Firewall Wizards mailing list archives
Re: IDS load testing
From: tqbf () secnet com
Date: Thu, 19 Feb 1998 13:33:03 -0600 (CST)
> The traffic for the first snapshot is between 9.7-10.5 Mb. The packet counts during peak loading times varies between 15,000 and 18,000 packets per second.
>
> That's the kinda firehose i want to validate against.
Hello, Mr. Stolarchuk. I think it's great that the people at NFR are validating their product's ability to monitor a typical busy FDDI network; however, I'd like to point something out (you probably already realize this): IDS denial of service attacks that involve resource consumption do not necessarily involve ping floods or smurf attacks. The fact that your system can handle normal traffic on a saturated full duplex 100bT segment does not mean that I can't send a series of packets that will consume all processing resources on the box.

It is possible that I can drown ID systems without flooding the network simply by sending a stream of packets that causes the IDS to exercise its algorithms in their worst-case behavior; for instance, have you tested NFR on a 10bT network that is flooded with 8 byte fragments of MTU-sized packets?

I just wanted to make sure that we all understand that DOS vulnerability is not necessarily addressed by figures (tossed about by vendors other than NFR) like "capable of monitoring 20mb/s of traffic without drops!".

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                             "mmm... sacrilicious"
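The mail's point is that an IDS's cost is paid per packet and per algorithmic step, not per byte, so a bandwidth figure says nothing about worst-case inputs. The model below is an added illustration for this thread, not NFR code and not part of the original mail: a toy IP fragment reassembler whose sorted-list insertion is O(n) per fragment, fed one MTU-sized datagram either whole or as 8-byte fragments. It then shows the defender-side fix, a cap on fragments held per datagram, which bounds the work an attacker can force. The reassembler design, the cap of 64, the constructed 1480-byte payload and the comparison counter (standing in for CPU time) are all assumptions of the example.

```python
"""Toy model: per-packet reassembly work vs. bytes on the wire.

Added illustration for the IDS load-testing thread; not NFR code. The
reassembler, its fragment cap and the constructed test datagram are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field, shared by all fragments of one datagram
    offset: int    # fragment offset in 8-byte units, as carried in the IP header
    more: bool     # MF flag: True unless this is the last fragment
    payload: bytes


def fragment_datagram(ident: int, payload: bytes, frag_payload: int) -> list:
    """Split a datagram payload into frag_payload-byte fragments.
    Constructed in-memory test input only; nothing is sent anywhere."""
    if frag_payload <= 0 or frag_payload % 8 != 0:
        raise ValueError("fragment payload must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), frag_payload):
        chunk = payload[start:start + frag_payload]
        more = start + frag_payload < len(payload)
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags


class NaiveReassembler:
    """Keeps each datagram's fragments in an offset-sorted list and inserts by
    linear scan: O(n) per fragment, O(n^2) per datagram. The comparison counter
    stands in for the CPU time an IDS would burn."""

    def __init__(self):
        self.pending = {}       # ident -> offset-sorted list of fragments
        self.comparisons = 0

    def add(self, frag: Fragment):
        lst = self.pending.setdefault(frag.ident, [])
        pos = 0
        while pos < len(lst) and lst[pos].offset < frag.offset:
            self.comparisons += 1
            pos += 1
        lst.insert(pos, frag)
        if self._complete(lst):
            del self.pending[frag.ident]
            return b"".join(f.payload for f in lst)
        return None

    @staticmethod
    def _complete(lst) -> bool:
        # Complete when coverage starts at 0, is contiguous, and the last has MF clear.
        if not lst or lst[0].offset != 0 or lst[-1].more:
            return False
        expected = 0
        for f in lst:
            if f.offset * 8 != expected:
                return False
            expected += len(f.payload)
        return True


class BoundedReassembler(NaiveReassembler):
    """Same algorithm, but never holds more than max_fragments per datagram.
    A datagram that exceeds the cap is discarded and later fragments with that
    ident are ignored (a real implementation would age the entry out)."""

    def __init__(self, max_fragments: int):
        super().__init__()
        self.max_fragments = max_fragments
        self.drops = 0
        self.rejected = set()

    def add(self, frag: Fragment):
        if frag.ident in self.rejected:
            return None
        if len(self.pending.get(frag.ident, [])) >= self.max_fragments:
            del self.pending[frag.ident]
            self.rejected.add(frag.ident)
            self.drops += 1
            return None
        return super().add(frag)


def measure(reassembler, payload: bytes, frag_payload: int) -> dict:
    """Feed one fragmented datagram through a reassembler and report the work done."""
    frags = fragment_datagram(ident=1, payload=payload, frag_payload=frag_payload)
    result = None
    for f in frags:
        out = reassembler.add(f)
        if out is not None:
            result = out
    return {
        "fragments": len(frags),
        "comparisons": reassembler.comparisons,
        "reassembled": result == payload,
    }


if __name__ == "__main__":
    mtu_payload = b"A" * 1480   # constructed: one Ethernet-MTU-sized datagram payload
    for label, r, size in [
        ("naive, unfragmented", NaiveReassembler(), 1480),
        ("naive, 8-byte fragments", NaiveReassembler(), 8),
        ("bounded(64), 8-byte fragments", BoundedReassembler(64), 8),
    ]:
        print(label, measure(r, mtu_payload, size))
```

The same 1480 bytes cost the naive reassembler 0 comparisons when they arrive as one packet and 17020 when they arrive as 185 eight-byte fragments, which is the asymmetry a "monitors N mb/s without drops" figure hides. The bounded variant stops at 2016 comparisons and records a drop, so the question to ask a vendor is not only the throughput number but what per-flow state and work limits exist, and what the product logs when it hits them.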