attacks on behalf of the BIG-IP AFM VE. Impressively, the joint solution is capable of mitigating attacks up to 300X greater in magnitude than a comparable software-only solution, easily thwarting complex attacks over 40Gbps in size. Handling DDoS attacks in the SmartNIC liberates up to 70% of the BIG-IP VE’s compute resources during an attack – ensuring continuous delivery of legitimate traffic to destination applications. Further, because less compute is required, CPUs can be liberated and designated to other functions, which can improve application delivery and security while reducing TCO by up to 47%. Now, let’s look at a logical 5G deployment scenario for this solution.

SmartNIC Augmented DDoS Protection at the Edge

Within the context of a 5G architecture the most logical place to stop an attack would be at the edge – offloading attacks and preventing volumetric malicious traffic from stealing network bandwidth from legitimate users across multiple sites, and cutting edge-to-core data transfer costs cumulatively over time. And given service providers are electing to virtualize edge nodes as much as possible in order to reduce node costs and allow deployment of more nodes, SmartNIC augmented virtual DDoS solutions like F5’s BIG-IP VE for SmartNICs are well suited for protecting 5G networks at the edge.

There’s another reason F5’s BIG-IP VE for SmartNICs solution is well equipped for this edge use case. While using a SmartNIC technically adds another bump-in-the-wire, this solution has no detrimental effect on latency. The inspection and removal of malicious DDoS packets occurs at line rate meaning that ultra-fast 5G connections are always maintained.


Figure 1 Inserting BIG-IP VE for SmartNICs solution at the edge prevents attacks from reaching the core network

Of course, this solution is just as effective in scenarios where DDoS protection must be implemented at the core instead of, or in addition to, the edge as an extra layer of defense.

It’s likely that in the future, SmartNIC usage within 5G networks will extend beyond just DDoS protection as other security and traffic optimization functions begin to be offloaded to these highly programmable components. For more information about F5’s BIG-IP VE for SmartNICs solution please review this F5 Newsroom article or contact F5 sales. Alternatively, performance data for this solution within a test environment can be found in this DevCentral article.

This article was created in collaboration with the sponsoring company and our sales and marketing team. The editorial team does not contribute.