Network intrusion detection systems (IDS) are crucial for secure cloud computing,
but they are severely constrained by CPU computation capacity as network
bandwidth increases. Hardware offloading is therefore essential for IDS servers
to keep up with the ever-growing throughput demand of packet processing. Based on
our experience with large-scale IDS deployment, we find that existing hardware offloading
solutions have fundamental limitations that prevent them from being massively deployed
in production environments. In this paper, we present Fidas, an FPGA-based intrusion
detection offload system that avoids the limitations of existing hardware solutions
by comprehensively offloading the primary NIC, rule pattern matching, and traffic
flow rate classification. The pattern matching module in Fidas uses a multi-level
filter-based approach for efficient regex processing, and the flow rate classification
module employs a novel dual-stack memory scheme to identify hot flows under volumetric
attacks. Our evaluation shows that Fidas achieves state-of-the-art throughput
in pattern matching and flow rate classification while freeing up processors for other
security-related functionality. Fidas is deployed in a production data center
and has been battle-tested for performance, cost-effectiveness, and DevOps agility.