Using Hardware Filters to Drop Packets | A Performance-Optimised Approach
Efficient Packet Filtering | How Hardware Filters Reduce CPU Load in High-Traffic Networks

Dropping packets in software is not free. Every incoming packet consumes resources (a buffer allocation, a DMA into host memory, rule matching in the kernel's network stack and a decision) before it can be discarded. On high-throughput links, or when the traffic is malicious, as in a Distributed Denial of Service (DDoS) attack, this per-packet work can saturate even a powerful CPU. Hardware filters address this by offloading the filtering decision to the Network Interface Card (NIC) or SmartNIC, so unwanted packets are discarded before they reach the host and the CPU cycles are left for other work.
Why Use Hardware Filters?
Efficiency: Hardware filters match and drop packets on the NIC itself, so a dropped packet is never copied into host memory and never traverses the operating system's network stack.
Performance: Offloading filtering to hardware ensures the system can handle large volumes of traffic, such as on 100 Gbps network links.
Resource Optimisation: Freeing up CPU cycles allows them to be dedicated to application or service hosting, improving overall performance.
Intel's Hardware Filtering with Flow Director
Intel NICs and SmartNICs offer a feature called Intel Flow Director, which matches packets on header fields and drops or steers them in hardware. On Linux it is exposed through the ethtool ntuple interface and is supported on several Intel network card families, including:
500 series (Niantic, ixgbe driver)
700 series (Fortville, i40e driver)
800 series (Columbiaville, ice driver)
Checking Compatibility
To verify if your Intel NIC supports Flow Director, use the following commands:
# Enable ntuple filtering
ethtool -K eth0 ntuple on
# Check ntuple status
ethtool -k eth0 | grep ntuple
If the output includes ntuple-filters: on, your NIC is compatible and ready for hardware filtering. If it shows ntuple-filters: off [fixed], the driver does not allow the feature to be changed on that interface and the rest of this guide will not work there. Both commands require root privileges.
Configuring Hardware Filters
To create a filter that drops specific packets, use the ethtool command with the -U flag (upper-case; the lower-case -u flag lists the rules already installed). For example, to drop all UDP traffic from the 10.0.0.0/24 subnet directed at port 123 (NTP), configure the filter as follows:
ethtool -U eth0 flow-type udp4 src-ip 10.0.0.0 m 0.0.0.255 dst-port 123 action -1 loc 42
Explanation of the Rule:
Interface: The rule is applied to the eth0 interface.
Protocol: flow-type udp4 matches UDP over IPv4 traffic.
Source IP: Matches traffic originating from 10.0.0.0/24. The value after m is an inverted ("don't care") mask: bits set to 1 are ignored by the match, so 0.0.0.255 compares only the first 24 bits of the address.
Destination Port: Matches traffic targeted at port 123 (NTP).
Action: The -1 action instructs the NIC to drop the packet. A non-negative value instead directs matching packets to that RX queue, which is the same mechanism used for traffic steering.
Location: The rule is stored as entry 42 in the NIC's filter table. Rules are processed in ascending numerical order.
Note that on the 500 series (ixgbe) all Flow Director rules on a port must share a single mask; the driver rejects a rule whose mask differs from the rules already installed. Rules also live only in the NIC and driver state, so they are lost on reboot or driver reload and must be reapplied from a boot script.
Verifying & Managing Rules
To confirm the applied rules, use:
ethtool -u eth0
Example output:
16 RX rings available
Total 1 rules
Filter: 42
Rule Type: UDP over IPv4
Src IP addr: 10.0.0.0 mask: 0.0.0.255
Dest IP addr: 0.0.0.0 mask: 255.255.255.255
TOS: 0x0 mask: 0xff
Src port: 0 mask: 0xffff
Dest port: 123 mask: 0x0
Action: Drop
Removing Rules
If a rule is no longer required, it can be deleted using its location identifier:
ethtool -U eth0 delete 42
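The steps above (check support, build the rule, verify, delete) are usually scripted rather than typed by hand. The bash helpers below are an added example, not code from the original article or from Fusion: they compute the inverted mask from a CIDR prefix, generate the exact ethtool -U command shown above, classify the ntuple-filters line from ethtool -k (including the off [fixed] case), and summarise an ethtool -u report one rule per line. The interface name eth0, the rule list, the SAMPLE_REPORT text and the APPLY environment variable are assumptions made for the example; nothing touches a NIC unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): helpers for ethtool
# ntuple/Flow Director drop rules. Interface name, rule list and the sample
# report are constructed for illustration. No command here touches a NIC
# unless APPLY=1 is set, so the logic can be exercised on any machine.

set -u

# Convert a CIDR prefix length (0-32) into the inverted "don't care" mask that
# ethtool -U takes after the "m" keyword: bits set in the mask are ignored by
# the match, so /24 becomes 0.0.0.255 and /32 becomes 0.0.0.0.
cidr_to_dontcare_mask() {
    host_bits=$((32 - $1))
    mask=$(( (1 << host_bits) - 1 ))
    printf '%d.%d.%d.%d\n' \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# Build the ethtool command that drops <proto> (udp|tcp) from <cidr> to
# <dst-port>, stored at filter location <loc>. Only the string is produced.
drop_rule_cmd() {
    iface=$1 proto=$2 cidr=$3 dport=$4 loc=$5
    net=${cidr%/*}
    prefix=${cidr#*/}
    [ "$prefix" = "$cidr" ] && prefix=32   # bare address: exact match
    printf 'ethtool -U %s flow-type %s4 src-ip %s m %s dst-port %s action -1 loc %s\n' \
        "$iface" "$proto" "$net" "$(cidr_to_dontcare_mask "$prefix")" "$dport" "$loc"
}

# Interpret the ntuple-filters line from `ethtool -k <iface>` output.
#   0: on           (ready for hardware filtering)
#   1: off          (supported; enable with: ethtool -K <iface> ntuple on)
#   2: off [fixed]  (driver or NIC cannot change it: no hardware filtering)
#   3: line not found
ntuple_state() {
    case "$1" in
        *'ntuple-filters: on'*)          return 0 ;;
        *'ntuple-filters: off [fixed]'*) return 2 ;;
        *'ntuple-filters: off'*)         return 1 ;;
        *)                               return 3 ;;
    esac
}

# Summarise an `ethtool -u <iface>` report read from stdin as one line per
# rule, so a large filter table can be audited (or diffed) at a glance.
summarise_rules() {
    awk '
        /Filter:/      { loc = $2 }
        /Src IP addr:/ { src = $4; ignore = $6 }
        /Dest port:/   { dport = $3 }
        /Action:/      { act = $0; sub(/.*Action: /, "", act)
                         print "loc=" loc " src=" src " ignore=" ignore \
                               " dport=" dport " action=" act }
    '
}

# Constructed `ethtool -u` report in the format the article shows.
SAMPLE_REPORT='16 RX rings available
Total 1 rules

Filter: 42
  Rule Type: UDP over IPv4
  Src IP addr: 10.0.0.0 mask: 0.0.0.255
  Dest IP addr: 0.0.0.0 mask: 255.255.255.255
  TOS: 0x0 mask: 0xff
  Src port: 0 mask: 0xffff
  Dest port: 123 mask: 0x0
  Action: Drop'

# Hypothetical rule set to install: proto cidr dst-port loc
RULES='udp 10.0.0.0/24 123 42
udp 192.0.2.0/24 53 43
tcp 198.51.100.7 22 44'

# Print (APPLY unset) or run (APPLY=1) the drop rules for one interface,
# after confirming the interface can actually do ntuple filtering.
install_drop_rules() {
    iface=$1
    if [ "${APPLY:-0}" = 1 ]; then
        rc=0; ntuple_state "$(ethtool -k "$iface")" || rc=$?
        case $rc in
            0) ;;
            1) ethtool -K "$iface" ntuple on ;;
            *) echo "$iface: no ntuple filtering support" >&2; return 1 ;;
        esac
    fi
    printf '%s\n' "$RULES" | while read -r proto cidr dport loc; do
        cmd=$(drop_rule_cmd "$iface" "$proto" "$cidr" "$dport" "$loc")
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

install_drop_rules eth0          # dry run: prints the three ethtool commands
printf '%s\n' "$SAMPLE_REPORT" | summarise_rules
```

Run it without APPLY to review the generated commands, then as root with APPLY=1 to install them. Because rules do not survive a reboot or driver reload, the script is the natural place to keep them. Note that the hypothetical rule list mixes a /24 and a /32 source mask: on a 500 series card (ixgbe) the second mask would be rejected because that driver supports one Flow Director mask per port, so on that hardware every rule must use the same prefix length.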
Use Case | Mitigating DDoS Attacks
Hardware filtering is particularly effective for mitigating DDoS attacks. By offloading packet drops directly to the NIC, it keeps the host CPU free so that critical services remain operational. Note what it does and does not protect: the packets still arrive at the port and consume link bandwidth before the NIC discards them, so a hardware filter defends the host, not the capacity of the upstream link, and it can only match on the header fields the NIC understands. Typical uses:
Block incoming traffic from known malicious IP ranges.
Drop specific protocols (e.g., UDP amplification attack vectors).
Filter non-essential traffic during peak loads.
Leveraging Hardware Filtering in Fusion's SD-WAN Solution
Fusion's SD-WAN solution takes full advantage of advanced hardware filtering capabilities, ensuring that high-performance traffic management is achieved without overwhelming system resources. By integrating Intel Flow Director and similar hardware filtering technologies into its edge devices, Fusion's SD-WAN offloads traffic filtering tasks directly to the network interface card (NIC). This allows for more efficient traffic handling, even under heavy loads, and ensures that mission-critical services remain protected from attacks such as DDoS or other malicious traffic.
Key Benefits of Hardware Filtering in Fusion's SD-WAN:
Optimised Performance: By using hardware to filter traffic, Fusion's SD-WAN ensures that packet drops and filtering do not burden the CPU. This is crucial for maintaining high throughput on large-scale deployments, particularly in environments with 100 Gbps or higher network links.
Scalable Security: With hardware-based filtering, Fusion's SD-WAN can easily scale to handle large amounts of traffic while still being able to block unwanted packets based on source IP, protocol, or port, without affecting the overall network performance.
DDoS Mitigation: In the face of DDoS attacks, Fusion's SD-WAN can rapidly identify and block malicious traffic at the NIC level. This helps mitigate the risk of service degradation or downtime, ensuring that legitimate traffic can continue uninterrupted.
Resource Efficiency: By offloading filtering tasks to the hardware, Fusion's SD-WAN allows the system to use available CPU resources for more productive tasks, such as service hosting or more sophisticated traffic management, while ensuring that filtering tasks are still performed efficiently at the hardware level.
With these hardware filtering capabilities, Fusion's SD-WAN ensures that networks remain fast, secure, and resilient, even when facing high volumes of malicious or non-essential traffic. This seamless integration of hardware acceleration for traffic management enhances the overall performance and reliability of the solution, offering businesses peace of mind in their network security posture.
Wrap
Hardware filters provide a robust and efficient way to handle high-throughput or malicious traffic scenarios, allowing systems to maintain performance and reliability. With tools like Intel Flow Director, organisations can leverage NIC-based filtering to optimise resources and ensure scalability, making it an essential part of any high-performance network architecture.




