Subject: Re: IDS: kernel implementations
From: Robert Graham (robert_david_graham@yahoo.com)
Date: Sat Jul 22 2000 - 16:42:04 CDT


--- John S Flowers <jflowershiverworld.com> wrote:
> Lastly, I'd like to encourage other people on this list to toss out some
> of the numbers that they are seeing (in real world environments) using
> either 100 Mbit or multiple 100 Mbit systems behind a load balancer.
> We're having a lot of trouble getting real data out of the vendors. ;)

Real-world is indeed where most people fail.

I just got back from an ISP who was only monitoring a fully saturated T3 line.
Remember that a T3 is full-duplex 45-mbps, but you get a lot less than 90-mbps
when it is "fully-saturated" because the traffic is asymmetric.

The stats that I found when running BlackICE Sentry were:
60-mbps
25,000 packets/second
300,000 TCP connections (average)
2-million TCP connections (peak)
roughly 20 intrusions/second sustained
Dual Pentium III 800-MHz 25% CPU utilization dropping no packets

Full disclosure: They tried competitors' products, but they all died. However,
we were only going 10,000 packets/second ourselves until I made a small fix to
handle the insanely high TCP connection count. I'm still working on further
optimizations for this problem.

Another real-world statistic is flooding my machine with a DoS attack, where
every packet triggers the "signature". My Linux box will pump out roughly
85,000 Jolt2 packets/second. On my personal computer (dual P-II 400-MHz), it
takes roughly 8% of the CPU in order to capture the packets, do signature
analysis on them, and coalesce the insanely high number of events generated.
Notice that these numbers are very different than the ones quoted above: the
nature of the traffic has a huge impact on actual performance.

That statistic applies only to BlackICE Sentry; the numbers are a lot different
with our desktop-NIDS BlackICE Defender. I just ran the attack and measured 70%
CPU utilization. This is because it has to integrate with the TCP/IP stack and
do firewalling; most of the time is actually spent within Microsoft's drivers.
Also, 70% is a lot better than the alternative: without Defender doing its job,
the Windows TCP/IP stack causes the machine to hang.

=====
Robert Graham http://www.robertgraham.com/pubs
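The post above makes the point that when every packet of a flood matches a signature, the sensor has to coalesce the resulting event stream or the alerting path itself becomes the bottleneck. The following is an added illustration of that idea, written for this archive page; it is not BlackICE code or anything the author posted. It folds repeated hits with the same (signature, source, destination) key into one summary per time window, bounds the number of open keys so a flood from many sources cannot exhaust memory, and runs over a constructed event stream (signature names, addresses and the 1,000 events/second rate are all made up for the demo).

```python
"""Alert coalescing for a flood of identical signature hits (added example)."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Summary:
    """One coalesced alert: how many identical hits fell in one window."""
    signature: str
    src: str
    dst: str
    first_seen: float
    last_seen: float
    count: int = 1


class AlertCoalescer:
    """Folds per-packet signature hits into per-window summaries.

    window   -- seconds after the first hit during which repeats are merged
    max_keys -- upper bound on distinct open (signature, src, dst) keys; the
                oldest key is flushed when the bound is reached, so memory use
                does not grow with the number of attacking sources
    """

    def __init__(self, window: float = 1.0, max_keys: int = 10000):
        self.window = window
        self.max_keys = max_keys
        self._open: "OrderedDict[tuple, Summary]" = OrderedDict()
        self.emitted: list = []

    def observe(self, ts: float, signature: str, src: str, dst: str) -> None:
        key = (signature, src, dst)
        current = self._open.get(key)
        if current is not None and ts - current.first_seen < self.window:
            # Same key inside the open window: just count it, no new alert.
            current.count += 1
            current.last_seen = ts
            return
        if current is not None:
            # Window expired for this key: emit the old summary, start a new one.
            self._emit(key)
        if len(self._open) >= self.max_keys:
            # Bound the table: flush the oldest open key before adding another.
            self._emit(next(iter(self._open)))
        self._open[key] = Summary(signature, src, dst, ts, ts)

    def _emit(self, key: tuple) -> None:
        self.emitted.append(self._open.pop(key))

    def flush(self, now: float = None) -> list:
        """Emit every open summary (or only the expired ones if `now` is given)."""
        for key in list(self._open):
            if now is None or now - self._open[key].first_seen >= self.window:
                self._emit(key)
        return self.emitted


def build_constructed_stream(rate: int = 1000, seconds: int = 3) -> list:
    """Constructed input: a 3-second flood where every packet hits the same
    signature, plus two sporadic hits of a different signature. Hypothetical
    signature names and RFC 1918 addresses; nothing here is captured traffic."""
    flood = [(i / rate, "FRAG_FLOOD_TEST", "10.0.0.5", "10.0.0.1")
             for i in range(rate * seconds)]
    sporadic = [(0.5, "PORTSCAN_TEST", "10.0.0.9", "10.0.0.1"),
                (2.5, "PORTSCAN_TEST", "10.0.0.9", "10.0.0.1")]
    return sorted(flood + sporadic, key=lambda e: e[0])


def run_demo() -> list:
    """Feed the constructed stream through the coalescer and return summaries."""
    coalescer = AlertCoalescer(window=1.0)
    for ts, sig, src, dst in build_constructed_stream():
        coalescer.observe(ts, sig, src, dst)
    return coalescer.flush()


if __name__ == "__main__":
    summaries = run_demo()
    total = sum(s.count for s in summaries)
    print(f"{total} raw hits -> {len(summaries)} coalesced alerts")
    for s in summaries:
        print(f"{s.signature:16} {s.src} -> {s.dst} x{s.count} "
              f"[{s.first_seen:.3f}s .. {s.last_seen:.3f}s]")
```

With the constructed stream, 3,002 raw hits reduce to five alerts: three one-second flood summaries of 1,000 hits each and two single-hit port-scan summaries. The design choice worth noting is that the coalescer never allocates per packet once a key is open, which is what keeps the alerting cost flat as the packet rate climbs; the `max_keys` bound is the other half of the defence, since a flood spread over many spoofed sources would otherwise turn the summary table into the thing that gets exhausted.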
