>At the start of the pipeline we can afford to run lots of memory-cheap filters in parallel. Only a subset of incoming packets make it past these filters, so we need less of the more memory intensive filters running in parallel behind them to achieve the desired line rate.
What would happen if you manufactured lots of packets to trigger the expensive filters?
I was wondering this too. I guess the trick would be how you (the attacker) would know which filters are being used / which are expensive.
If they're only using the Snort standard filters, that would be one thing, but Cloudflare or similar services which might actually use this hardware would probably also have a completely custom rule set. So could you somehow detect experimentally what packets trigger the expensive rules? Perhaps some kind of fuzzing attack could do that.
>What would happen if you manufactured lots of packets to trigger the expensive filters?
Then you would effectively DoS/DDoS the IPS. Now, depending on how the system as a whole works, it could be an efficient way to get through with a different attack that would normally be detected/blocked by the IPS.
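To make the capacity argument in the thread concrete, here is an added toy model (not code from the thread or from any IPS product) of a two-stage pipeline: many cheap filters in front, fewer expensive ones behind. Worker counts, per-worker rates and the pass fraction are constructed assumptions; the model shows how the sustainable line rate collapses when every packet reaches the expensive stage, and what a saturated stage costs under fail-open versus fail-closed handling.

```python
"""Capacity model of a staged IPS filter pipeline (constructed example)."""
from dataclasses import dataclass


@dataclass
class Stage:
    name: str
    workers: int              # parallel filter instances
    pkts_per_worker: int      # packets/sec one instance can inspect
    pass_fraction: float      # share of its input forwarded to the next stage

    @property
    def capacity(self) -> int:
        return self.workers * self.pkts_per_worker


def pipeline(cheap_pass: float) -> list[Stage]:
    """Hypothetical sizing: cheap stage is balanced against the expensive one
    on the assumption that only 1/8 of traffic passes the cheap filters."""
    return [
        Stage("cheap", workers=16, pkts_per_worker=4000, pass_fraction=cheap_pass),
        Stage("expensive", workers=4, pkts_per_worker=2000, pass_fraction=0.5),
    ]


def sustainable_rate(stages: list[Stage]) -> float:
    """Max ingress rate (pkts/s) at which no stage is overloaded:
    min over stages of capacity / fraction-of-ingress-reaching-it."""
    reach, bound = 1.0, float("inf")
    for s in stages:
        bound = min(bound, s.capacity / reach)
        reach *= s.pass_fraction
    return bound


def under_load(stages: list[Stage], ingress_rate: float, fail_open: bool) -> dict:
    """Per-second outcome once a stage saturates.
    fail_open=True : excess is forwarded uninspected (security loss).
    fail_open=False: excess is dropped (availability loss, legit traffic included)."""
    offered, dropped, bypassed = float(ingress_rate), 0.0, 0.0
    for s in stages:
        excess = max(0.0, offered - s.capacity)
        if fail_open:
            bypassed += excess
        else:
            dropped += excess
        offered = (offered - excess) * s.pass_fraction
    return {"dropped": dropped, "bypassed": bypassed}


if __name__ == "__main__":
    print("normal traffic line rate:", sustainable_rate(pipeline(0.125)))
    print("all packets reach expensive stage:", sustainable_rate(pipeline(1.0)))
    print("fail-open at 40k pps:", under_load(pipeline(1.0), 40000, fail_open=True))
```

The number to alarm on in practice is the queue depth or drop/bypass counter of the expensive stage, not the ingress rate, since the ingress rate here never exceeds the cheap stage's capacity.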