Update network access control lists 50X faster to protect against DDoS attacks using Algo-Logic’s FPGA-based countermeasures

How do you combat the growing number of distributed denial-of-service (DDoS) attacks? One way is simply to provision your network with a huge number of firewalls to withstand the attack, but that’s a very expensive – and somewhat unworkable – approach. A more economical and practical defense against DDoS attacks involves the creation of an access control list (ACL) with a whitelist of valid addresses and a blacklist of known or suspected malicious addresses. The ACL is then used to program L2/L3 network switches to filter incoming traffic before that traffic hits the network firewall appliances and potentially swamps them.

Use of an ACL is an effective countermeasure, but only if the blacklist can be updated quickly during the onset of a DDoS attack. Algo-Logic Systems has developed just such a countermeasure called Algo-Shield, which can filter through terabytes of incoming network packets to produce an updated ACL in seconds.

Algo-Shield helps to reduce DDoS mitigation latency by offloading the time-consuming computations needed to update a blacklist. Algo-Shield runs on an Intel® Stratix® 10 FPGA installed on an Intel FPGA Programmable Accelerator Card (PAC) D5005, as shown in the figure below.


Figure 1: Algo-Shield accelerates ACL management cycles, creating revised blacklists in seconds instead of many minutes.


In one application, the FPGA-accelerated Algo-Shield workload reduced the ACL-update processing cycle from 12 minutes to 14 seconds. That’s a 50X latency reduction.

To put this response time in perspective, Algo-Logic’s DDoS countermeasure is able to start protecting the network within 14 seconds instead of 12 minutes after the onset of a DDoS attack. For online transaction processing in the cloud, 12 minutes can represent a significant amount of lost business. The faster the network comes back online after the onset of a DDoS attack, the better.

For more information, see the Solution Brief titled “Stop DDoS Attacks before They Disrupt the Customer Experience” on the Intel FPGA Acceleration Hub Web Page.



Legal Notice and Disclaimers

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.

Intel does not control or audit third-party data. You should review this content, consult other sources, and confirm whether referenced data are accurate.

Cost reduction scenarios described are intended as examples of how a given Intel-based product, in the specified circumstances and configurations, may affect future costs and provide cost savings. Circumstances will vary. Intel does not guarantee any costs or cost reduction.

Intel, the Intel logo, Intel Xeon, Intel Arria, and Intel eASIC are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

Other names and brands may be claimed as the property of others.



Categories: Cloud, Networking, Stratix
Steven Leibson

About Steven Leibson

Be sure to add the Intel Logic and Power Group to your LinkedIn groups. Steve Leibson is a Senior Content Manager at Intel. He started his career as a system design engineer at HP in the early days of desktop computing, then switched to EDA at Cadnetix, and subsequently became a technical editor for EDN Magazine. He’s served as Editor in Chief of EDN Magazine and Microprocessor Report and was the founding editor of Wind River’s Embedded Developers Journal. He has extensive design and marketing experience in computing, microprocessors, microcontrollers, embedded systems design, design IP, EDA, and programmable logic.