Title :
Experimental evaluation of Snort against DDoS attacks under different hardware configurations
Author :
Saboor, Amtul ; Akhlaq, Monis ; Aslam, Baber
Author_Institution :
Nat. Univ. of Sci. & Technol., Islamabad, Pakistan
Abstract :
Network intrusion detection systems are considered one of the basic entities widely utilized and studied in the field of network security, and they aim to detect any hostile intrusion within a given network. Among the many network intrusion detection systems (NIDS), open source systems have gained substantial preference due to their flexibility, support and cost effectiveness. Snort, an open source system, is considered the de facto standard for NIDS. In this paper, an effort has been made to gauge Snort in terms of performance (packet handling) and detection accuracy against a TCP flooding Distributed Denial of Service attack. The evaluation has been done using a sophisticated test bench under different hardware configurations. This paper has analyzed the major factors affecting the performance and detection capability of Snort and has recommended techniques to make Snort a better intrusion detection system (IDS). Experimental results have shown significant improvement in Snort's packet handling capability by using better hardware. However, Snort's detection capability is not improved by improving hardware and is dependent upon its internal architecture (signature database and rate filtration). Furthermore, the findings can be applied to other signature-based intrusion detection systems for refining their performance and detection capability.
Keywords :
computer network security; public domain software; transport protocols; DDoS attacks; NIDS; Snort detection capability; Snort packet handling capability; TCP flooding distributed denial of service attack; detection accuracy; hardware configurations; internal architecture; network intrusion detection systems; network security; open source systems; rate filtration; signature database; Availability; Computer crime; Floods; Hardware; Intrusion detection; Measurement; Servers; Distributed Denial of Service; Network Intrusion Detection System; Network Security; Penetration Testing; Snort; Vulnerability Assessment and Defense;
Conference_Title :
Information Assurance (NCIA), 2013 2nd National Conference on
Conference_Location :
Rawalpindi
Print_ISBN :
978-1-4799-1287-2
DOI :
10.1109/NCIA.2013.6725321