Today is the 20th anniversary of the Slammer worm. I’m still angry over it, so I thought I’d write up my anger. This post will be of interest to nobody, it’s just me venting my bitterness and get off my lawn!!
Back in the day, I wrote “BlackICE”, an intrusion detection and prevention system that ran as both a desktop version and a network appliance. Most cybersec people from that time remember it as the desktop version, but the bulk of our sales came from the network appliance.
The network appliance competed against other IDSs at the time, such as Snort, an open-source product. For much the cybersec industry, IDS was Snort — they had no knowledge of how intrusion-detection would work other than this product, because it was open-source.
My intrusion-detection technology was radically different. The thing that makes me angry is that I couldn’t explain the differences to the community because they weren’t technical enough.
When Slammer hit, Snort and Snort-like products failed. Mine succeeded extremely well. Yet, I didn’t get the credit for this.
The first difference is that I used a custom poll-mode driver instead of interrupts. This the now the norm in the industry, such as with Linux NAPI drivers. The problem with interrupts is that a computer could handle less than 50,000 interrupts-per-second. If network traffic arrived faster than this, then the computer would hang, spending all it’s time in the interrupt handler doing no other useful work. By turning off interrupts and instead polling for packets, this problem is prevented. The cost is that if the computer isn’t heavily loaded by network traffic, then polling causes wasted CPU and electrical power. Linux NAPI drivers switch between them, interrupts when traffic is light and polling when traffic is heavy.
The consequence is that a typical machine of the time (dual Pentium IIIs) could handle 2-million packets-per-second running my software, far better than the 50,000 packets-per-second of the competitors.
When Slammer hit, it filled a 1-gbps Ethernet with 300,000 packets-per-second. As a consequence, pretty much all other IDS products fell over. Those that survived were attached to slower links — 100-mbps was still common at the time.
An industry luminary even gave a presentation at BlackHat saying that my claimed performance
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: