[Dshield] Mangled traffic and its effects on IDS performance

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 10 19:29:05 GMT 2007

On Tue, 10 Apr 2007 07:02:37 PDT, Pete Cap said:
>  However, a coworker has suggested that 30% mangled traffic is normal for any
> enterprise

30% mangled is *NOT* normal. Period. End Of Discussion.  Consider that things
like TCP Selective Ack were designed to keep TCP doing better in the face of
hostile networks where 2-3% of packets were dropped.  If we see packet drop rates
of over 0.1% or so, we start looking for the reason why.  I think the last time
we had 30% traffic drop rates was when Nachi was busy trying to burn down
our network, and that most certainly qualified as an "all hands red alert".

Think about what a 30% drop rate means for TCP window sizes - you only have
about a 24% chance of 4 packets in a row getting through, and only a 5% chance
of getting 8 packets through.  This means that your TCP connections will be
*continually* throttling back their windows. Is anybody managing to get TCP
throughput over 30-40K/sec in this environment?

Also, note that "mangled" has a specific meaning to network jockeys - a
packet that has arrived, but with data/flags modified in transit to unacceptable
values - so a change in the TTL at each hop is acceptable (and required), but
a change in the destination port is probably quite evil...

Dupes and out-of-order aren't mangled.  Runt and truncated packets are.

In any case, you need to track down the offending network gear and fix it.
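The two points in the reply above, the compounding odds of consecutive delivery at a given drop rate and the distinction between genuinely mangled packets (runts, truncation, rewritten header fields) and harmless dupes or reordering, as an added example that is not part of the original post. It assumes the practical setup of pairing a capture taken upstream of the suspect gear with one taken downstream; the `Pkt` record, its field names and the sample packets are constructed for the example.

```python
from collections import Counter, namedtuple

ETH_HDR, ETH_MIN_FRAME = 14, 60  # Ethernet header bytes; smallest legal frame (no FCS)
# Constructed record; frame_len = bytes on the wire, ip_len = IP Total Length field
Pkt = namedtuple("Pkt", "seq frame_len ip_len ttl dst_port")

def consecutive_delivery_probability(drop_rate, n):
    """Chance that n packets in a row all arrive under an independent drop rate."""
    return (1.0 - drop_rate) ** n

def classify(sent, received):
    """Pair an upstream capture with a downstream one. Dupes and reordering are not
    mangling; runts, truncation and rewritten headers are. TTL decrement is expected."""
    by_seq = {p.seq: p for p in sent}
    counts, seen, last_seq = Counter(), set(), -1
    for r in received:
        if r.seq in seen:
            counts["duplicate"] += 1
            continue
        seen.add(r.seq)
        if r.seq < last_seq:
            counts["out_of_order"] += 1  # noted, but still classified below
        last_seq = max(last_seq, r.seq)
        s = by_seq[r.seq]
        if r.frame_len < ETH_MIN_FRAME:
            counts["mangled_runt"] += 1
        elif r.frame_len < r.ip_len + ETH_HDR:
            counts["mangled_truncated"] += 1
        elif r.dst_port != s.dst_port or r.ttl > s.ttl:
            counts["mangled_header"] += 1
        else:
            counts["clean"] += 1
    counts["dropped"] = len(by_seq) - len(seen)
    return counts

def mangled_fraction(counts):
    """Share of distinct delivered packets that arrived mangled."""
    mangled = sum(v for k, v in counts.items() if k.startswith("mangled_"))
    return mangled / (mangled + counts["clean"]) if mangled + counts["clean"] else 0.0

# Constructed sample: seven packets sent, one lost, several damaged in transit.
SENT = [Pkt(i, 1514, 1500, 64, 443) for i in range(1, 8)]
RECEIVED = [
    Pkt(1, 1514, 1500, 63, 443),   # clean: only the TTL changed
    Pkt(3, 1514, 1500, 63, 443),   # clean, arrives ahead of 2
    Pkt(2, 1514, 1500, 63, 443),   # out of order, still clean
    Pkt(2, 1514, 1500, 63, 443),   # duplicate, not mangled
    Pkt(4, 42, 1500, 63, 443),     # runt: 42 bytes on the wire
    Pkt(5, 900, 1500, 63, 443),    # truncated: shorter than the IP header claims
    Pkt(6, 1514, 1500, 63, 8080),  # destination port rewritten in transit
]                                  # seq 7 never arrives: dropped
```

With the sample above, half of the delivered packets are mangled while the dupe and the reordered packet are left out of that count; at a 30% drop rate the 4-in-a-row and 8-in-a-row figures come out as the 24% and roughly 5% quoted in the reply.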
