How to acceleterate Suricata performance by factor 4

For Intrusion Detection implementations, missing any significant fraction of network traffic is unacceptable, as even a single packet not inspected by the Intrusion Detection System (IDS) represents a blind spot for the security team.

Suricata IDS detects known threats, policy violations and malicious behaviors. However, as capable as Suricata is in reactively protecting a network, it will only be as effective as its implementation. Examining the contents of every network packet is extremely CPU-intensive, especially for a multi-gigabit traffic load. And this is often the limiting factor in Suricata performance: the packet processing on the CPU.

In addressing this challenge, Napatech has created a hardware acceleration solution that alleviates the load on the CPU and thereby greatly increases Suricata performance.

This solution is based on the Napatech LinkTM Capture Software, which is uniquely suited for lossless acceleration of Suricata. It offloads processing and analysis of networking traffic from the application software, while ensuring optimal use of the standard server’s resources leading to effective application acceleration.

Optimized to capture all network traffic at full line rate, with almost no CPU load on the host server (all frame sizes), the solution demonstrates substantial lossless performance advantages for Suricata compared to a standard Network Interface Card (NIC):

• 4x lossless packet performance
• 100% lossless capture of all network traffic
• 40% improvement in CPU utilization

These performance advantages ultimately allow you to:

• Maximize your server performance by improving CPU utilization
• Minimize your TCO by reducing number of servers, thus optimizing rack space, power, cooling and operational expenses
• Diminish your time-to-resolution, thereby enabling greatly increased efficiency

Outstanding Lossless Performance

The improvements achieved with this solution were demonstrated by comparing Suricata performance running on a Dell PowerEdge R740 with a standard 40G NIC card and the NT200.



Using 40 cores (80 worker threads) on both sockets, the Napatech NT200 with LinkTM Capture Software provides nearly 3x higher lossless Suricata packet throughput compared with a standard NIC when running Suricata with a 12,712-signature Emerging Threats ruleset.



Maximum Throughput

Running Suricata on all 40 cores, system throughput peaked at 34.8 Gbps with a standard NIC, while the NT200 delivered 52.4 Gbps – providing a full 50% higher maximum throughput.

Deterministic Performance

Nearly as important, the NT200 demonstrates deterministic performance, with virtually no variation in multiple test runs. In contrast, the standard NIC displays significant variations in performance across a set of measurements with an identical workload. This behavior is shown in the graph above, where the NT200 performance appears as a single sharp line indicating no variability.

For the standard NIC, the thick line represents the average throughput value and the surrounding shaded band indicates the variation from various trials. In simple terms, the NT200 offers guaranteed application performance while the standard NIC performance varies by as much as 50% in test runs with the same offered load.

Test Configuration

The test configuration was based on a dual-socket Dell R740 with the 2x40G SmartNIC NT200. Traffic was generated by PCAP replay of an actual network traffic capture comprising more than 125K flows with an average packet size of 486 bytes.

Key Solution Features

• Line rate network throughput for all packet sizes
• Lossless capture for perfect inspection and detection
• Onboard packet buffering during micro-burst or PCI Express bus congestion scenarios
• Advanced host memory buffer management for ultra-high CPU cache performance
• Packet classification, match/action filtering and zero-copy forwarding
• Intelligent and flexible load distribution to as many as 64 queues improving CPU cache performance by always delivering the same flows to the same cores

Napatech Link™ Capture Software

The stunning benchmarks for Suricata were powered by Napatech’s Reconfigurable Computing Platform™, based on FPGA-based Link™ Capture Software and Napatech SmartNIC hardware.

Napatech’s Reconfigurable Computing Platform flexibly offloads, accelerates and secures open, standard, high-volume and low-cost server platforms allowing them to meet the performance requirements for networking, communications and cybersecurity applications..

Suricata

Suricata is an ideal example of the type of critical enterprise security application that can achieve better performance through hardware acceleration.

Suricata is a free and open source network threat detection application capable of real time IDS, IPS and network security monitoring.

Suricata is architected with features specifically designed for performance and scalability:

• Multi-threaded code allows a single Suricata instance to utilize multiple CPUs
• Native support for specialized capture cards and hardware acceleration devices

Suricata can be compiled with native support for hardware acceleration based on the Napatech hardware and software. Instructions specific to building Suricata with support for Napatech are listed in the

Napatech Suricata Installation Guide available at: suricata.readthedocs.io

Last updated: July 15, 2022