[Dshield] Mangled traffic and its effects on IDS performance
peteoutside at yahoo.com
Wed Apr 11 14:23:35 GMT 2007
Valdis.Kletnieks at vt.edu wrote:
> On Tue, 10 Apr 2007 07:02:37 PDT, Pete Cap said:
>> However, a coworker has suggested that 30% mangled traffic is normal for any
> 30% mangled is *NOT* normal. Period. End Of Discussion. Consider that things
> like TCP Selective Ack were designed to keep TCP doing better in the face of
> hostile networks where 2-3% of packets were dropped. We see packet drop rates
> of over 0.1% or so, we start looking for the reason why. I think the last time
> we had 30% traffic drop rates was when Nachi was busy trying to burn down
> our network, and that most certainly qualified as an "all hands red alert".
> Dupes and out-of-order aren't mangled. Runt and truncated packets are.
> In any case, you need to track down the offending network gear and fix it.
Ah. I was unaware that "mangled" had a specific meaning--I will be sure to use it properly in the future.
I know dupes and out-of-order packets are to be expected, but according to ethereal about 30% of traffic at one site and, as of last night, ~60% of traffic at another site involves dupes, retransmissions, and lost segments. So, I believe that the IDS is having difficulty reassembling TCP streams--it is trying to maintain state on every connection and it thinks it's seeing disparate communications. So the queue fills up and it starts dropping packets.
I know that when it starts dropping packets, the IDS is attempting to monitor ~60-70k connections. Does anyone know of a solution that can handle more than this? At some point management is going to start asking if we should just go with another vendor.
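An added example, not from anyone in this thread, that makes the distinction Valdis draws measurable before blaming the IDS: classify each packet of a capture as mangled (runt or truncated) versus a benign TCP anomaly (dupe, retransmission, out-of-order, lost segment) and report each as a fraction of all packets. The tab-separated input format, the flag names (modelled on Wireshark's tcp.analysis expert flags) and the sample data are constructed; the 60-byte runt floor and the 0.1% "start investigating" threshold follow the thread.

```python
"""Separate truly mangled frames from benign TCP anomalies in a capture summary."""
from collections import Counter

# Ethernet frames shorter than 60 bytes (64 minus the 4-byte FCS) are runts.
MIN_ETHERNET_FRAME = 60
# Valdis's rule of thumb: drop/mangle rates above ~0.1% warrant a look at the gear.
INVESTIGATE_ABOVE = 0.001

# Per the thread: dupes and out-of-order aren't mangled; runt and truncated are.
MANGLED = frozenset({"runt", "truncated"})
BENIGN_ANOMALY = frozenset({"duplicate", "retransmission", "out_of_order", "lost_segment"})

# Constructed sample: frame.len, frame.cap_len, comma-separated analysis flags.
SAMPLE = """\
1514\t1514\t
1514\t1514\tretransmission
66\t66\tduplicate
1514\t1514\tout_of_order
40\t40\t
1514\t96\t
1514\t1514\tlost_segment
1514\t1514\t
66\t66\t
1514\t1514\tretransmission,out_of_order
"""

def classify(frame_len, cap_len, flags):
    """Return the set of categories that apply to one packet."""
    cats = set()
    if frame_len < MIN_ETHERNET_FRAME:
        cats.add("runt")                     # short on the wire: real damage
    if cap_len < frame_len:
        cats.add("truncated")                # captured fewer bytes than sent
    cats.update(f for f in flags if f in BENIGN_ANOMALY)
    return cats

def parse_line(line):
    """Parse one constructed line into (frame_len, cap_len, flags tuple)."""
    parts = line.rstrip("\n").split("\t")
    flags = tuple(f for f in parts[2].split(",") if f) if len(parts) > 2 else ()
    return int(parts[0]), int(parts[1]), flags

def summarize(lines):
    """Return {'total': n, category: fraction, 'mangled': fraction, 'benign_anomaly': fraction}."""
    counts, total = Counter(), 0
    for line in (l for l in lines if l.strip()):
        total += 1
        cats = classify(*parse_line(line))
        counts.update(cats)
        counts["mangled"] += bool(cats & MANGLED)          # one hit per packet
        counts["benign_anomaly"] += bool(cats & BENIGN_ANOMALY)
    return {"total": total, **{k: v / total for k, v in counts.items()}} if total else {}

def needs_investigation(summary, threshold=INVESTIGATE_ABOVE):
    """True when the mangled fraction exceeds the thread's 0.1% rule of thumb."""
    return summary.get("mangled", 0.0) > threshold
```

On the constructed sample, 20% of packets are mangled and 50% are benign anomalies, so only the former would count against the "30% mangled" claim.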