AgTalk Home

Why?
WYDave
Posted 4/7/2014 01:09 (#3801793 - in reply to #3800577)
Subject: RE: Why?


Wyoming

Having worked on the routers that form the core of the Internet, I can give you something better than an excuse, namely a reason.

Inspecting all the traffic that goes through a router before the content is forwarded would slow the ability to route/switch traffic down to a crawl. 

As routers and switches are currently designed/implemented, we examine only the first, oh, 14 to 50+ bytes of a packet before deciding how to route/switch the packet out another interface.

If you wanted an ISP to inspect all your traffic for attacks and malware, here's what would have to happen:

- you'd have to develop a "signature library" of the minimal number of bytes and positions inside a packet for these bytes
- then you'd have to develop special, custom hardware to enable you to inspect the deep guts of a chunk of memory at gigabytes/second speeds
- and then you'd need to develop a memory bus and interface into the special inspection hardware that has a bandwidth in the gigabytes/second.

Then the router/switch would need gigabytes of fast memory, because one of the ways to attack someone's computer is with a "teardrop attack," where the attack/malware is sent to your computer a byte at a time in a TCP session. We'd have to re-assemble a large amount of packets that are one+ bytes each into a complete buffer, then run the signature library across the re-assembled traffic in order to detect the actual malware. You'll have to do this to detect attacks that are larger than one typical TCP packet anyway, so it's not like this is a special requirement just for teardrop attacks.

OK, so how much would you pay for this, in terms of your traffic speed degradation? Would you go back to maximum interface speeds of, oh, 56Kbits/sec? 128 Kbits? And since the hardware to do this stateful inspection at bus speeds inside the router will cost anywhere from $25K to $250K per router, how much more per month would you like to pay for your 'net service?

I've worked on this exact problem, but in a product that is called an "intrusion detection service" - i.e., it detects the malware/attacks as they're going through the router, but doesn't stop them. It alerts the network admins that there's malware/attacks on the line, but it wasn't put into the actual switching path of the traffic. Putting this type of logic into the switching path will utterly cripple switching performance, and the real reason is the lack of memory bandwidth between the main memory controller, the main CPU, the switching logic and the detection logic. If we had memory bandwidth 10X what is available today, OK then, we might be able to take on the problem because it is well suited to parallel processing, so the speed of any individual CPU or custom chip isn't the issue here. It all comes down to how fast we can access memory by multiple devices on the bus.



Edited by WYDave 4/7/2014 01:11
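The contrast the post draws between a router's header-only forwarding decision and stateful signature inspection, as an added Python example that is not part of the original post or any product it mentions. It constructs its own Ethernet/IPv4/TCP packets (no IP options, made-up addresses and a made-up test signature) and shows that a pattern delivered one byte per segment is invisible to per-packet matching but found once the stream is reassembled by sequence number and buffered in full.

```python
import struct

# Constructed sample traffic: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header (54 bytes,
# the region the post says a router decodes) followed by a payload. All values are made up.
def build_packet(dst_ip, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                   # dst/src MAC, EtherType = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def forward_decision(packet, routing_table):
    """Router fast path: read only the IPv4 destination (bytes 30..33) to pick an egress port."""
    dst = ".".join(str(b) for b in packet[30:34])
    return routing_table.get(dst, "default")

def per_packet_match(packets, signature):
    """Stateless inspection: scan each packet's payload on its own, no memory between packets."""
    return any(signature in p[54:] for p in packets)

def stream_match(packets, signature):
    """Stateful inspection: buffer every segment, order by TCP sequence number, scan the stream."""
    segments = {}
    for p in packets:
        seq = struct.unpack("!I", p[38:42])[0]        # TCP sequence number at offset 14+20+4
        segments[seq] = p[54:]
    stream = b"".join(segments[s] for s in sorted(segments))
    return signature in stream, len(stream)          # match result and bytes that had to be buffered

def demo():
    sig = b"SAMPLE-SIGNATURE"                        # constructed test pattern, not a real IDS rule
    payload = b"GET / HTTP/1.1\r\nX-Test: " + sig + b"\r\n\r\n"
    whole = [build_packet("192.0.2.10", 1000, payload)]
    # The same bytes delivered one per segment and arriving out of order
    trickle = [build_packet("192.0.2.10", 1000 + i, bytes([b])) for i, b in enumerate(payload)]
    trickle.reverse()
    matched, buffered = stream_match(trickle, sig)
    return {
        "egress": forward_decision(whole[0], {"192.0.2.10": "eth1"}),
        "per_packet_whole": per_packet_match(whole, sig),
        "per_packet_trickle": per_packet_match(trickle, sig),
        "stream_trickle": matched,
        "bytes_buffered": buffered,
    }

if __name__ == "__main__":
    print(demo())
```

The `bytes_buffered` figure is the per-connection state the post is describing; a real device must hold that for every concurrent stream while the signature library runs over it.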

  • Why? - Alexander I Waverly : 4/6/2014 14:50
