Red Piranha Achieves 60Gbps Suricata IDS Throughput

22 August 2019

Overview

Red Piranha's Crystal Eye UTM appliances are multi-core systems that let multi-threaded applications leverage the underlying hardware for high performance. Multi-threading scales the system by adding threads to run the different applications that inspect incoming traffic before it is transmitted to the protected network.

Suricata is a high-performance, multi-threaded IDS, IPS, and network monitoring engine that can handle gigabits of traffic without losses. In laboratory testing, Red Piranha successfully achieved 60Gbps of Suricata throughput on a single commodity-hardware 2U unit.

Test Configuration

The tests ran on a Series 80 dual-socket system with dual Intel Xeon E5-2697v4 CPUs (Hyper-Threading enabled, 72 cores total), 128GB of RAM, and Ubuntu 18.04.2 LTS. Two dual-port Intel XL-710 40GbE cards received the traffic. A TRex traffic generator on similar hardware replayed traffic, generating 6.2 Mpps to achieve 60Gbps, which was handled without loss by a single Suricata instance in IDS mode using a 14,312-signature Emerging Threats ruleset.

Traffic Details

TRex generated stateful traffic that simulated enterprise networks: HTTPS/HTTP browsing (76%), real-time applications such as VoIP and video captures (12%), and other enterprise traffic replays (12%). The traffic consisted of mostly small, realistic flows rather than large "elephant" flows.

Key Configurations

  • Maintain NUMA locality to CPU cores
  • Maximize L3 cache hits for handling high traffic rates
  • Enable receive-side hashing to distribute traffic evenly across Suricata worker threads
  • Pin CPU cores to Suricata worker threads and isolate them from other processes
  • Run housekeeping tasks on the remaining cores
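
The NUMA-locality, pinning and housekeeping points above can be turned into a concrete core plan. The sketch below is an added example, not Red Piranha's configuration or code: the function names, the sample topology, the NIC names and the policy of reserving one physical core per NUMA node are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed topology (not from the article): 2 NUMA nodes x 4 physical cores,
# Hyper-Threading on, so CPUs 8-15 are the sibling threads of CPUs 0-7.
# Same shape as the output of `lscpu -p=CPU,CORE,NODE`.
SAMPLE_LSCPU = "# CPU,Core,Node\n" + "\n".join(
    f"{cpu},{cpu % 8},{(cpu % 8) // 4}" for cpu in range(16))

# Constructed NIC placement. On Linux the real value is read from
# /sys/class/net/<iface>/device/numa_node (-1 means "not reported").
SAMPLE_NICS = {"nic0": 0, "nic1": 1}


def parse_lscpu(text):
    """Return {numa_node: {core_id: [logical_cpu, ...]}}."""
    nodes = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            cpu, core, node = (int(field) for field in line.split(","))
            nodes[node][core].append(cpu)
    return nodes


def plan_pinning(lscpu_text, nic_nodes, reserved_cores_per_node=1):
    """Assign each NIC worker CPUs on its own NUMA node; reserve the rest."""
    housekeeping, free, workers = [], {}, {}
    for node, cores in parse_lscpu(lscpu_text).items():
        ordered = sorted(cores)
        # Reserving a physical core reserves all its sibling threads, so
        # housekeeping never shares a core (and its L1/L2) with a worker.
        for core in ordered[:reserved_cores_per_node]:
            housekeeping += cores[core]
        free[node] = [cores[core] for core in ordered[reserved_cores_per_node:]]
    for nic, node in nic_nodes.items():
        if node not in free:
            raise ValueError(f"{nic}: NUMA node {node} unknown, locality not guaranteed")
        # NICs attached to the same node split its physical cores between them.
        sharers = sorted(n for n, nd in nic_nodes.items() if nd == node)
        mine = free[node][sharers.index(nic)::len(sharers)]
        workers[nic] = sorted(cpu for core in mine for cpu in core)
    return {"housekeeping": sorted(housekeeping), "workers": workers}


if __name__ == "__main__":
    plan = plan_pinning(SAMPLE_LSCPU, SAMPLE_NICS)
    print("housekeeping CPUs:", plan["housekeeping"])
    for nic, cpus in plan["workers"].items():
        print(f"{nic}: pin {len(cpus)} worker threads to CPUs {cpus}")
```

The planner refuses a NIC whose NUMA node is unreported rather than guessing, since a worker pinned to the remote socket would defeat the locality goal.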

Performance Improvements

The tuned system achieved 60Gbps throughput. The untuned system, which lacked NIC tuning and used default Suricata configs with only memcap modifications, dropped packets at wire speed. The difference underscores how much careful NUMA, cache, and thread-pinning work contributes to line-rate inspection.

Future Work

Similar tuning will be performed with Crystal Eye firmware across different appliances to optimize performance for varying traffic rates.
