[Dshield] Mangled traffic and its effects on IDS performance

Pete Cap peteoutside at yahoo.com
Tue Apr 10 14:02:37 GMT 2007


I'm currently attempting to troubleshoot an IDS issue involving dropped packets.  The sensor is currently dropping around 60% of the traffic it's observing.  The CPU and memory are getting pegged and it's trying to monitor about 60-70k TCP "conversations" at a time.

I have already discovered that the CPU load and so forth do not correlate with actual network throughput at any given time--I have gig interfaces getting 200k/s and they're dropping packets just as badly as the interfaces that are getting maxed out.  Both throughput and packet drop rates do correlate with the number of users logged in at any given time, however.

Packet analysis with wireshark shows that about 1/3 of the packets, at any given time, are dupes, transmitted out-of-order, are truncated, etc.  Basically, it's pretty mangled.  If you look at transmission times, about half the traffic is fine, and about 1/3 is very, very slow.  So, in statistical terms, it's like there are two distributions.

I took this to management and suggested that there may be one or more layer 2 devices misbehaving, and proposed to go device by device with a sniffer to try to find the source and cause of the mangled traffic.  However, a coworker has suggested that 30% mangled traffic is normal for any enterprise and should not choke the IDS--so the solution is simply to add more appliances and attempt some kind of load-balancing.

In my personal experience, environments with this much mangled traffic are a problem for a wide range of IDS solutions (including deployments of snort and four of the major vendors).  But I need to back this up with hard data.  So, can anyone either point me to some studies on the subject, or at least give anecdotes about the effects of messed up traffic on IDS performance?  I have done a 30,000 ft literature review and I see that, for example, Neohapsis used to do performance testing to certify various solutions, but this effort seems to have stopped in 2004.

Alternately, if someone can give me guidance on recreating this in a lab environment, then that would be good as well--I can test our current solution, another vendor's, and the old standby snort.  Any ideas?

Thanks in advance,
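As an added example (not part of the original post or any reply to it): a small Python classifier that labels TCP segments the way an IDS stream reassembler sees them (in order, duplicate, out of order, truncated by the snaplen) and reports the mangled fraction plus the share of slow inter-arrival gaps, which is the two-distribution picture described above. The segment records are constructed inline for illustration; the `Segment` field names and the flow tuple layout are assumptions, and in practice the records would be exported from a capture.

```python
"""Per-flow TCP segment classification, as a stream reassembler would do it.

Added example, not code from the original mailing list post. The SAMPLE records
below are constructed; real input would come from a capture export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flow: tuple    # (src_ip, src_port, dst_ip, dst_port), one direction (assumed layout)
    seq: int       # TCP sequence number (relative numbering is fine)
    length: int    # payload length claimed by the IP/TCP headers
    captured: int  # payload bytes actually present in the capture
    ts: float      # capture timestamp in seconds


def classify(segments):
    """Return a list of labels parallel to `segments`.

    State kept per flow mirrors what a reassembler must hold: the next deliverable
    sequence number, the ranges already delivered, and out-of-order data buffered
    until the gap in front of it is filled.
    """
    order = sorted(range(len(segments)), key=lambda k: segments[k].ts)
    expected = {}                   # flow -> next sequence number that can be delivered
    delivered = defaultdict(set)    # flow -> (seq, length) pairs already accepted
    pending = defaultdict(dict)     # flow -> {seq: length} held because of a gap
    labels = [None] * len(segments)
    for k in order:
        s = segments[k]
        f = s.flow
        if f not in expected:
            expected[f] = s.seq     # first segment seen defines the baseline
        if (s.seq, s.length) in delivered[f] or s.seq < expected[f]:
            label = "duplicate"     # wholly or partly old data (retransmission)
        elif s.seq == expected[f]:
            label = "in_order"
            delivered[f].add((s.seq, s.length))
            expected[f] = s.seq + s.length
            while expected[f] in pending[f]:        # drain buffered data that now fits
                ln = pending[f].pop(expected[f])
                expected[f] += ln
        else:
            label = "out_of_order"  # arrived ahead of a gap; must be kept in memory
            pending[f][s.seq] = s.length
            delivered[f].add((s.seq, s.length))
        # A snaplen-clipped segment still advances the stream by its headers, but
        # the payload the IDS would inspect is missing, so it is labelled separately.
        labels[k] = "truncated" if s.captured < s.length else label
    return labels


def summarize(segments):
    """Return (counts per label, fraction of segments that are not plain in-order)."""
    labels = classify(segments)
    kinds = ("in_order", "duplicate", "out_of_order", "truncated")
    counts = {kind: labels.count(kind) for kind in kinds}
    mangled = len(labels) - counts["in_order"]
    return counts, mangled / len(labels)


def slow_gap_fraction(segments, threshold):
    """Fraction of per-flow inter-arrival gaps longer than `threshold` seconds."""
    by_flow = defaultdict(list)
    for s in segments:
        by_flow[s.flow].append(s.ts)
    gaps = []
    for stamps in by_flow.values():
        stamps.sort()
        gaps.extend(b - a for a, b in zip(stamps, stamps[1:]))
    if not gaps:
        return 0.0
    return sum(g > threshold for g in gaps) / len(gaps)


# Constructed sample: two one-directional flows, nine segments in total.
A = ("10.0.0.5", 51000, "10.0.0.9", 80)
B = ("10.0.0.6", 51001, "10.0.0.9", 443)
SAMPLE = [
    Segment(A, 1000, 100, 100, 0.000),  # in order
    Segment(A, 1100, 100, 100, 0.010),  # in order
    Segment(A, 1100, 100, 100, 0.250),  # retransmission of the previous -> duplicate
    Segment(A, 1200, 100, 100, 0.260),  # in order
    Segment(B, 5000, 200, 200, 0.005),  # in order
    Segment(B, 5400, 200, 200, 0.015),  # skips 5200..5399 -> out of order
    Segment(B, 5200, 200, 200, 0.400),  # fills the gap; buffered 5400 drains too
    Segment(B, 5600, 200, 96, 0.410),   # only 96 of 200 payload bytes captured -> truncated
    Segment(B, 5800, 200, 200, 0.420),  # in order
]

if __name__ == "__main__":
    counts, frac = summarize(SAMPLE)
    print(counts, f"mangled fraction {frac:.2f}")
    print(f"slow gaps (>100 ms): {slow_gap_fraction(SAMPLE, 0.1):.2f}")
```

Fed with a few thousand segments from a real capture (for example the `tcp.seq`, `tcp.len`, `frame.cap_len` and `frame.time_epoch` fields exported by tshark), the two numbers give the "hard data" the post asks for: how much of the traffic the sensor has to buffer or discard rather than inspect, and how bimodal the delays are, per segment rather than per interface throughput.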
