This morning I’ve discovered yet another journalistic gem. It started innocently enough: someone has announced prototype security software that blocks DDoS attacks. The fundamental idea (as explained in the article) sounds mushy: they’ve started with a one-time user ID and introduced extra fields in the data packets. How can that ever scale in a public deployment (which is where you’d be most concerned about a DDoS attack)?
But the true “revelation” came at the beginning of page 2: this software can filter bogus packets in 6 nanoseconds on a Pentium-class processor. Now let’s try to put this in perspective. A Pentium CPU operating @ 5 GHz can execute 30 instructions in 6 ns … or maybe not, since it’s a CISC, not a RISC, design … or it might, thanks to parallel instruction execution. Never mind: in most cases you need more than that just to process the interrupt.
If you want to get more meaningless numbers, use this MIPS table. The highest-rated Pentium delivers just over 9 MIPS or less than 60 “average-sized” instructions in 6 ns.
But there’s more: if you want to process an incoming packet, you have to fetch it from the DRAM first. The best DDR2 DRAM on the market has more than 10 ns CAS latency (the time between the CPU indicating which data it needs and the DRAM delivering it). The article thus claims that this wonder software can reject packets faster than it can fetch them from the I/O buffer.