From c4d13b8478ea22cc055866c4ece5fed031116b4d Mon Sep 17 00:00:00 2001 From: Sebastien Blot Date: Thu, 2 Oct 2025 13:59:11 +0200 Subject: [PATCH] waf benchmark: add stress test results --- crowdsec-docs/docs/appsec/benchmark.md | 110 +++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/crowdsec-docs/docs/appsec/benchmark.md b/crowdsec-docs/docs/appsec/benchmark.md index c4e771f8c..fd01c944e 100644 --- a/crowdsec-docs/docs/appsec/benchmark.md +++ b/crowdsec-docs/docs/appsec/benchmark.md @@ -15,6 +15,8 @@ sidebar_position: 80 --> +# Basic Benchmark + The Application Security Component benchmarks have been run on a AWS EC2 Instance `t2.medium` (2vCPU/4GiB RAM). All the benchmarks have been run with only one `routine` configured for the Application Security Component. @@ -63,3 +65,111 @@ On the system, we deployed: ![15 concurrent connections / 1000 requests](/img/appsec/bench/big_post_appsec_one_routine_15_1000.png) --> + +# Stress Test + +This test was run on a `c5a.4xlarge` EC2 instance (16CPU/32GiB RAM). + +Tested versions are: + +- Openresty `v1.27.1.2` +- CrowdSec `v1.7.0` +- cs-openresty-bouncer `v1.1.2` + +Openresty was configured to not log anything and forward requests to a Go backend that always return 200, in order to improve raw throughput and not be limited by disk access. + +Crowdsec WAF was configured with 16 routines to make use of as much CPU as possible. + +All tests were simulating 400 concurrent users, making requests as quickly as possible during 1 minute. + +Except for the baseline, all values in the tables are shown as a delta from the baseline performance. + +## Baseline + +This test was run without loading the Openresty bouncer to get a baseline throughput of the system. + +### GET Requests + +| Metric | Value | +| --------------------- | -------- | +| Average Response Time | 23.55ms | +| Minimum Response Time | 21.24ms | +| Median Response Time | 23.18ms | +| Maximum Response Time | 255.16ms | +| P90 Response Time | 24.72ms | + +### 10% POST Requests + +| Metric | Value | +| --------------------- | -------- | +| Average Response Time | 25.08ms | +| Minimum Response Time | 21.29ms | +| Median Response Time | 23.95ms | +| Maximum Response Time | 331.08ms | +| P90 Response Time | 30.95ms | + +## Virtual Patching Rules + +### GET Requests - 10% malicious - InBand + +| Metric | Delta | +| --------------------- | -------- | +| Average Response Time | +4.94ms | +| Minimum Response Time | +0.93ms | +| Median Response Time | +3.48ms | +| Maximum Response Time | +6.83ms | +| P90 Response Time | +10.13ms | + +### Realistic Traffic - 70% GET - 25% POST - 5% malicious - Inband + +| Metric | Delta | +| --------------------- | ------- | +| Average Response Time | +4.03ms | +| Minimum Response Time | +0.71ms | +| Median Response Time | +2.36ms | +| Maximum Response Time | +6.79ms | +| P90 Response Time | +8.07ms | + +## CRS + +### GET Requests - 10% malicious - InBand + +| Metric | Delta | +| --------------------- | -------- | +| Average Response Time | +32.85ms | +| Minimum Response Time | +2.21ms | +| Median Response Time | +27.47ms | +| Maximum Response Time | -64.45ms | +| P90 Response Time | +58.19ms | + +### POST Requests - 10% malicious - InBand + +| Metric | Delta | +| --------------------- | --------- | +| Average Response Time | +58.49ms | +| Minimum Response Time | +3.18ms | +| Median Response Time | +54.1ms | +| Maximum Response Time | -106.76ms | +| P90 Response Time | +83.01ms | + +### Realistic Traffic - 70% GET - 25% POST - 5% malicious - Inband + +| Metric | Delta | +| --------------------- | -------- | +| Average Response Time | +32.54ms | +| Minimum Response Time | +1.87ms | +| Median Response Time | +28.36ms | +| Maximum Response Time | -68.34ms | +| P90 Response Time | +53.83ms | + +## Virtual Patching Inband + CRS Out-of-band + +### Realistic Traffic - 70% GET - 25% POST - 5% malicious + +| Metric | Delta | +| --------------------- | --------- | +| Average Response Time | +30.5ms | +| Minimum Response Time | +1.56ms | +| Median Response Time | +26.26ms | +| Maximum Response Time | -101.66ms | +| P90 Response Time | +51.18ms |