Welcome Luthuli, O. Oki, Paul Tarwireyi, M. Adigun
Title: Evaluating the Effects of Hardware Configurations on Bro under DDoS Attacks
Authors: Welcome Luthuli, O. Oki, Paul Tarwireyi, M. Adigun
Venue: 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC)
Publication date: 2018-12-01
DOI: 10.1109/ICONIC.2018.8601247 (https://doi.org/10.1109/ICONIC.2018.8601247)
Citation count: 0
Abstract
The exponential growth of network traffic and the growing sophistication of network attacks call for faster, more efficient and more scalable intrusion detection systems (IDS) that can quickly inspect traffic and produce timely alerts when malicious traffic is detected. Snort has been the de facto standard IDS for many years, but it has proven ineffective under heavy loads. In both multi-core and single-core hardware configurations, Snort shows no improvement in its ability to detect Transmission Control Protocol (TCP) flooding Distributed Denial of Service (DDoS) attacks. This has led to the development of alternative IDS that try to address the limitations of Snort. Bro is a flexible, script-driven intrusion detection system that provides a ‘worker’-based architecture to make use of multiple processors. The aim of this paper is to evaluate Bro in terms of performance and packet handling against TCP flooding DDoS attacks under different hardware configurations. To achieve this aim, Bro was installed on different hardware configurations, and tests were conducted to assess its performance under each configuration. Packet loss, throughput and resource utilization were measured. The results show that using better hardware increases resource availability and hence improves the system's performance.