Engineering · 17 Jan 2026 · 2 min read

Inside Our Nanosecond Filtering Pipeline

Sanjay Rao

CTO

When we talk about DDoS mitigation speed, most vendors focus on time-to-mitigate: how quickly they can detect an attack and begin dropping malicious traffic. That metric matters, but it obscures a more fundamental question: how fast can individual packet filtering decisions be made?

At Wirescope, we measure filter initialization in nanoseconds. Here's why that matters, and how we achieve it.

The problem with software-based filtering

Most DDoS mitigation platforms process packets in software — typically using kernel bypass techniques like DPDK or XDP. These are fast by software standards, but they still operate in the microsecond range. When you're dealing with a 2 Tbps attack generating hundreds of millions of packets per second, microseconds add up.

Software-based filtering also suffers from jitter. CPU scheduling, cache misses, and memory allocation all introduce variability that can create micro-bursts of unfiltered traffic during the critical first moments of an attack.

Hardware-accelerated packet processing

Wirescope's filtering pipeline runs on custom ASICs deployed at every PoP. These chips are purpose-built for packet classification and can evaluate complex filter rules against incoming packets in under 50 nanoseconds.

The key innovations:

  • Parallel rule evaluation: Our ASICs evaluate all active filter rules simultaneously against each packet, rather than sequentially. This means filter performance doesn't degrade as rule complexity increases.
  • Zero-copy inspection: Packets are analyzed in-place on the wire, without being copied to memory. This eliminates the memory bandwidth bottleneck that limits software-based approaches.
  • Stateful tracking at line rate: We maintain per-flow state (connection tracking, rate limiting, behavioral fingerprinting) entirely in hardware, using on-chip SRAM. No round-trips to external memory.
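To make the parallel rule evaluation idea concrete, here is an added software emulation of bit-vector packet classification; it is illustrative code, not Wirescope's ASIC or DSL. Each field lookup returns the set of rules that match on that field, and one AND across the fields evaluates every rule at once, so the per-packet work stays fixed as rules are added. It assumes IPv4 prefixes, exact protocol/port matches, first-match priority by list order, and a constructed rule set.

```python
from ipaddress import ip_address, ip_network
FIELDS = ("src", "dst", "proto", "dport")          # "any" wildcards a field

def build_index(rules, field):
    # Per-field index: value -> bitmask of rule numbers; wildcard rules share one mask.
    index, wildcard = {}, 0
    for i, rule in enumerate(rules):
        val = rule[field]
        if val == "any":
            wildcard |= 1 << i
            continue
        if field in ("src", "dst"):                      # IPv4 prefixes only
            net = ip_network(val)
            val = (net.prefixlen, int(net.network_address))
        index[val] = index.get(val, 0) | (1 << i)
    return index, wildcard

class ParallelClassifier:
    """One lookup per field returns the set of rules matching on that field; ANDing
    the sets evaluates every rule at once, independent of how many are loaded."""
    def __init__(self, rules):
        self.rules = rules
        self.idx = {f: build_index(rules, f) for f in FIELDS}
        # Prefix lengths in use: at most 33 lookups per IP field, not one per rule.
        self.plens = {f: sorted({k[0] for k in self.idx[f][0]}) for f in ("src", "dst")}

    def _ip_mask(self, field, addr):
        index, mask = self.idx[field]
        a = int(ip_address(addr))
        for plen in self.plens[field]:
            net_bits = a & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            mask |= index.get((plen, net_bits), 0)
        return mask

    def classify(self, pkt):
        m = self._ip_mask("src", pkt["src"]) & self._ip_mask("dst", pkt["dst"])
        for f in ("proto", "dport"):
            index, wildcard = self.idx[f]
            m &= wildcard | index.get(pkt[f], 0)
        if m == 0:
            return "allow"                                # default: no rule matched
        first = (m & -m).bit_length() - 1                 # lowest set bit = highest priority
        return self.rules[first]["action"]

# Constructed sample rule set (priority = list order); not a real deployment.
RULES = [
    {"src": "any", "dst": "203.0.113.10/32", "proto": "udp", "dport": 53, "action": "allow"},
    {"src": "198.51.100.0/24", "dst": "any", "proto": "any", "dport": "any", "action": "drop"},
    {"src": "any", "dst": "203.0.113.0/24", "proto": "udp", "dport": "any", "action": "drop"},
]
```

A real pipeline would hold the per-field tables in TCAM or SRAM and perform the lookups concurrently; the dict lookups here only model the fixed per-packet cost.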

Filter initialization

When a new attack vector is detected, the corresponding filter rule needs to be deployed across the network. This is where "nanosecond filtering" comes in.

Traditional approaches require compiling filter rules, distributing them to edge nodes, and loading them into the data plane. This process typically takes seconds — sometimes minutes.

Our approach is different. Filter rules are expressed in a domain-specific language that compiles directly to ASIC microcode. New rules can be loaded into the pipeline without interrupting packet processing, and they take effect within a single clock cycle.

The result: from detection to mitigation in under 100 milliseconds, with individual packet filtering decisions made in under 50 nanoseconds.

What this means in practice

During a recent 1.8 Tbps multi-vector attack against one of our customers, our pipeline processed 340 million packets per second while maintaining sub-50ns per-packet filtering latency. Clean traffic experienced zero added latency. The entire attack was mitigated without a single packet of legitimate traffic being dropped.

That's the difference hardware makes.