123 Main Street, New York, NY 10001

Submit Your BOM

DDoS / IPS Appliance: Match ASICs, PHYs & Telemetry

DDoS / IPS Appliance: Match ASICs, PHYs & Telemetry

← Back to: Telecom & Networking Equipment

A DDoS/IPS appliance is a line-rate packet decision engine: it parses traffic, matches rules and state at worst-case packet rates, then applies deterministic actions (drop/police/redirect) while exporting evidence for verification. Its real success is measured not by headline Gbps, but by 64B Mpps, state/memory stability, and telemetry that can prove “why it dropped” and support safe rollback.

H2-1 · What it is & boundary: DDoS mitigation vs IPS (and what it is NOT)

A DDoS/IPS appliance is a line-rate traffic decision engine placed on or near the network edge to classify packets/flows and apply actions (drop, rate-limit, challenge, or redirect) with evidence-grade telemetry for tuning and field proof.

This page focuses on filter/match ASIC pipelines, multi-port Ethernet PHY I/O, and telemetry loops—not on full NGFW/proxy stacks.

Three practical definitions (engineering view):

  • DDoS mitigation prioritizes capacity control (bps/pps) and availability: absorb floods, keep legitimate traffic moving, and stabilize latency tails.
  • IPS prioritizes attack identification (signature/behavior/state) while keeping false positives and update risk under control.
  • This page covers the data-plane boundary: how match engines, state tables, port I/O, and telemetry determine what can be blocked safely at line rate.

Engineering boundary table (high-level; no cross-topic expansion):

Dimension DDoS mitigation IPS Firewall (high-level) CGNAT (high-level)
Primary objective Keep service up under floods Stop malicious patterns with low mis-block Policy enforcement / segmentation Translation at subscriber scale
Dominant bottleneck Mpps @ 64Bburst bufferingaction fan-out match coststate scalerule update safety policy depthsession tracking table scalelogs
Inspection depth L3/L4 + limited L7 hints (selective) Signatures/behaviors; may require visibility of key fields App/policy classification (high-level) Translation metadata (high-level)
State dependence Optional/limited (often rate + anomaly + sketches) Often strong (conn/flow state, counters, time windows) Strong (sessions/policy) Strong (mapping state)
Update risk Lower if actions are coarse; higher if many exceptions Higher: signatures/thresholds can spike false positives Medium–high Medium (operational)
Evidence must-have pps/bpstop talkersdrop reason per-rule hitdrop reasonversioned rules policy logs translation logs

Practical use: when throughput looks “fine” in Gbps but fails under real attacks, the root cause is usually Mpps, state pressure, or missing evidence (no stable “why it dropped”).

Not in scope (kept intentionally out of this page):

  • Full NGFW/proxy feature stacks, user policy engineering, and controller/orchestration architecture.
  • Subscriber/NAT/BRAS-scale designs, routing protocol internals, and optical transport subsystems.

References to those areas should remain as brief pointers via internal links, not as expanded sections.

Figure F1 — Boundary map: where a DDoS/IPS appliance sits
Security data-plane boundary DDoS Rate Anomaly Scrub Goal: Availability IPS Signature State Evidence Goal: Block attacks Firewall Policy App-ID Zones CGNAT Translate Scale Logs This page: DDoS + IPS data-plane hardware
Design intent: enforce a clean boundary—only DDoS/IPS data-plane elements are expanded in this page.

H2-2 · Deployment topologies: inline, bypass, out-of-path, and diversion (BGP high-level only)

Topology choice determines what can be enforced, how failures behave, and what evidence exists when an incident occurs. The same match pipeline can behave “great” in a lab but fail operationally if return paths, bypass behavior, or telemetry coverage are not engineered.

The four deployment patterns below are described by engineering outcomes (latency tail, fail-open/closed, path consistency), not by routing-protocol internals.

1) Inline (bump-in-the-wire) strong enforce

  • Strength: deterministic enforcement (drop/rate-limit/redirect) for all traversing traffic.
  • Engineering focus: latency tails (P99/P999), microburst buffering, and “under-attack” behavior—not just average latency.
  • Operational risk: software updates and rule activations must be staged/rollback-safe to avoid service disruption.

2) Inline with hardware bypass resilience

  • Purpose: define failure semantics: fail-open vs fail-closed, and preserve link continuity on power loss or watchdog events.
  • Must-have evidence: bypass-trigger logs + timestamped events; otherwise field incidents cannot be reconstructed.
  • Critical metric: bypass switching time and “what traffic is protected/unprotected during the switchover window”.

3) Out-of-path (TAP/SPAN + control injection) observe

  • Best for: detection and forensics when the network cannot tolerate inline risk.
  • Limitations: mirror paths may drop/samplerate packets; detection becomes biased under congestion.
  • Common pitfall: “looks blocked” in dashboards but enforcement misses real traffic due to asymmetric paths or incomplete mirrors.

4) Diversion (high-level) scrub & return

  • Idea: divert suspect traffic to a scrubbing appliance/cluster, then return clean traffic back to the network.
  • Engineering focus: return-path consistency, rollback triggers, and measurable “time-to-mitigate” under attack.
  • Scope note: only interface-level outcomes are covered here; routing protocol mechanics are intentionally out of scope.

Deployment acceptance checklist (what to validate before production):

  • Latency tails: measure P50/P99/P999 under mixed background traffic + attack load (not just no-load).
  • Failure semantics: confirm fail-open/closed + bypass switching time + event logging is complete and timestamped.
  • Path consistency: verify symmetric return for diverted/filtered flows; confirm enforcement hits “real” traffic, not just mirrors.
  • Evidence chain: confirm drop reason counters and rule-version identifiers survive incidents and can be exported reliably.
Figure F2 — Four deployment topologies (engineering outcomes)
Inline Inline + Bypass Out-of-path (TAP/SPAN) Diversion (scrub & return) Upstream Switch DDoS/IPS Service Upstream Switch DDoS/IPS Svc Upstream Switch Service DDoS/IPS Monitor Mirror Edge Network Scrubber Svc Divert Return
Diagram rule: keep labels minimal and focus on operational outcomes (enforce vs observe, bypass behavior, diversion + return consistency).

H2-3 · Data-plane pipeline: parse → classify → decide → act

A DDoS/IPS appliance succeeds or fails at line rate based on a simple rule: throughput is limited by the slowest stage. The data-plane is a fixed pipeline that must complete parsing, feature extraction, matching, and actioning within a strict per-packet budget.

Key KPI: pps (Mpps) is the first-order limit (especially at 64-byte packets), while Gbps alone can hide bottlenecks.

Stage 1 — Ingress & Parser

What it does: decapsulates and parses headers (L2–L4; optional fixed-offset L7 hints).

Budget pressure: deeper stacks (VLAN/QinQ, MPLS, IPv6 extensions) increase per-packet work.

Failure signature: Mpps collapses on “header-heavy” traffic even when large-packet Gbps looks fine.

Stage 2 — Classify & Key Build

What it does: builds keys (5-tuple, VLAN/MPLS, DSCP, custom selectors) and normalizes metadata.

Trade-off: coarse keys reduce state but widen blast radius; fine keys improve precision but explode table size.

Failure signature: rule changes swing false-block rate because the key granularity is misfit.

Stage 3 — Decide (Match + Score)

What it does: applies ACL/LPM, exact tables, behavioral counters, and scoring to produce a decision.

Budget pressure: memory touches and multi-engine lookups dominate; worst-case paths define capacity.

Failure signature: latency tails grow under attack as tables thrash or hot buckets collide.

Stage 4 — Act (Drop / Police / Shape / Redirect)

What it does: executes actions: drop, rate-limit (police), queue/shape, challenge/redirect, or tag.

Hidden cost: shaping/redirect often introduces buffering + state writes, creating tail latency risk.

Failure signature: match looks stable, but queues saturate and P99/P999 latency spikes.

Practical performance metrics (what to measure and why):

  • Mpps at 64B sets the ceiling for flood defense. If Mpps fails, “400G” marketing numbers are irrelevant.
  • Stage budget matters more than total compute: each stage must finish within its per-packet window.
  • Latency tails under attack (P99/P999) reveal queueing, table thrash, and expensive action paths.

Rule of thumb: if Gbps looks fine but drops appear only on small packets, suspect parser and match/memory stages first.

Figure F3 — Data-plane pipeline and the “slowest stage wins” rule
Parse → Key → Match → Decide → Act (line-rate pipeline) Throughput ≈ min(stage capacity) Ingress Multi-port I/O Parser L2–L4 (+ hints) Key Build 5-tuple VLAN/MPLS DSCP / tags Output: metadata Match ACL LPM Hash Score hits / scores Action Drop Police Shape / Redirect Egress to ports / uplink KPI: pps (64B) + tail latency under attack
Interpretation: improving a single block is useless if another stage becomes the limiting bottleneck.

H2-4 · Match engines: how “filter/match ASICs” actually match at line rate

“Matching” at line rate is not one technique. Practical appliances combine multiple engines so that expensive work is only triggered for a small subset of traffic. The core design problem is balancing: scale, update safety, per-packet cost, and error tolerance.

Typical pattern: approximate pre-filterexact trackingselective deep pattern (only when needed).

1) LPM / ACL (rule match)

Best for: prefixes, ranges, and multi-field policy filters.

Engineering cost: capacity is expensive; priority/overlap management affects update risk.

Failure signature: rule growth forces compression/splitting, increasing complexity and false blocks.

2) Exact match (hash tables)

Best for: large exact-key sets (flows, hosts, allow/deny lists).

Engineering cost: memory touches + collision behavior define tail latency under flood.

Failure signature: hot buckets/collisions cause jitter and uneven throughput across traffic mixes.

3) Regex / string patterns (selective)

Best for: deep patterns on a narrowed traffic subset.

Engineering cost: state-machine work is expensive; “always-on” deep matching breaks Mpps budgets.

Failure signature: enabling deep patterns drives P99/P999 latency and reduces headroom for floods.

4) Approximate structures (Bloom / Sketch)

Best for: fast pre-filtering, heavy-hitter detection, and anomaly hints at scale.

Engineering cost: controlled false positives; requires a second stage to confirm before blocking.

Failure signature: poor window/threshold tuning amplifies false positives and overloads exact stages.

Engineering trade-offs (decision checklist):

  • Rule scale: how many entries must be active simultaneously (and at what granularity)?
  • Update frequency: how often rules change, and how quickly rollback must restore safe behavior.
  • Per-packet work: number of lookups and memory touches on the worst-case packet path.
  • Error tolerance: whether controlled false positives (approximate pre-filters) are acceptable with exact confirmation.

Operational principle: keep deep/expensive matching gated behind cheap pre-filters and exact confirmation.

Figure F4 — Four match engines and what they output (hit vs score)
Match engines: TCAM / Hash / Regex / Sketch Inputs Prefix / ranges 5-tuple keys Bytes (subset) Counters / time Goal: produce hit/score TCAM ACL / LPM Output: Hit Hash Exact table Output: Hit / state Regex Deep patterns cost ↑ Output: Hit / score Sketch Approx detect fast Output: Suspect set Best practice: approx pre-filter → exact confirm → selective deep patterns
Use the outputs differently: Hit can trigger immediate actions; Score/Suspect set should gate deeper checks or exact confirmation.

H2-5 · State & memory: conn tables, counters, queues—why memory dominates

In real DDoS/IPS appliances, performance limits often come from state and memory behavior, not raw compute. Each packet can trigger multiple table lookups and updates (timestamps, counters, queueing), and the number of memory touches on the worst-case path is what collapses Mpps under stress.

Practical rule: if large-packet Gbps looks healthy but small-packet Mpps and latency tails fail, suspect state tables and buffers first.

State object 1 — Conn / flow tables

What it stores: 5-tuple state, last-seen timestamps, timeouts, SYN/ACK tracking, per-flow flags and scores.

Why it hurts: lookups are frequent and updates are write-heavy (last-seen, counters), especially under churn.

Typical failure: table full → eviction/jitter → false blocks or missed detection on new flows.

State object 2 — Counters (per-flow / per-prefix)

What it stores: rate/threshold counters, windowed statistics, heavy-hitter candidates and anomaly scores.

Why it hurts: high update frequency turns into write amplification; hot keys create uneven load.

Typical failure: wrap / window mismatch → thresholds misfire and block reasons “don’t match reality.”

State object 3 — Queues & buffers

What it stores: microburst absorption, shaping/policing queues, redirect staging, and packet buffering.

Why it hurts: buffering creates tail latency; a single blocked class can trigger head-of-line blocking.

Typical failure: queue depth spikes → P99/P999 latency jumps → drops appear “random.”

Why memory hierarchy matters

TCAM: rule-style matching (ACL/LPM); deterministic but capacity-expensive.

SRAM: fast metadata + hot state; low latency, limited capacity.

DDR/HBM: large state and history; high capacity, but random access is costly under attack churn.

Takeaway: capacity vs latency trade-offs shape the worst-case path, not the average case.

Failure signatures (symptom → likely root cause):

  • Table full → jitter / misses: occupancy peaks, evictions rise, new-flow behavior changes abruptly.
  • Rehash storm / hot buckets: collision pressure increases; latency tails grow despite stable average throughput.
  • Counter anomalies: wrap or window tuning issues create false triggers and inconsistent drop reasons.
  • Queue explosion / HOL blocking: microbursts saturate buffers; drops correlate with queue depth and wait time.

Telemetry that helps: table occupancy/evictions, collision indicators, per-reason drop counters, queue depth and queue wait time.

Figure F5 — “Memory wall”: which state maps to which memory (capacity vs latency)
State & memory mapping (memory wall) Capacity Latency trade-offs Data-plane Parser Match Flow state Counters Queues / buffers Failure signatures: occupancy ↑ · collisions ↑ · evictions ↑ · queue depth ↑ Memory wall TCAM SRAM DDR / HBM large state · history Packet buffer queues · microbursts parser rules hot lookups large state queueing
Interpretation: worst-case behavior is shaped by memory touch count, randomness, and queue depth—not by average compute utilization.

H2-6 · Crypto offload in DDoS/IPS: where it helps, where it doesn’t

Crypto offload helps when encryption work would otherwise consume the main packet path. But it does not automatically solve state-table pressure or buffering issues. The key boundary is visibility: pass-through keeps payload encrypted while optional termination enables deeper inspection at the cost of session and key-path complexity.

Within this appliance scope, crypto discussion stays at: offload placement, session scale, key loading rate, and failover behavior.

Where offload sits

MACsec: link-layer protection near ports; line-rate friendly, changes what headers remain visible.

IPsec: tunnel-layer protection; session/SA scale and replay windows matter under flood churn.

Optional TLS termination: mentioned only as a visibility/performance boundary (no proxy-stack details).

Helps vs doesn’t

Helps: shifts crypto compute and packet handling away from general processing paths.

Doesn’t: remove the need for state tables, counters, and queues; memory wall can remain the true bottleneck.

Practical design: use encrypted pass-through for scale; reserve termination for narrowed traffic.

Engineering KPIs

Handshake / new-session rate: how many sessions can be established per second under load.

Session table scale: maximum concurrent sessions and safe timeout behavior.

Key load / rotation rate: how quickly keys can be provisioned or rotated without traffic disruption.

Failover & telemetry

Failover behavior: what happens if the offload path fails (pass-through, drop, or degraded mode).

Telemetry must-have: decrypt failures, session misses, key-not-ready, and offload bypass counters.

Goal: ensure operators can attribute outages to sessions/keys vs state/queues.

Figure F6 — Crypto offload block (optional): encrypted pass-through vs terminate+inspect
Crypto offload (optional) — two paths Ingress Parser Crypto Offload (optional) Session Keys Match Action Encrypted pass-through metadata · behavior · rate no payload visibility Terminate + inspect Session table Key store offload engine · complexity ↑ Operator KPIs: new-session rate · session scale · key load rate · failover behavior
Interpretation: termination can improve visibility but shifts the bottleneck to sessions, keys, and failover semantics.

H2-7 · Multi-port Ethernet PHYs & timing: throughput, latency, and worst-case packets

A DDoS/IPS appliance lives at the boundary where ports become packets. Multi-rate Ethernet ports (10/25/50/100/200/400G) are only “usable” when the PHY chain keeps the link stable and predictable. The practical objective is to keep BER events from amplifying into retries, jittery latency, and misleading measurements upstream.

This section stays at the appliance port-to-pipeline boundary (PHY / retimer / PCS-FEC → packet I/O). It does not describe switch/router architectures.

PHY chain roles (what can be verified)

PHY: turns line signaling into stable symbols; link errors show up as retries, drops, or unstable counters.

Retimer: restores margin so high-speed lanes stay clean under real layouts and optics/cables.

PCS/FEC: reduces error amplification, but may add latency and change tail behavior under stress.

Verify: port utilization + error indicators + corrected/uncorrected events + drop-by-reason alignment.

Worst-case is Mpps, not Gbps

Why it matters: a link can look “fine” on large packets but fail at full line rate with min-size packets.

What to test: compare Mpps @ min-size vs Gbps @ large packets on identical policies.

Red flag: stable Gbps with collapsing Mpps usually indicates per-packet overhead or buffering pressure.

Burst absorption & buffering symptoms

Microbursts: short spikes can overflow buffers even if average utilization is moderate.

What to watch: queue depth spikes, short-lived drops, and tail latency jumps.

Goal: correlate port bursts to queueing and drop reasons (not just “link up/down”).

Timing impact (only the appliance view)

FEC latency: extra processing can shift P99/P999 latency and distort “when” events appear.

Timestamp quality: jitter and unstable paths reduce confidence in packet timing evidence.

Verify: timestamp variance under load and whether exported time aligns with drop counters.

Figure F7 — Multi-port ports → PHY/Retimer/PCS-FEC → Packet I/O → Pipeline (worst-case = min-size packets)
Multi-port Ethernet boundary (ports → packets) Worst-case: min-size @ line rate Ports 10–400G Port 1 Port 2 Port 3 Port 4 Port 5 Port 6 Port 7 Port 8 Port 9 Port 10 PHY chain PHY Retimer PCS / FEC Packet I/O Ingress DMA Packet parser Pipeline Verify: Mpps vs Gbps · burst · FEC latency Timing impact: timestamp quality under load
Interpretation: link stability can hide errors, but worst-case packets and buffering expose per-packet limits and tail-latency effects.

H2-8 · Telemetry & evidence: counters, sketches, timestamps, and “why it dropped”

Telemetry is not optional in a DDoS/IPS appliance. Without a tight evidence loop, it is impossible to prove effectiveness or avoid false blocks. The minimum requirement is explainability: every action needs a clear “why it dropped” reason that correlates with time, samples, and policy versions.

This section focuses on appliance-level counters and export/feedback loops, not on SIEM/SOC architecture.

Minimum viable telemetry

Per-rule hit: rule-level counters that show what actually matched.

Per-action reason: drop / rate-limit / redirect reasons as separate buckets.

Traffic shape: pps/bps, SYN rate, fragment/ICMP anomalies, and min-size pps indicators.

Structure signals (fast but informative)

Top-N talkers: “who dominates” at any moment (watch sampling bias).

Entropy: distribution changes that often precede volumetric floods.

Sketches (high-level): approximate heavy hitters to narrow down what to inspect deeper.

Evidence chain (for replay and audit)

Timestamps: align events and exports in time.

Samples: packet snippets or sampled flows to validate decisions.

Logs + policy versions: preserve “what changed” and enable rollback decisions.

Why it “looks stable” but is wrong

Sampling bias: partial visibility mislabels top talkers and rates.

Mirror loss: SPAN/TAP drops under load create survivor bias.

Time/export issues: unsynced clocks or export congestion shift evidence out of alignment.

Closed-loop workflow (what to enforce):

  • Detect: anomaly triggers (pps/bps, entropy, SYN rate, heavy hitters).
  • Verify: correlate drop reasons with timestamps and packet samples.
  • Adjust: tune thresholds/rules with a recorded policy version and rollback plan.
  • Deploy: measure the before/after delta in false blocks, misses, and tail latency.

If “why it dropped” cannot be reconstructed later, the appliance becomes a black box and operational risk rises quickly.

Figure F8 — Telemetry tap → export → collector → feedback loop (detect → verify → adjust → deploy)
Telemetry & evidence loop (explain “why it dropped”) Data plane Match + actions Counters per-rule hit · drop reason Evidence timestamps · samples · logs Telemetry tap top-N · entropy Export gRPC NetFlow IPFIX Collector correlate why dropped Feedback rule tuning · thresholds · policy version Loop: Detect Verify Adjust Deploy explainability: “why it dropped”
Interpretation: evidence quality depends on aligned time, unbiased samples, and per-reason counters—otherwise “stable” dashboards can still be wrong.

H2-9 · Rule lifecycle: safe updates, rollback, and blast-radius control

A DDoS/IPS appliance must change continuously (rules, signatures, and detection models) without turning production traffic into a test bench. The device-side lifecycle should treat every change as a versioned artifact that is staged, activated, validated, and either promoted or rolled back using objective signals.

This section describes device-side mechanisms only (compile/stage/activate/monitor/rollback). It does not describe SDN or centralized controller architectures.

Lifecycle pipeline (device-side)

Draft: candidate policy artifact (rule/signature/model) prepared for build.

Compile: normalized + validated into a device-executable form with sanity checks.

Stage: distributed to the device but not yet affecting traffic.

Activate: an explicit cutover point that is logged and traceable.

Monitor: evidence collection to confirm effects (drop reasons, latency, resources).

Promote / Rollback: finalize as stable or revert immediately.

Blast-radius control (canary rollout)

By port: enable on a subset of ingress ports first.

By prefix / service group: apply only to a limited traffic slice.

By traffic class: restrict scope using coarse classifiers (low-risk first).

Goal: changes should be observable and reversible before full exposure.

Version alignment (avoid false conclusions)

Policy version: the exact rule/model build ID used for decisions.

Telemetry schema: counter names, drop-reason enums, sampling modes.

Requirement: every event export and log record should carry both versions so “before/after” comparisons remain valid.

Fast rollback (objective triggers)

False blocks ↑ (normal traffic impacted beyond baseline).

P99 latency ↑ (tail behavior degrades after activation).

CPU/Mem ↑ (state pressure or reprocessing spikes).

Rollback action: revert to last stable artifact or a reduced “low-risk” set.

Operational minimum: “Activate” must be a single, logged cutover point. “Rollback” must restore the previous behavior without manual rebuild.
Figure F9 — Rule lifecycle state machine with rollback triggers
Device-side rule lifecycle (safe updates + rollback) Draft Compile Stage Activate Monitor drop reasons · latency · resources Rollback restore stable version Promote mark as stable False blocks ↑ P99 latency ↑ CPU/Mem ↑ Align versions: policy_version + telemetry_schema
Interpretation: controlled activation plus objective rollback triggers reduces operational risk and prevents large blast-radius failures.

H2-10 · Validation & test: replay, traffic generation, and measuring false positives/negatives

Validation must prove three things: functional correctness, performance limits, and detection quality. A result is not “done” until throughput and latency are measured under the worst-case packet mix and the false-block / miss rate is quantified with reproducible evidence.

This section focuses on test methods and acceptance metrics around a DDoS/IPS appliance. It does not describe production network orchestration.

Layer 1 — Functional correctness

Actions: drop / rate-limit / redirect / tag should match the intended policy behavior.

Explainability: “drop reason” buckets must be stable and traceable to the active version.

Cross-check: per-rule hits align with injected traffic slices and expected matches.

Layer 2 — Performance limits

Must test: 64B min-size Mpps and mixed packet sizes under sustained load.

Must test: burst/microburst behavior (queue spikes, transient drops).

Measure: bps + pps, loss curve, and latency distribution (P50/P99/P999) with jitter.

Layer 3 — Replay + background mix

Attack replay: PCAP replay provides ground truth for detection outcome comparisons.

Background mix: representative normal traffic prevents “clean lab” overfitting.

Goal: verify policy effects under realistic interference and timing.

False positives / false negatives (quantify)

False positive: normal traffic impacted by actions (count and rate by service slice).

False negative: injected attack traffic not blocked or not tagged as expected.

Method: compare ground truth labels to per-reason counters and sampled evidence.

Acceptance checklist (example structure):
  • Worst-case: min-size packet Mpps meets target under the intended policy set.
  • Latency: P99/P999 remains within budget for the background mix.
  • Quality: false blocks and misses are measured against labeled replay data.
  • Evidence: drop reasons + timestamps + samples + versions support a complete after-action review.
Figure F10 — Testbed: traffic generation → DUT → sink + tap → analyzer/collector (counter compare)
DDoS/IPS validation testbed (replay + mix + evidence) 64B Mpps P99 / P999 FP / FN Drop reasons Traffic Gen Replay pcap labels Background mix normal traffic Packet size mix 64B … jumbo DUT DDoS / IPS Appliance policy version + drop reasons Sink throughput + loss Tap Analyzer Collector + counter compare Latency probe (P50/P99/P999)
Interpretation: reproducible replay + background mix enables FP/FN measurement, while worst-case packets and tail latency quantify performance risk.

H2-11 · BOM / IC selection checklist: criteria + example part numbers

This checklist is intentionally criteria-first, but it also includes example PNs as searchable anchors. The goal is to keep selection tied to the appliance’s real bottlenecks: 64B pps, match depth, state/memory pressure, and telemetry evidence.

Example PNs are not endorsements. Final selection depends on throughput targets, rule/state scale, latency budget, power/thermal limits, and supply constraints.

1) Data plane engine (filter/match ASIC / NPU / FPGA)

  • Line-rate in worst case: validate Mpps at 64B (not only “Tbps”).
  • Rule scale & type: LPM/ACL/Exact + optional regex/substring depth; clarify “active” vs “stored” rules.
  • Rule update churn: update latency and whether updates stall data plane.
  • Per-packet budget: feature extraction + match + action cycles/packet; identify stage bottlenecks.
  • State pressure: flow tables/counters and how timeouts/rehash behave under attack.
  • Action set: drop/police/shape/redirect/tag plus deterministic “drop reason” emission.
  • Power: W per Gbps/Mpps; throttling behavior under thermal limit.

Example PNs (searchable references):

  • Marvell OCTEON TX2 DPUCN92xx / CN96xx / CN98xx (security accel + DPI class capabilities).
  • Broadcom Stingray SoCBCM58800 (integrated NIC + compute offload class reference).
  • Intel IPU ASICE2000 (programmable packet processing offload reference).
  • FPGA route (family-level anchor) — use when rule/pipeline changes are frequent; validate pps/latency with real images and update path.

2) State & memory (tables, counters, queues)

  • State sizing: max concurrent flows, timeouts, SYN tracking, per-prefix/per-rule counters.
  • Memory wall mapping: which structures sit in TCAM/SRAM vs DDR/HBM; confirm latency sensitivity.
  • Update concurrency: counter increments + table inserts under load (avoid “rehash storms”).
  • Queue/buffer behavior: microburst absorption vs added latency; define drop policy under saturation.
  • Failure modes: table-full oscillation, counter wrap, buffer bloat → tail latency explosion.

Example “PN anchors” (keep this minimal on purpose):

  • DDR5 (device-class anchor) — choose by capacity, bandwidth, and temperature grade; validate state table + export buffering together.
  • TCAM/SRAM (function-class anchor) — verify rule depth, bank behavior, and update impact on forwarding.

Memory PNs vary heavily by platform integration; the higher-value checklist is the table/queue sizing and failure-mode verification.

3) Multi-port Ethernet PHY / retimer / PCS-FEC

  • Port density: 10/25/50/100/400G mix and lane counts; verify SerDes speed class (NRZ vs PAM4).
  • FEC impact: added latency + burst tolerance; confirm what is terminated/regenerated on the board.
  • Link stability: BER margin, eye/PRBS diagnostics, error counters and reporting granularity.
  • Retimer necessity: channel loss budget (connectors/backplane/cable) and jitter tolerance.
  • Worst-case packets: confirm packet I/O path sustains min-size pps without hidden head-of-line stalls.

Example PNs (searchable references):

  • Marvell Alaska C PHY88X7120 (112G PAM4 PHY reference class).
  • TI retimerDS280DF810 (8-channel multi-rate retimer reference class).

4) Telemetry/export + evidence + OOB management

  • Export throughput: telemetry pipeline must not congest under attack (buffering + loss handling).
  • Evidence chain: per-rule hit, per-action drop reason, timestamps, policy version ID, sampling mode.
  • Counter semantics: granularity, reset/rollover behavior, and correlation to replay labels.
  • Time alignment: timestamp quality sufficient to correlate “why it dropped” with traffic events.
  • OOB security: secure boot + firmware integrity for management path.

Example PNs (searchable references):

  • ASPEED BMCAST2600 (OOB management controller anchor).

5) Power sequencing, hot-swap, thermal controls

  • Sequencing: deterministic rail order, reset gating, and fault latching with logs.
  • PMBus observability: voltage/current/temperature + event history; align with telemetry evidence.
  • Hot-swap/inrush: safe insertion/removal and controlled ramp; verify behavior during brownouts.
  • Thermal redundancy: fan control + sensors; derating strategy to avoid sudden packet drops.
  • Fault policy: define fail-open/fail-closed decisions for data ports vs management.

Example PNs (searchable references):

  • TI PMBus sequencer/monitorUCD90120A (multi-rail sequencing + monitoring).
  • ADI hot-swap controllerLTC4282 (inrush control + I²C monitoring).

“Do not get fooled by datasheets” — verification checklist

  • “400G / Tbps line rate” must be paired with 64B min-size Mpps under the intended rule set.
  • Rule count must clarify: active vs stored, bank behavior, update stalls, and worst-case action path.
  • Crypto support must clarify: pass-through vs terminate+inspect, session table scale, and key/firmware trust path.
  • Telemetry support must clarify: export backpressure, sampling bias, counter granularity, and timestamp alignment.
  • Thermal limits must clarify: throttling mode and whether it silently degrades packet handling or telemetry.
Figure F11 — Modular BOM tree: data plane / memory / ports / telemetry / power
BOM tree (criteria-first) for DDoS / IPS Appliance DDoS / IPS Appliance match · state · ports · telemetry power · thermal · evidence Data Plane • 64B Mpps • rule types • update churn • action set Memory • state scale • table-full modes • queue/buffer • rehash storms Ports • density / lanes • FEC latency • BER diagnostics • retimer need Telemetry • drop reasons • export throughput • timestamps • version IDs Power & Thermal • sequencing • PMBus logs • hot-swap/inrush • derating policy Tip: Always validate “Tbps” with 64B Mpps + active rule set + telemetry export under stress
Interpretation: a usable BOM is a bottleneck map—each module is chosen to preserve worst-case pps and to explain decisions with evidence.

Request a Quote

Accepted Formats

pdf, csv, xls, xlsx, zip

Attachment

Drag & drop files here or use the button below.

FAQs — DDoS / IPS Appliance (traffic-filter/match ASICs, PHYs, telemetry)

Short, engineering-focused answers. Scope stays on device-side data plane, match/state scaling, observability, and validation.

1) DDoS mitigation and IPS—where is the practical boundary in appliances?H2-1
DDoS mitigation is optimized to survive floods: rate/anomaly handling at L3/L4 (and limited L7 signals) to keep services reachable under extreme pps/bps. IPS focuses on identifying malicious behaviors (signatures/heuristics/stateful patterns) while minimizing false blocks. Many appliances combine both, but the design center differs: capacity-first scrubbing versus precision-first blocking with evidence and rollback.
2) Inline vs out-of-path: when does monitoring mode fail to stop real attacks?H2-2
Out-of-path (TAP/SPAN) sees traffic but cannot reliably enforce actions on the forwarding path, so it cannot stop volumetric floods or fast scans without a separate enforcement point. Inline deployments can drop/police/redirect at line rate, but they must handle reliability: bypass/fail-open behavior, cutover time, and deterministic action under fault conditions. If enforcement is required, monitoring-only modes are insufficient by design.
3) Why does a box meet Gbps throughput but fails on Mpps (64B packets)?H2-3/H2-7
Gbps headline numbers hide per-packet fixed costs. With 64B packets, the limiting factor is packets-per-second and the per-stage cycle budget (parse → feature → match → action). A single slow stage caps end-to-end throughput. Port-side “worst case” is min-size packets at full line rate, often exposing parser/match/action bottlenecks, queue contention, or telemetry taps. Validate using 64B + mixed sizes with the real active rule set.
4) TCAM vs hash vs regex engines—what breaks first as rules scale?H2-4/H2-5
Different engines fail differently. TCAM hits capacity/power and can become expensive to update at high churn. Hash tables scale for exact matches but can suffer from collisions, rehash storms, or worst-case lookup variability under attack patterns. Regex/multi-pattern matching is compute/state heavy and often becomes the first throughput victim. As rule sets grow, memory bandwidth and update concurrency (counters/state) frequently dominate, not raw compute.
5) Why do conn tables “melt down” under SYN floods or scan storms?H2-5
SYN floods and scan storms maximize state churn: rapid allocations, short timeouts, and heavy counter updates. Once tables approach saturation, systems can oscillate—evicting, re-inserting, and triggering rehash/compaction work that steals bandwidth from the data plane. Typical symptoms include rising tail latency, jitter, and unstable drop behavior. The fix is device-side: control state creation, isolate half-open tracking, and design for graceful “table-full” behavior with clear drop reasons.
6) How to rate-limit without killing legitimate bursts (token bucket pitfalls)?H2-3/H2-5
Token buckets are easy to misconfigure because legitimate traffic is bursty and microbursts are amplified by buffering. If burst size is too small, normal fan-in events get penalized; if too large, attacks slip through before policing reacts. Rate limiting must be evaluated together with queue/buffer dynamics and per-class policies, not as a single knob. Safe practice is staged rollout, per-slice thresholds, and validation with mixed background traffic plus attack replay.
7) Does decrypting traffic always improve security, or just destroy performance?H2-6
Decryption increases visibility for deeper inspection, but it can also shift the bottleneck to session tables, handshake rate, key handling, and failure behavior. Encrypted pass-through limits inspection to metadata and behavioral signals, but it preserves throughput and simplifies trust boundaries. The decision should be metric-driven: handshake pps, concurrent sessions, key load/update rate, and deterministic behavior during faults. In many appliances, selective termination is safer than universal termination.
8) How to prove drops are correct (drop reason, evidence chain, replay)?H2-8/H2-10
“It dropped” is not evidence. A defensible decision needs a chain: (1) a stable drop-reason taxonomy, (2) timestamps aligned to exported telemetry, (3) policy/version identifiers, and (4) optional samples that confirm match context. Replay testing closes the loop: labeled pcap replays plus realistic background mix should reproduce counters and drop reasons within expected tolerances. Without this, troubleshooting becomes guesswork and false positives go unnoticed.
9) Why do false positives spike after rule updates, and how to rollback safely?H2-9
False positives spike when a new rule widens coverage, changes thresholds, or increases state pressure so that benign flows resemble attack signatures under load. Safe updates are device-side: compile and stage artifacts, activate with canary scope (ports/prefixes/service slices), and monitor objective signals (false blocks, P99 latency, CPU/memory watermarks). Rollback must restore the last stable artifact quickly, and telemetry must carry policy version and schema IDs to make comparisons valid.
10) What telemetry signals best indicate a real attack vs a flash crowd?H2-8
Single metrics mislead. Attacks often show abnormal distributions: sudden entropy changes in source IPs, SYN/ACK imbalances, fragment/ICMP anomalies, or extreme top-N talker concentration. Flash crowds can raise pps/bps but usually preserve “normal” protocol and timing structure. The most useful view is multi-signal: per-action drop reasons, pps/bps, top talkers, entropy, and time-aligned event logs. Also account for sampling bias and exporter congestion to avoid false conclusions.
11) How to design validation tests that correlate with field reality (pcap mix, latency tails)?H2-10
Field-correlated validation requires three layers: correctness, limits, and quality. Measure worst-case pps using 64B packets and mixed sizes under the active rule set. Use labeled pcap replays for attack flows and blend with realistic background traffic to expose interference effects. Report latency distributions (P50/P99/P999) and jitter, not just averages, and quantify false positives/negatives by comparing ground-truth labels to drop-reason counters and evidence samples.
12) What selection criteria matter most for a DDoS/IPS appliance BOM?H2-11
The BOM should map to bottlenecks. Data-plane engines must sustain min-size Mpps with the intended match depth and update churn. Memory must support state/counters/queues without table-full oscillation or rehash storms. Multi-port PHY/retimer choices must preserve link stability and bound FEC/retiming latency while providing diagnostics. Telemetry/export must survive attack conditions (buffering and loss handling) and preserve evidence (timestamps, drop reasons, version IDs). Power/thermal design must avoid throttling that silently degrades packet handling.

Tip: For SEO, keep question text consistent between on-page FAQ and JSON-LD, and keep answers concise and verifiable.

icnavigator

ICNavigator helps engineers find verified ICs, alternatives, and fast quotes.

Explore
Categories
  • Power Management
  • MCU
  • Automotive ICs
  • Sensors
  • Interface & Transceivers
  • Analog Front-End
Get in Touch
  • Email: hello@icnavigator.com
  • WeChat/WhatsApp: +86-xxxx

© 2025 ICNavigator. All rights reserved.