🔨Using Hardware Filters to Drop Packets | A Performance-Optimised Approach 🧰
Dropping packets can be a computationally expensive task. Each incoming packet consumes resources—requiring memory allocation, rule matching, and a decision-making process—before it can be discarded. For high-throughput networks or scenarios involving malicious traffic, such as Distributed Denial of Service (DDoS) attacks, this workload can overwhelm even powerful CPUs. This is where hardware filters come in, offloading the packet filtering process to the Network Interface Card (NIC) or SmartNIC, freeing up CPU cycles for other tasks.
Why Use Hardware Filters?
Efficiency: Hardware filters operate directly on the NIC, eliminating the need for packets to traverse the operating system stack before being dropped.
Performance: Offloading filtering to hardware ensures the system can handle large volumes of traffic, such as on 100 Gbps network links.
Resource Optimisation: Freeing up CPU cycles allows them to be dedicated to application or service hosting, improving overall performance.
Intel’s Hardware Filtering with Flow Director
Intel NICs and SmartNICs offer a feature called Intel Flow Director, which allows packet filtering at the hardware level. This feature is supported on various Intel network cards, including:
500 series (Niantic)
700 series (Fortville)
800 series (Columbiaville)
Checking Compatibility
To verify if your Intel NIC supports Flow Director, use the following commands:
# Enable ntuple filtering
ethtool -K eth0 ntuple on
# Check ntuple status
ethtool -k eth0 | grep ntuple
If the output includes ntuple-filters: on, your NIC is compatible and ready for hardware filtering. If it instead reports ntuple-filters: off [fixed], the driver does not allow the feature to be toggled on that interface, and the preceding ethtool -K command will have failed.
Configuring Hardware Filters
To create a filter that drops specific packets, use the ethtool command with the -U flag. For example, to drop all UDP traffic from the 10.0.0.0/24 subnet directed at port 123 (NTP), you can configure the filter as follows:
ethtool -U eth0 flow-type udp4 src-ip 10.0.0.0 m 0.0.0.255 dst-port 123 action -1 loc 42
Explanation of the Rule:
Interface: The rule is applied to the eth0 interface.
Protocol: Matches UDP over IPv4 traffic.
Source IP: Matches traffic originating from 10.0.0.0/24. The m value is an inverted subnet mask: bits set to 1 are ignored when matching, so 0.0.0.255 wildcards the host octet of a /24.
Destination Port: Matches traffic targeted at port 123 (NTP).
Action: The -1 action instructs the NIC to drop the packet.
Location: The rule is stored as entry 42 in the NIC’s filter table. Rules are processed in ascending numerical order.
Verifying & Managing Rules
To confirm the applied rules, use:
ethtool -u eth0
Example output:
16 RX rings available
Total 1 rules
Filter: 42
Rule Type: UDP over IPv4
Src IP addr: 10.0.0.0 mask: 0.0.0.255
Dest IP addr: 0.0.0.0 mask: 255.255.255.255
TOS: 0x0 mask: 0xff
Src port: 0 mask: 0xffff
Dest port: 123 mask: 0x0
Action: Drop
Removing Rules
If a rule is no longer required, it can be deleted using its location identifier:
ethtool -U eth0 delete 42
Use Case | Mitigating DDoS Attacks
Hardware filtering is particularly effective for mitigating DDoS attacks. By offloading packet drops directly to the NIC, it reduces the load on the system, ensuring critical services remain operational. For example:
Block incoming traffic from known malicious IP ranges.
Drop specific protocols (e.g., UDP amplification attack vectors).
Filter non-essential traffic during peak loads.
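The workflow above (checking ntuple support, installing a drop rule, reading it back with ethtool -u, and building a block list of source ranges for the DDoS use case) can be scripted. The following is an added example written for this article; it is not code from the original post, from Intel or from the ethtool project. The interface name eth0, the subnets, port 123 and filter locations are illustrative placeholders, and the sample ethtool -u text is constructed to mirror the example output above so the verification function can be exercised on a machine without a Flow Director NIC. It generalises the inverted-mask step: any IPv4 prefix length is converted to the m wildcard that ethtool expects, and the block-list helper assigns ascending locations so the NIC evaluates the rules in order.

```shell
#!/bin/sh
# Added example, not from the original article or from the ethtool project.
# Interface name, subnets, port and filter locations are placeholders.

# Convert a prefix length into the wildcard ethtool's "m" argument expects:
# a 1 bit means "ignore this bit", so /24 becomes 0.0.0.255.
cidr_wildcard_mask() (
    prefix=${1#*/}
    if [ "$prefix" -eq 0 ]; then
        bits=4294967295                      # /0 ignores every bit
    else
        bits=$(( (1 << (32 - prefix)) - 1 ))
    fi
    printf '%d.%d.%d.%d\n' \
        $(( (bits >> 24) & 255 )) $(( (bits >> 16) & 255 )) \
        $(( (bits >> 8) & 255 ))  $(( bits & 255 ))
)

# Compose (without running) one udp4 drop rule: source subnet -> dest port,
# stored at filter-table location $4.  Mirrors the article's command line.
build_udp_drop_rule() (
    mask=$(cidr_wildcard_mask "$2")
    printf 'ethtool -U %s flow-type udp4 src-ip %s m %s dst-port %s action -1 loc %s\n' \
        "$1" "${2%/*}" "$mask" "$3" "$4"
)

# Block-list variant for the DDoS use case: one rule per source range, at
# ascending locations starting from $3, so the NIC evaluates them in order.
# Arguments: iface port start_loc cidr...
build_blocklist_rules() (
    iface=$1; port=$2; loc=$3; shift 3
    for cidr in "$@"; do
        build_udp_drop_rule "$iface" "$cidr" "$port" "$loc"
        loc=$(( loc + 1 ))
    done
)

# Given the text of `ethtool -u <iface>`, succeed only if a filter exists at
# the given location and its action is Drop.
rule_is_drop() (
    printf '%s\n' "$1" | awk -v loc="$2" '
        /^[[:space:]]*Filter: /              { inblk = ($2 == loc) }
        inblk && /^[[:space:]]*Action: Drop/ { found = 1 }
        END { exit found ? 0 : 1 }'
)

# End-to-end on a real NIC (root, Flow Director-capable card): enable ntuple,
# confirm the driver accepted it, install the rule, then read it back.
apply_and_verify() {
    iface=$1; cidr=$2; port=$3; loc=$4
    ethtool -K "$iface" ntuple on || return 1
    ethtool -k "$iface" | grep -q 'ntuple-filters: on' || return 1
    ethtool -U "$iface" flow-type udp4 src-ip "${cidr%/*}" \
        m "$(cidr_wildcard_mask "$cidr")" dst-port "$port" action -1 loc "$loc" || return 1
    rule_is_drop "$(ethtool -u "$iface")" "$loc"
}

# Constructed sample of `ethtool -u` output (mirrors the article's example)
# so rule_is_drop can be exercised on a machine without a Flow Director NIC.
SAMPLE_ETHTOOL_U='16 RX rings available
Total 1 rules

Filter: 42
        Rule Type: UDP over IPv4
        Src IP addr: 10.0.0.0 mask: 0.0.0.255
        Dest IP addr: 0.0.0.0 mask: 255.255.255.255
        TOS: 0x0 mask: 0xff
        Src port: 0 mask: 0xffff
        Dest port: 123 mask: 0x0
        Action: Drop'

# Usage on a real system:  sh fdir_drop.sh apply eth0 10.0.0.0/24 123 42
# Without "apply" the script only prints the composed rules and checks the sample.
if [ "${1:-}" = "apply" ] && [ "$#" -eq 5 ]; then
    shift
    apply_and_verify "$@"
else
    build_udp_drop_rule eth0 10.0.0.0/24 123 42
    build_blocklist_rules eth0 123 100 198.51.100.0/24 203.0.113.0/24
    rule_is_drop "$SAMPLE_ETHTOOL_U" 42 && echo "filter 42 verified in sample output"
fi
```

The composing functions only print command lines, so they can be reviewed (or fed to a change-control step) before anything touches the NIC; apply_and_verify is the only function that runs ethtool, and it stops at the first step the driver rejects rather than installing a rule on an interface where ntuple was never enabled.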
Leveraging Hardware Filtering in Fusion's SD-WAN Solution
Fusion's SD-WAN solution takes full advantage of advanced hardware filtering capabilities, ensuring that high-performance traffic management is achieved without overwhelming system resources. By integrating Intel Flow Director and similar hardware filtering technologies into its edge devices, Fusion's SD-WAN offloads traffic filtering tasks directly to the network interface card (NIC). This allows for more efficient traffic handling, even under heavy loads, and ensures that mission-critical services remain protected from attacks such as DDoS or other malicious traffic.
Key Benefits of Hardware Filtering in Fusion's SD-WAN:
Optimised Performance: By using hardware to filter traffic, Fusion's SD-WAN ensures that packet drops and filtering do not burden the CPU. This is crucial for maintaining high throughput on large-scale deployments, particularly in environments with 100 Gbps or higher network links.
Scalable Security: With hardware-based filtering, Fusion's SD-WAN can easily scale to handle large amounts of traffic while still being able to block unwanted packets based on source IP, protocol, or port—without affecting the overall network performance.
DDoS Mitigation: In the face of DDoS attacks, Fusion's SD-WAN can rapidly identify and block malicious traffic at the NIC level. This helps mitigate the risk of service degradation or downtime, ensuring that legitimate traffic can continue uninterrupted.
Resource Efficiency: By offloading filtering tasks to the hardware, Fusion’s SD-WAN allows the system to use available CPU resources for more productive tasks, such as service hosting or more sophisticated traffic management, while ensuring that filtering tasks are still performed efficiently at the hardware level.
With these hardware filtering capabilities, Fusion's SD-WAN ensures that networks remain fast, secure, and resilient, even when facing high volumes of malicious or non-essential traffic. This seamless integration of hardware acceleration for traffic management enhances the overall performance and reliability of the solution, offering businesses peace of mind in their network security posture.
Wrap
Hardware filters provide a robust and efficient way to handle high-throughput or malicious traffic scenarios, allowing systems to maintain performance and reliability. With tools like Intel Flow Director, organisations can leverage NIC-based filtering to optimise resources and ensure scalability, making it an essential part of any high-performance network architecture.
Written by Ronald Bartels