Para-Snort : A Multi-thread Snort on Multi-Core IA Platform
Tsinghua University
PDCS 2009
November 3, 2009
Xinming Chen, Yiyao Wu, Lianghong Xu, Yibo Xue and Jun Li
Outline
- Introduction of NIDS* on IA*
- Architecture of Para-Snort
- Performance Evaluation
- Optimize Load Balancing
- Conclusions
*NIDS: Network Intrusion Detection System *IA: Intel Architecture (also known as x86, or x64 for IA-64)
NIDS on IA platform
An NIDS looks into both the header and the payload of packets to identify intrusions.
IA is not as fast as ASICs or FPGAs, but it is cheap, easy to develop for, and flexible in both structure and ruleset.
Many NIDS on IA are not designed for multi-core processors.
Our purpose
To design an NIDS that can utilize multi-core IA platforms, with a modular design, and without introducing new bottlenecks.
Our work is based on Snort, by Sourcefire Inc., the most popular open source NIDS on the IA platform. It identifies intrusions by matching incoming packets against the signatures (ruleset). It is single-threaded.
The architecture of Snort
[Figure: Snort pipeline: Data acquisition -> Decoder -> Preprocess -> Detect -> Output]
The architecture of Para-Snort
[Figure: Data Source Module -> Load Balance Module -> Packet Queues -> Processing Modules (one per core, Core 1 ... Core 8, sharing Shared Data) -> Output Module]
The architecture of Para-Snort
Based on SnortSP 3.0, a new and different branch.
Features:
- Modular design
- Multifunction processing modules
- Memory sharing
- Optimization of core algorithms
Detailed module design
Processing Module: each is a single thread running the preprocessors and the detection engine. It is easy to develop functions other than intrusion detection, such as antivirus or URL filtering; we designed a ClamAV processing module to do antivirus.
Data Source Module: data acquisition and decoder.
Load Balance Module: dispatches traffic and makes multi-staged processing.
Output Module: generates alerts.
Performance Evaluation
[Figure: two test setups. For tcpdump traces, a testing machine runs TCPreplay into eth0 of the NIDS platform running Para-Snort. For real traffic, testing clients and testing servers exchange traffic through the NIDS platform, which forwards between eth0 and eth1 while Para-Snort inspects it.]
NIDS platform: two quad-core Xeon E5335 at 2.00GHz, 4 GB DRAM, Ubuntu 8.04, Linux kernel version 2.6.27
Performance Scaling with increase in Threads
[Figure: processing speed (Mbps, 0 to 900) vs. processing engine threads (1 to 7) for the LL1, LL2, CERNET and http traces]
Speedup of 2~7 threads
[Figure: speedup (1 to 7) vs. processing engine threads (1 to 7) for the LL1, LL2, CERNET and http traces]
Optimize Load Balancing
SnortSP 3.0 provides an IP hash algorithm, which is not balanced when there are few flows. Three improved methods:
- 5-tuple hash
- Join the Shortest Queue (JSQ)
- Modified-JSQ: reassign a flow when it has been silent for a long time
[Figure: the load balancer hashes the 5-tuple of each packet (Src IP, Dst IP, Src port, Dst port, protocol) to a Processing Module ID, selecting one of the packet queues 1 to 4]
Modified-JSQ
Reassign a flow when it has been silent for a long time.
We use the number of packets instead of time to decide whether a flow has been silent for a long time.
[Figure: packets of Flow A, then packets of other flows, then Flow A again; Threshold = n packets]
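The following Python simulation of the three dispatch policies above (5-tuple hash, JSQ and Modified-JSQ) is an added example, not Para-Snort's code. It assumes that JSQ assigns only the first packet of a new flow to the shortest queue and keeps later packets of that flow on the same thread, that a flow counts as silent once more than `threshold` packets in total have been dispatched since its last packet, and the `Dispatcher` class, `consume()` method and sample 5-tuples are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Flow:
    thread: int      # processing module currently owning this flow
    last_seen: int   # global packet counter when the flow last sent a packet


class Dispatcher:
    """Load-balance module: maps packets to processing-module queues using
    one of three policies from the slides: 'hash', 'jsq' or 'mjsq'."""

    def __init__(self, n_threads, policy="hash", threshold=100):
        self.n = n_threads
        self.policy = policy
        self.threshold = threshold        # silence threshold in packets (assumed semantics)
        self.queue_len = [0] * n_threads  # packets waiting in each queue
        self.flows = {}                   # 5-tuple -> Flow
        self.counter = 0                  # global packet counter

    def _hash_thread(self, key):
        # Deterministic 5-tuple hash (hashlib, not the salted built-in hash())
        digest = hashlib.md5(repr(key).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.n

    def _shortest(self):
        # Lowest queue length wins; ties go to the lowest thread id
        return min(range(self.n), key=lambda i: (self.queue_len[i], i))

    def dispatch(self, key):
        """key = (src_ip, dst_ip, src_port, dst_port, proto); returns the chosen thread."""
        self.counter += 1
        flow = self.flows.get(key)
        if self.policy == "hash":
            thread = self._hash_thread(key)
        elif flow is None:
            thread = self._shortest()      # new flow: join the shortest queue
        elif self.policy == "mjsq" and self.counter - flow.last_seen > self.threshold:
            thread = self._shortest()      # flow was silent for > threshold packets: reassign
        else:
            thread = flow.thread           # keep flow affinity for stateful detection
        self.flows[key] = Flow(thread, self.counter)
        self.queue_len[thread] += 1
        return thread

    def consume(self, thread, n=1):
        """Simulate a processing module draining n packets from its queue."""
        self.queue_len[thread] = max(0, self.queue_len[thread] - n)
```

Running the same packet sequence through a `jsq` and an `mjsq` dispatcher shows the difference: after a flow falls silent and its original queue fills up, only Modified-JSQ moves it to the now-shorter queue.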
Performance of different load balancers
Conclusions
- The multi-thread design fully utilizes multi-core CPUs.
- Modular design with multifunction processing modules makes it easy to add modules.
- Solves the issues in load balancing and other algorithms.
- Good speedup, up to 7; performance up to 800 Mbps.
Questions
Thank You