[Dshield] Mangled traffic and its effects on IDS performance

Pete Cap peteoutside at yahoo.com
Wed Apr 11 14:23:35 GMT 2007

Valdis.Kletnieks at vt.edu wrote:
> On Tue, 10 Apr 2007 07:02:37 PDT, Pete Cap said:
> >  However, a coworker has suggested that 30% mangled traffic is normal for any
> > enterprise
>
> 30% mangled is *NOT* normal. Period. End Of Discussion.  Consider that things
> like TCP Selective Ack were designed to keep TCP doing better in the face of
> hostile networks where 2-3% of packets were dropped.  We see packet drop rates
> of over 0.1% or so, we start looking for the reason why.  I think the last time
> we had 30% traffic drop rates was when Nachi was busy trying to burn down
> our network, and that most certainly qualified as an "all hands red alert".
>
> Dupes and out-of-order aren't mangled.  Runt and truncated packets are.
>
> In any case, you need to track down the offending network gear and fix it.

Ah.  I was unaware that "mangled" had a specific meaning--I will be sure to use it properly in the future.

I know dupes and out-of-order packets are to be expected, but according to Ethereal about 30% of traffic at one site and, as of last night, ~60% of traffic at another site involves dupes, retransmissions, and lost segments.  So, I believe that the IDS is having difficulty reassembling TCP streams--it is trying to maintain state on every connection and it thinks it's seeing disparate communications.  So the queue fills up and it starts dropping packets.

I know that when it starts dropping packets, the IDS is attempting to monitor ~60-70k connections.  Does anyone know of a solution that can handle more than this?  At some point management is going to start asking if we should just go with another vendor.
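The reassembly problem described above, as an added example that is not part of the original post: a minimal per-flow classifier (constructed sample segments; the flow keys and function names are hypothetical) that separates in-order data from retransmissions and out-of-order segments the way a stream reassembler must, and reports how much data stays parked in reassembly buffers while gaps remain unfilled. Measuring that fraction is the first step before deciding whether the sensor or the network gear is at fault.

```python
"""Per-flow TCP segment classification as a stream reassembler sees it.

Sample input is constructed for this example: (flow, seq, payload_len)
tuples, where flow is a (src, dst, sport, dport) key.  Only data
segments are modelled; pure ACKs and partial overlaps are ignored.
"""
from collections import defaultdict


def classify_segments(segments):
    """Return (counts, buffered): how many segments were in order,
    retransmitted, or out of order, plus bytes still held per flow."""
    next_seq = {}                # flow -> next expected sequence number
    pending = defaultdict(dict)  # flow -> {seq: length} waiting behind a gap
    counts = {"in_order": 0, "retransmission": 0, "out_of_order": 0}
    for flow, seq, length in segments:
        expected = next_seq.get(flow)
        if expected is None or seq == expected:
            counts["in_order"] += 1
            next_seq[flow] = seq + length
            # A filled gap may release segments that were buffered earlier.
            while next_seq[flow] in pending[flow]:
                next_seq[flow] += pending[flow].pop(next_seq[flow])
        elif seq < expected:
            # Data already delivered: duplicate or retransmission.
            counts["retransmission"] += 1
        else:
            # Gap before this segment: hold it until the gap is filled.
            counts["out_of_order"] += 1
            pending[flow][seq] = length
    buffered = {f: sum(p.values()) for f, p in pending.items() if p}
    return counts, buffered


def disorder_fraction(counts):
    """Share of segments that were not in order (what Ethereal flags)."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts["in_order"]) / total


# Constructed sample: two flows, one with a filled gap, one left open.
FLOW_A = ("10.0.0.1", "10.0.0.2", 1234, 80)
FLOW_B = ("10.0.0.3", "10.0.0.2", 5555, 443)
SAMPLE = [
    (FLOW_A, 1000, 100), (FLOW_A, 1100, 100), (FLOW_A, 1300, 100),
    (FLOW_A, 1100, 100), (FLOW_A, 1200, 100),
    (FLOW_B, 5000, 50), (FLOW_B, 5200, 50), (FLOW_B, 5000, 50),
]

if __name__ == "__main__":
    c, b = classify_segments(SAMPLE)
    print(c, b, f"disorder={disorder_fraction(c):.0%}")
```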


