If you've ever wondered how massive cloud companies keep their services running when thousands of hacked devices try to take them down at once, the answer involves some seriously specialized hardware. OVHcloud, one of Europe's biggest cloud providers, handles this problem with FPGA cards that can filter through 200 gigabits per second of network traffic per board.
Picture this: someone hacks a bunch of internet-connected security cameras, smart fridges, and routers—devices that ship with terrible default passwords. Then they turn all those devices into a zombie army, instructing them to spam requests at a single target server. From the server's perspective, it looks like millions of legitimate users all showed up at once asking for web pages or data.
The server gets overwhelmed trying to respond to everyone and eventually crashes or becomes so slow it's unusable. That's when legitimate customers can't access the service anymore. The attack doesn't need to be sophisticated—it just needs volume.
OVHcloud runs continuous monitoring across their network infrastructure looking for suspicious patterns. When an attack gets detected—usually within a few seconds—their system automatically reroutes the flood of bad traffic to what they call a "scrubbing" device.
Their scrubbing solution goes by the name VAC, which stands for vacuum. Each VAC unit connects several components together with 600 gigabit Ethernet links. The heavy lifting happens in three specialized "Armor" servers, each equipped with an XUP-P3R FPGA card.
These cards pack an AMD FPGA chip with four 100 gigabit Ethernet ports. OVHcloud uses two ports per card, giving them 200 Gbps processing power per server. Multiply that by three Armor servers and you get 600 Gbps of attack-filtering capacity per VAC deployment.
Regular CPUs process instructions one step at a time, which creates a bottleneck when you need to inspect millions of network packets per second. FPGAs are different—they're reconfigurable chips that can be programmed to handle specific tasks in parallel. For network packet inspection, this means examining multiple data streams simultaneously without the delays you'd see with traditional processors.
OVHcloud's implementation uses DPDK, which is open-source software designed to speed up packet processing. The FPGA cards act like specialized network adapters that can make intelligent filtering decisions at wire speed before traffic even reaches the main CPU.
The system also relies on QDR-II+ SRAM memory, which provides the fast lookup speeds needed when checking incoming packets against filtering rules. This type of memory sits between the FPGA's internal memory (too small for complex rule sets) and regular RAM (too slow for real-time filtering).
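To put numbers on filtering "at wire speed", the following added example (not OVHcloud's code) computes the packet rate and per-packet time budget for the line rates quoted above. It goes slightly beyond the text by accounting for standard Ethernet framing overhead; the 100 ns lookup latency is an illustrative assumption, not a measured figure for any memory type.

```c
#include <stdio.h>

/* On-wire overhead per Ethernet frame: 7 B preamble + 1 B SFD + 12 B inter-frame gap. */
#define WIRE_OVERHEAD_BYTES 20.0

/* Packets per second at a line rate in Gbit/s; frame_bytes includes the FCS. */
double packets_per_second(double gbps, double frame_bytes)
{
    return gbps * 1e9 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8.0);
}

/* Nanoseconds until the next packet arrives: the budget for one filter decision. */
double ns_per_packet(double gbps, double frame_bytes)
{
    return 1e9 / packets_per_second(gbps, frame_bytes);
}

/* Lookups that must be in progress at once when a single rule lookup takes
 * lookup_latency_ns (an input, assumed by the caller) and one is needed per packet. */
int lookups_in_flight(double gbps, double frame_bytes, double lookup_latency_ns)
{
    double ratio = lookup_latency_ns / ns_per_packet(gbps, frame_bytes);
    int whole = (int)ratio;
    return ((double)whole < ratio) ? whole + 1 : whole;   /* round up */
}

int main(void)
{
    /* Rates from the article: one 100 GbE port, one card (2 ports), one VAC (3 cards). */
    const double rates_gbps[] = { 100.0, 200.0, 600.0 };
    const double frames[] = { 64.0, 512.0, 1518.0 };      /* min, mid, max standard frame */
    const double assumed_latency_ns = 100.0;              /* illustrative assumption only */

    printf("%8s %8s %12s %10s %10s\n", "Gbit/s", "frame B", "Mpps", "ns/pkt", "in flight");
    for (int r = 0; r < 3; r++)
        for (int f = 0; f < 3; f++)
            printf("%8.0f %8.0f %12.2f %10.2f %10d\n", rates_gbps[r], frames[f],
                   packets_per_second(rates_gbps[r], frames[f]) / 1e6,
                   ns_per_packet(rates_gbps[r], frames[f]),
                   lookups_in_flight(rates_gbps[r], frames[f], assumed_latency_ns));
    return 0;
}
```

A flood of minimum-size frames at 200 Gbit/s leaves one card about 3.36 ns per packet, so any rule lookup slower than that has to be pipelined or run in parallel to avoid drops.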
OVHcloud includes DDoS protection as a standard feature rather than charging extra for it. Their CISO, Stéphane Nappo, put it this way: protecting customers against DDoS attacks should never be an optional service. This "by design" approach to availability relies entirely on FPGA-based network processing.
For other companies looking to build similar defenses, the starting point involves either developing custom FPGA logic from scratch or using pre-built IP blocks that handle the basic networking functions. The SmartNIC Shell approach gives you packet classification tools—some using P4 language, others using C++ HLS—so you can focus on writing the actual filtering logic rather than rebuilding low-level network drivers.
The hardware choice matters too. Enterprise-grade network infrastructure with high-bandwidth DDoS mitigation capabilities needs support for specialized memory types and multiple high-speed network ports. Cards like the XUP-P3R and XUP-VV8 include QDR-II+ SRAM options specifically for applications where lookup table performance determines whether your defense system works or fails.
DDoS attacks keep getting larger as more devices come online with poor security. The 2016 Mirai botnet attack peaked at 620 Gbps. More recent attacks have exceeded 1 Tbps. Traditional software-based defenses struggle at these scales because CPUs can't inspect packets fast enough.
FPGA-based solutions handle this by moving the inspection logic into hardware that's purpose-built for the task. The trade-off is complexity—programming FPGAs requires specialized knowledge compared to writing normal server software. But for hyperscale providers dealing with constant attack traffic, the performance advantage makes it worthwhile.
If you're running infrastructure that needs to stay online during attacks, the FPGA approach gives you predictable performance even when traffic volumes spike unexpectedly. The key is having enough processing capacity and the right memory architecture to handle rule lookups at line rate without dropping packets.