IPS/IDS behavior with ISIC/UDPSIC/TCPSIC/ICMPSIC traffic

["Ravi Chunduru" <ravi.is.chunduru () gmail com>]

According to NSS testing criteria,  the IPS/IDS devices are expected
to work normally even during the time *SIC traffic is sent at
60000pkts/sec with each packet size of 690 bytes. I find that inline
snort IPS software based PC device stops passing any legitimate
traffic when this *SIC traffic is sent at very high speed.  As such I
also see this problem even if UDPSIC traffic (with random ports) is
passed with 50000 pkts/sec.   Once the traffic is stopped, it starts
working normally. Note that if I use UDPSIC with fixed port, then I
don't see the problem of 100% CPU utilization and other traffic passes
normally.

I am using PC with P4 processor running at 2.8Ghz.


Is there any significance to 60000 pkts/sec NSS number? Also, what is
the expected behavior of IPS software during this load?
Does NSS test with random UDP ports? Or do they use one fixed port
while running UDPSIC and TCPSIC?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------