
Yeah, custom hardware (ASIC/FPGA depending). Liveness is trying to detect things like Slowloris [0], with things like timeouts, SYN cookies (which ask the client to do some minor work), etc.

[0] - https://en.wikipedia.org/wiki/Slowloris_(computer_security)
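The timeout-based liveness check described above, as an added illustration (not code from the comment author or from any product named in the thread): it replays a constructed trickle of request bytes per connection, flags heads that have not completed within a deadline, and flags sources holding several stalled heads at once. The thresholds and the sample addresses are assumptions.

```python
"""Liveness check for slow-header (Slowloris-style) connections.

Replays constructed per-connection request bytes and reports connections
whose request head is still incomplete after HEADER_TIMEOUT_S, plus any
source address holding MAX_STALLED_PER_SOURCE or more such connections.
"""
from collections import defaultdict
from dataclasses import dataclass

HEADER_TIMEOUT_S = 10.0      # assumed deadline for a full request head (ends with CRLFCRLF)
MAX_STALLED_PER_SOURCE = 3   # assumed count of stalled heads before a source is flagged


@dataclass
class Conn:
    src: str
    opened_at: float
    buf: bytes = b""

    def head_complete(self) -> bool:
        return b"\r\n\r\n" in self.buf

    def stalled(self, now: float) -> bool:
        # A head that is still open past the deadline is not "live" traffic
        return not self.head_complete() and now - self.opened_at > HEADER_TIMEOUT_S


def replay(events, now):
    """events: (t, conn_id, src, data) tuples; the first event for a conn_id opens it.
    Returns (sorted stalled conn_ids, sorted flagged source addresses) as of `now`."""
    conns = {}
    for t, cid, src, data in sorted(events):
        conns.setdefault(cid, Conn(src, t)).buf += data
    stalled = sorted(cid for cid, c in conns.items() if c.stalled(now))
    per_src = defaultdict(int)
    for cid in stalled:
        per_src[conns[cid].src] += 1
    flagged = sorted(s for s, n in per_src.items() if n >= MAX_STALLED_PER_SOURCE)
    return stalled, flagged


# Constructed sample: one well-behaved client and one source that keeps heads open
EVENTS = [
    (0.0, "c1", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # completes
    (0.0, "c2", "203.0.113.9", b"GET / HTTP/1.1\r\nHost: example\r\n"),
    (0.5, "c3", "203.0.113.9", b"GET / HTTP/1.1\r\n"),
    (1.0, "c4", "203.0.113.9", b"GET / HTTP/1.1\r\n"),
    (1.5, "c5", "203.0.113.9", b"GET / HTTP/1.1\r\n"),
    (9.0, "c2", "203.0.113.9", b"X-a: 1\r\n"),          # trickle keeps c2 open, head still incomplete
    (12.0, "c6", "203.0.113.9", b"GET / HTTP/1.1\r\n"),  # too young to count as stalled at t=15
]

if __name__ == "__main__":
    print(replay(EVENTS, 15.0))  # (['c2', 'c3', 'c4', 'c5'], ['203.0.113.9'])
```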



It was silicon (or, at least, optimized general compute) in the mid-2000s, but who knows anymore? It could all be user land TCP/IP on Linux today. High speed network processing got weird.


It's a mix depending on what market segment you're looking at. I watch it from afar. There's still a lot of silicon use, esp for accelerating TCP/IP or decryption. I also found one recently you all might enjoy with slides on using a GPU:

http://on-demand.gputechconf.com/gtc/2017/presentation/s7468...


Thanks for the link. This is really interesting. Might you know if the talk that accompanied this is available somewhere?


A10 actually lists the number of FPGAs in their mitigation appliances for sizing purposes.

"Select Thunder TPS models have high-performance FPGA-based Flexible Traffic Acceleration (FTA) technology to detect and mitigate up to 60 common attack vectors immediately in hardware — before data CPUs are involved. "


>"High speed network processing got weird."

I was curious about this statement. Can you elaborate, weird how?


Shifted from hardware intensive (ASICs, FPGAs) to software so we can do high-speed packet mangling on commodity hardware. Initially pretty involved with DPDK etc but much easier as of late with XDP+eBPF.

e.g. https://jvns.ca/blog/2017/04/07/xdp-bpf-tutorial/ https://netdevconf.org/2.1/papers/Gilberto_Bertin_XDP_in_pra... https://people.netfilter.org/hawk/presentations/OpenSourceDa...


Not the GP, but I worked in the DDoS space for a spell a few years ago, helping develop the company's 3rd generation product. Their 1st generation was ASIC-based; 2nd generation a manycore CPU (Tilera) running a custom OS mostly written in assembly; 3rd generation used the next generation of that CPU (Tile GX) which provided lots of dedicated highly-parallel network processing hardware (including a programmable coprocessor), some of which was designed following feedback from our CTO.

The Tile GX (including the hardware) was available for general-purpose use from Linux (which we ran), but could also be programmed directly to do lots of packet classification even before the packets got to the CPU and main memory (which we did). The Cavium network processor worked similarly.



