Case Study

How OVHcloud Uses FPGAs to Mitigate DDoS Attacks

Many BittWare customers use our FPGA-based solutions for network packet processing, including defending quality of service in the presence of cyber attacks or runaway application code. In the case of OVHcloud, a hyperscale cloud provider in Europe, their customers are better protected from Distributed Denial of Service (DDoS) attacks. OVHcloud chose the XUP-P3R card (pictured) to build their most advanced filter for mitigating attacks, handling up to 200 Gbps per board.

What’s a DDoS Attack?

As internet connected devices and bandwidth have grown, a new threat has emerged: Distributed Denial of Service. This attack relies on a large number of typically compromised devices—home IP cameras for example with minimal default security—to be directed by the attacker in a mass attack on a single endpoint. From the target’s perspective, each device appears to be innocently requesting something on the server such as a web page. However, in an attack, the system is flooded with requests, rendering it unstable or unavailable. The system is overloaded, so it can’t process any legitimate requests coming in.

How Does OVHcloud Mitigate DDoS Attacks?

Like all cloud providers, OVHcloud invests in defending its customers against DDoS attacks. Anti-DDoS solutions work by monitoring networks, looking for attacks. It generally takes a few seconds to detect an attack. After detection, the OVHcloud solution updates routing rules to direct suspicious traffic at a “scrubbing” device.

OVHcloud has a uniquely developed scrubbing solution called VAC, which is short for vacuum. Each VAC includes several components interconnected at 600GbE. The most advanced of these components is an array of three “Armor” servers. Each Armor server has a two-socket motherboard stuffed with one XUP-P3R card. The card features an AMD FPGA and four 100GbE ports, with OVHcloud using two of these.

At OVHcloud, we believe protecting customers against DDoS attacks should never be an optional service. That’s the reason why we provide all our customers with an innovative high-performance protection. This “by design” approach of services availability is based on FPGA-based network processing cards from BittWare, part of the Molex group.
—Stéphane Nappo, CISO at OVHcloud

Two 100GbE ports multiplied by three Armor servers gives OVHcloud 600 Gbps of advanced scrubbing potential on each VAC they deploy. The OVHcloud solution also leverages the DPDK.org software infrastructure that BittWare has embraced.

See the OVHcloud page on Anti-DDoS Technology for details on the specific scrubbing functions that OVHcloud Armor performs.

Jumpstart your own solution using BittWare solutions

If you’re interested in creating your own unique anti-DDoS solution like OVHcloud did, you can start with BittWare’s SmartNIC Shell, which is a collection of IP that turns an FPGA card into a DPDK-based network card. Starting with the SmartNIC Shell IP lets you focus on supplying just the anti-DDoS filtering IP rather than starting from scratch. The SmartNIC Shell IP features two different implementations of a packet classifier: one using AMD’s SDNet’s P4 language and the other using C++ HLS.

On the hardware side, a key reason that customers select BittWare for networking applications is our support for QDR-II+ SRAM memory. SRAM has been required for tables too large to fit into internal FPGA memory. Cards with QDR-II+ options include XUP-P3R and XUP-VV8.