Achieving 100Gbps intrusion prevention on a single server
Achieving 100 Gbps intrusion prevention on a single server, Zhao et al., OSDI’20. Papers-we-love is hosting a mini-event this Wednesday (18th) where I’ll be leading a panel discussion including one of the authors of today’s paper choice: Justine Sherry. Please do join us if you can.

Achieving 100 Gbps intrusion prevention on a single server is a remarkable feat that highlights the potential of modern hardware and innovative system design. This paper, authored by Zhao et al., was presented at OSDI’20 and is now being discussed in a mini-event hosted by Papers-we-love on Wednesday, the 18th. The event features a panel discussion led by the host, with one of the authors, Justine Sherry, participating. Attendees are encouraged to join this engaging discussion to delve deeper into the intricacies of this groundbreaking work.
The case for this level of performance on a single server stems from a combination of Jevons paradox and the growing interconnectedness of systems. Jevons paradox is the observation that making a resource cheaper or more efficient to use tends to increase its total consumption rather than reduce it; in networking, faster and cheaper links mean ever more traffic, and the more interconnected systems become, the more of that traffic has to be inspected. Security and protection therefore have to keep pace with link speeds, which calls for new approaches.
There are three primary ways to increase capacity: increasing the number of units in a system, improving the efficiency of coordinating work across units, and increasing the work done on a single unit. Options 1 and 2 are typically referred to as "scale out," while option 3 is known as "scale up." While scale-out architectures have dominated the cloud era due to their flexibility and scalability, it is essential to periodically revisit the capabilities of a single server or even a single thread.
Pigasus, the Intrusion Detection/Prevention System (IDS/IPS) presented in this paper, exemplifies the potential of scale-up. Traditionally, CPUs have been surrounded by accelerators, with the CPU coordinating and calling out to these accelerators. However, Pigasus inverts this control flow, placing the FPGA at the helm and relegating the CPU to a supportive role. This innovative design allows for unprecedented performance, achieving 100 Gbps intrusion prevention on a single server.
IDS/IPS systems monitor network flows and match incoming packets against a set of rules known as signatures. These signatures can include patterns matching against headers, packet content, exact string matches, and regular expressions. Pigasus's architecture enables it to process these signatures at an astonishing speed, making it a powerful tool in the fight against cyber threats.
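To make the signature-matching workload concrete, here is a small added example (not code from the paper or from Pigasus) that models the rule types listed above: header predicates, exact content strings and a regular expression, applied to a few constructed packets. It is structured as two stages, a cheap prefilter that checks headers and the first content string for every packet, followed by full evaluation (all content strings plus the regex) only for the rules that survive the prefilter. That split mirrors the FPGA-first, CPU-second division of labour described above in spirit only; the exact stage boundary, the `Rule` and `Packet` types, the rule set and the packets are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Minimal packet view: transport protocol, ports and reassembled payload."""
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    """A simplified signature: header predicates, content strings and an optional regex."""
    sid: int
    proto: str
    dst_port: Optional[int] = None          # None means "any destination port"
    contents: List[bytes] = field(default_factory=list)  # exact byte strings, all must be present
    pcre: Optional["re.Pattern[bytes]"] = None           # full regular expression, evaluated last
    msg: str = ""


# Constructed rule set for the example; signature ids and messages are placeholders.
RULES = [
    Rule(1, "tcp", 80, [b"GET ", b"/admin"], None, "HTTP request for /admin"),
    Rule(2, "tcp", 80, [b"User-Agent:"],
         re.compile(rb"User-Agent:[^\r\n]*ExampleScanner"), "known scanner user agent"),
    Rule(3, "tcp", None, [], re.compile(rb"PASS\s+\S{0,3}\r\n"), "very short FTP password"),
]


def header_match(rule: Rule, pkt: Packet) -> bool:
    """Stage 1a: protocol and destination-port predicates."""
    return rule.proto == pkt.proto and (rule.dst_port is None or rule.dst_port == pkt.dst_port)


def prefilter(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Stage 1: cheap, high-recall filter using headers and only the first content string.
    Every packet goes through here, so the work per rule is kept to a substring test."""
    candidates = []
    for rule in rules:
        if not header_match(rule, pkt):
            continue
        if rule.contents and rule.contents[0] not in pkt.payload:
            continue
        candidates.append(rule)
    return candidates


def full_match(rule: Rule, pkt: Packet) -> bool:
    """Stage 2: all content strings and the regular expression, run only on candidates."""
    if any(c not in pkt.payload for c in rule.contents):
        return False
    if rule.pcre is not None and rule.pcre.search(pkt.payload) is None:
        return False
    return True


def inspect(rules: List[Rule], pkt: Packet) -> Tuple[List[int], int]:
    """Return (matching signature ids, number of rules that reached stage 2)."""
    candidates = prefilter(rules, pkt)
    hits = [r.sid for r in candidates if full_match(r, pkt)]
    return hits, len(candidates)


# Constructed sample traffic; these payloads were written for the example, not captured.
PACKETS = [
    Packet("tcp", 40001, 80, b"GET /admin/login HTTP/1.1\r\nHost: example\r\n"
                             b"User-Agent: ExampleScanner/1.0\r\n\r\n"),
    Packet("tcp", 40002, 443, b"GET /admin HTTP/1.1\r\n"),      # wrong port for rules 1 and 2
    Packet("tcp", 40003, 21, b"PASS ab\r\n"),                    # only rule 3 applies
    Packet("tcp", 40004, 80, b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]


def run() -> List[Tuple[List[int], int]]:
    """Inspect every sample packet and return the per-packet (hits, candidate count)."""
    return [inspect(RULES, p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, (hits, n_candidates) in zip(PACKETS, run()):
        names = [r.msg for r in RULES if r.sid in hits]
        print(f"dst_port={pkt.dst_port:<4} stage2_rules={n_candidates} hits={hits} {names}")
```

The fourth packet shows the point of the two-stage design: it reaches stage 2 for three rules because the prefilter is deliberately permissive, but none of them fully match, so the expensive regex work is wasted only on a small candidate set rather than on every rule for every packet.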
The paper's authors have demonstrated that by leveraging the capabilities of a single server and optimizing the interaction between the CPU and FPGA, it is possible to achieve remarkable performance in intrusion prevention. This work not only pushes the boundaries of what a single server can accomplish but also challenges the traditional scale-out approach to system design.
In conclusion, the achievement of 100 Gbps intrusion prevention on a single server is a testament to the potential of innovative hardware and system design. By inverting the control flow between the CPU and FPGA, Pigasus has set a new standard for IDS/IPS systems. This groundbreaking work serves as a reminder that scale-up solutions can offer significant advantages over traditional scale-out architectures, particularly in the context of high-performance security systems. As the demand for robust security continues to grow, solutions like Pigasus will play a crucial role in safeguarding networks and systems against evolving threats.