Re: Generating Traffic to Stress Test IDS

From: Dragos Ruiu (dr@kyx.net)
Date: 01/25/02


Date: Fri, 25 Jan 2002 08:09:32 +0000
From: Dragos Ruiu <dr@kyx.net>
To: <kenpohniman@yahoo.com>


This 40Mbps number is a potentially dangerous bit of misinformation; most
nids vendors exceeded these drop thresholds a ways back.

The drop rate is dependent on a great many things, including the specific
ids software, the cpu speed, memory, nic type, bus type, os, capture
subsystem, rule loading and settings on the ids, etc...

I think you'll find IDSes easily today to go to 600Mbps+ speeds in some
typical scenarios.

Packet drop rate, at its simplest, is defined as the ratio of the number
of packets you should have seen/alerted/munged/whatever to the number
of packets you did get. Measuring this ratio under realistic conditions
is left as an exercise for the reader. (Hint: use a controllable,
accurate traffic source, and examine logs/statistics/whatever on the
receive side carefully. Don't forget the background load. :-)

cheers,
--dr

--
Requisite Commercial Content and Disclaimers:  http://cansecwest.com
CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3 2002
OpenSnort IDS Sensors: http://www.sourcefire.com

On Fri, 25 Jan 2002 07:53:20 +0800 "Ken Pohniman" <kenpohniman@yahoo.com> wrote:

> From what I understand, a NIDS can typically handle up to 40Mbps of traffic
> at any one time before starting to drop packets aggressively. An IDS
> Balancer, like that from TopLayer Networks, will be required, especially if
> you're talking about a GE network.
>
> Btw, regardless of what tool you use, does anyone know how to check what is
> the packet drop rate on the IDS?
>
> Thanks!
>
> -----Original Message-----
> From: Chad Gough [mailto:chad131@yahoo.com]
> Sent: Thursday, January 24, 2002 11:27 PM
> To: focus-ids@lists.securityfocus.com
> Subject: Generating Traffic to Stress Test IDS
>
>
> Does anyone know of any good tools that can generate a lot of network
> traffic to see at what point an IDS starts dropping packets?
>
> Thanks,
> Chad
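
Added example (not part of the original thread): one way to do the measurement hinted at above for a single test run, splitting the loss into what never reached the sensor host and what the capture path or IDS lost. It assumes a Linux sensor whose NIC counters are read from /proc/net/dev; the interface name eth1, the function names, and every counter value are constructed for illustration, and the IDS's own packet total is assumed to come from its statistics output.

```python
# Constructed /proc/net/dev snapshots from a Linux sensor (assumption), taken
# before and after one test run. eth1 is a hypothetical capture interface.
HDR = ("Inter-|   Receive                            |  Transmit\n"
       " face |bytes packets errs drop fifo frame compressed multicast|"
       "bytes packets errs drop fifo colls carrier compressed\n")
BEFORE = HDR + "  eth1: 3200000000 5000000 0 10 0 0 0 0 0 0 0 0 0 0 0 0\n"
AFTER = HDR + "  eth1: 3961600000 6190000 0 10 4000 0 0 0 0 0 0 0 0 0 0 0\n"

def rx_counters(text, iface):
    """Return (rx_packets, rx_drop, rx_fifo) for iface from /proc/net/dev text."""
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            f = rest.split()  # rx columns: bytes packets errs drop fifo frame ...
            return int(f[1]), int(f[3]), int(f[4])
    raise ValueError(f"interface {iface!r} not found")

def drop_report(sent_test, sent_background, before, after, ids_analysed, iface="eth1"):
    """Split the loss for one run into 'before the host' and 'capture/IDS'."""
    rx0, drop0, fifo0 = rx_counters(before, iface)
    rx1, drop1, fifo1 = rx_counters(after, iface)
    expected = sent_test + sent_background  # the background load counts too
    nic_rx = rx1 - rx0
    if expected <= 0 or not 0 <= ids_analysed <= expected:
        raise ValueError("counts inconsistent: check counters and timing")
    return {
        "expected": expected,
        "lost_before_host": expected - nic_rx,  # wire, tap, NIC, bus
        "lost_in_capture_or_ids": nic_rx - ids_analysed,
        # Kernel-side drop counters; their exact meaning varies by driver.
        "nic_counter_drops": (drop1 - drop0) + (fifo1 - fifo0),
        # Ratio as defined in the post: should-have-seen / did-get.
        "drop_ratio": expected / ids_analysed if ids_analysed else float("inf"),
        "loss_fraction": (expected - ids_analysed) / expected,
    }

if __name__ == "__main__":
    # Generator-side counts and the IDS's packet total are constructed values.
    report = drop_report(1_000_000, 200_000, BEFORE, AFTER, 1_071_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Repeating the run at increasing offered rates, with the same background load each time, shows the rate at which the loss fraction leaves zero for a given sensor build.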


