Firewall Wizards mailing list archives

Re: IDS load testing


From: tqbf () secnet com
Date: Thu, 19 Feb 1998 13:33:03 -0600 (CST)


> The traffic for the first snapshot is between 9.7-10.5 Mb.
> The packet counts during peak loading times varies between 15,000
> and 18,000 packets per second.
>
> That's the kinda firehose I want to validate against.

Hello, Mr. Stolarchuk. I think it's great that the people at NFR are
validating their product's ability to monitor a typical busy FDDI network,
however, I'd like to point something out (you probably already realize
this):

IDS denial of service attacks that involve resource consumption do not
necessarily involve ping floods or smurf attacks. The fact that your
system can handle normal traffic on a saturated full duplex 100bT segment
does not mean that I can't send a series of packets that will consume all
processing resources on the box.

It is possible that I can drown ID systems without flooding the network
simply by sending a stream of packets that causes the IDS to exercise
its algorithms in their worst-case behavior; for instance, have you
tested NFR on a 10bT network that is flooded with 8 byte fragments of
MTU-sized packets?

I just wanted to make sure that we all understand that DOS vulnerability
is not necessarily addressed by figures (tossed about by vendors other
than NFR) like "capable of monitoring 20mb/s of traffic without drops!".

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"


