Nicholas Weaver and Robin Sommer
In previous work we have built a NIDS cluster as a scalable solution for realizing high-performance, stateful network intrusion detection on commodity hardware. Prototypes of our cluster, consisting of up to 10 PCs, are already operating at two major network sites.
In this work we are now gauging the scalability of our approach on the DETER testbed to identify potential performance bottlenecks when using a larger number of nodes. Due to privacy concerns, we can only use synthetic traffic for our evaluation and therefore start by building a new load-balancer element which can replicate small packet traces by several orders of magnitude. We then use this element to generate a network load suitable for stress-testing the NIDS cluster from traffic captured on a single workstation.
While this approach cannot take into account many characteristics of site-specific live traffic, it still allows us to perform a first assessment of the cluster's underlying scalability hypothesis.