Content deleted Content added
Denial of Service - CPU Exhaustion |
Denial of Service - Memory Exhaustion |
||
Line 46:
An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data.<ref name=":02" />
=== Memory Exhaustion ===
In order to match certain signatures, an IDS is required to keep [[State (computer science)|state]] related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS.<ref name=":03">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref> Once all of the IDS's [[random-access memory]] (RAM) is consumed, it is forced to utilized [[virtual memory]] on the [[Hard disk drive|hard disk]] which is much slower than RAM, leading to performance problems and dropped packets similar to the effects of CPU exhaustion.<ref name=":03" />
If the IDS doesn't [[Garbage collection (computer science)|garbage collect]] TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly.<ref name=":03" /> Similar attacks can be made by fragmenting a large number of packets into a larger number of smaller packets, or send a large number of out-of-order TCP segments.<ref name=":03" />
== References ==
| |||