Fantastic DDoS protection: it’s getting worse

Last week I described the “beauty” I’d discovered through the NetworkWorld site: a solution that supposedly rejects DoS frames in 6 nanoseconds. Without having more details, I’ve tried hard to be objective and justify that you cannot get that performance in a best-case scenario (at least without having really expensive hardware and optimized architecture). In the meantime, one of the readers provided the name of the author of this discovery and I was able to find the original publication that was published in the Proceedings of the 2007 spring simulation multiconference by Society for Computer Simulation International.

The paper includes enough details about the hardware and software they’ve used to allow the reader to dismiss the 6ns figure without further thought: they were testing the whole setup on an IBM T42 notebook with Fast Ethernet uplink. That notebook is not fast enough to do anything sensible in the claimed timeframe, so all the discussions we’ve had whether the claimed performance is achievable or not were bogus.

The incredible figure that I’ve seen in the Network World article did not come from an university press release or a sloppy writer (as I’ve suspected) but from the original article, which claims (end of section 5.2.1): “… the averaged rejection time as a function of the number of attacking PCs is defined as the time between an attacker sends out Frame 1 and receives the rejection from the server. Both IPACF and IDF have an averaged reject time 5.90 ns (nanoseconds) by the responder.” Let me just say that you can transmit less than one bit on a Fast Ethernet connection in the “averaged reject time” (emphasis mine).

I’m very far from claiming that the authors (or anyone else) tried to misrepresent their achievement; I’m positive that it was an error in measurement, calculations or interpretation of the results. But it’s incredibly sad that the whole chain – from the authors, through the conference attendees, the publishers, the unknown intermediaries that alerted Network World and finally the Network World staff – was not able to apply a common-sense reality check to the fascinating number and ask themselves a simple question: “is this reasonable?”

Yet again, I’m bound to repeat my mantra: if you don’t understand the principles and rely on recipes, one day you’ll experience a very hard clash with the real world.

1 comment:

  1. Stop wasting time. Ask the author. Until then, don't speculate.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.