Hashcache Core

A hardware accelerated key-value store for stateful network devices and caches with high DDoS attack resilience.

Synopsis

Introducing the Synogate HashCache IP-core

Synogate HashCache is a hardware implementation of a key-value store with cache-like storage management. 100+ million requests per second and a very high insertion rate make HashCache the ideal state storage for stateful firewalls, network address translators, web or database caches, and other stateful network devices that must operate and perform in untrusted networks. In addition, its sub-microsecond latencies make HashCache the storage solution of choice in all applications where latency matters, such as high-speed trading.


Application

  • Web-caches
  • Stateful firewalls
  • Network intrusion detection systems (NIDS)
  • Carrier-grade network address translation (NAT)
  • Database acceleration
  • High frequency trading
  • High bandwidth, high connection count hardware TCP server

Features

  • High read throughput
  • High insertion rate
  • Guarantees on retention time
  • Low latency, as low as 200 nanoseconds
  • Internal or external storage including DRAM support
  • Energy consumption < 1 microjoule per request
  • Low storage overhead

Key Benefits

  • Very resilient to DDoS with crafted traffic
  • Keeps high throughput even in write/update-heavy use cases and situations
  • More usable storage space due to low storage overhead
  • Significant power savings resulting in reduction of Total Cost of Ownership (TCO)

Details

Why write throughput matters

The massive growth in network bandwidth of 50% per year and the lack of growth in computing capabilities pose high demands on network appliances, especially those that need to hold and manage state. Stateful network devices, such as stateful firewalls or network address translators (NATs), must store and subsequently retrieve information of previous decisions to act coherently. This retrieval, update, and potential replacement of old entries must keep pace with the throughput of the network device.

A single 100 GiB/s Ethernet connection can transfer more than 209 million packets per second in each direction. Depending on the application scenario, the rate of requests to a network device’s state storage may be the same. What makes matters even more challenging is the exposure of such network devices to untrusted networks. In these environments, a malicious attacker can craft specific traffic to trigger a state storage’s worst-case behavior on purpose in an attempt to mount a DoS attack.

Synogate develops HashCache, a key-value store for FPGA and ASIC designs that solves these issues. HashCache scales to hundreds of millions of requests per second, which is enough for 100G Ethernet and more on modern FPGAs. A stateful network device that employs HashCache for its state storage also benefits from HashCache’s high write throughput and entry retention guarantees. Attackers attempting to mount a (D)DoS attack against the device with traffic that triggers large amounts of writes and new states, commonly a worst-case scenario for key-value stores, will find that HashCache is more than happy to service the requests while maintaining high throughput.

Synogate HashCache is the ideal key-value store for all network appliances that must handle state, especially if the state needs to be modified or created at a high rate. Its high read throughput and low latency also make it an excellent choice in more read-dominated caching use cases such as web-caches, database acceleration, and high frequency trading.

High Throughput

To demonstrate the throughput, we consider the use case of a stateful firewall. HashCache is fielded using QDR2-SRAM and single-channel DDR4-SDRAM, both variations implemented on an Arria 10 device. We compare against a single-core Linux eBPF implementation as well as a multi-core implementation with a supporting SmartNIC running on two memory channels of the same memory type.

The traffic is sourced from the CAIDA real-world dataset, mixed with increasing amounts of attack traffic to simulate a DDoS.

The software implementations, even with SmartNIC support, are orders of magnitude too slow to handle 100G or even 40G. HashCache, on the other hand, can easily handle 100G line rate. Under full attack, even with the slower single-channel DDR4-DRAM, it can sustain 40G line rate. Since HashCache scales almost linearly with the number of memory channels, 100G line rate is attainable even with DDR4-DRAM by scaling to four channels.

Low Latency

In the same stateful firewall use case, we measure the latency of HashCache for different storage options and traffic patterns. The latency is expressed as the probability of a request being performed within a time frame.

For QDR2-SRAM storage, requests are performed in well under one microsecond. In caching scenarios where attack patterns are not an issue, such as high frequency trading, this latency can drop to below 200 nanoseconds.