Odd behaviour of Argus server.
Russell Fulton
r.fulton at auckland.ac.nz
Mon May 15 21:11:49 EDT 2000
On Fri, 12 May 2000 07:58:57 -0700 Carter Bullard
<cbullard at nortelnetworks.com> wrote:
> Hey Russell,
> Hmmmm, so we have 2 argi that differ basically because
> one is using '-d'. One generates a huge amount of data
> that references a subset of network events, for an extended
> period of time, to the exclusion of reporting other network
> events, and then recovers. The other doesn't express any
> of this behavior?
That's a good summary.
>
> All of this seems very strange/interesting. Not an
> infinite loop, but rather some kind of event that
> messes with the internal hashing and flow tracking
> queues. That would be weird. What did Argi #2 think was
> going on during this period? Pretty standard stuff? Any
> of the same stuff?
Yep, the 'normal' argi saw the usual traffic; I did not examine it in
excruciating detail, but the few samples I looked at looked normal enough.
The argi with indigestion recorded no new traffic. All traffic
recorded during the four hours had timestamps reflecting the initial
scan/dos.
BTW, I have an opinion from Gary Flynn of JMU that what we saw was a DDOS
from trinoo or some such tool.
Damn and blast! I have just realised that the good files on my backup
argi have been purged by an automated job -- I did not think to save
them on Friday, duh! I did not realise they were getting deleted so
fast :-(
[Our traffic has increased a lot lately, and that combined with
setting argus into detail mode means that the files are only kept for
four days now. Duh! Sigh... ]
>
> You did mention that there was other traffic that was
> being reported by Argi #1, during the problem period.
> Did Argi #2 also report these same flows?
No I mis-reported that, see above. The argi with problems only
reported traffic with a timestamp of the initial scan, even if it was
several hours later.
>
> Did it appear that Argi#1 just lost one-half of all
> the flows?
No.
>
> This is a difficult problem, because we don't
> really know what was being presented to Argi #1 to know
> if argus() had a problem or if it was something else.
> Is it possible that the 'attack' could have caused a
> problem?
I'm guessing that is what happened. There was a flood of udp packets
targeting a single address and no response from the machine except for
URPs.
Has anyone else had argus log a DDOS udp based attack?
>
> One thing I would like to know is, "are the last times
> reported for the problem flows also the same?" Use
> 'ra -l' to get the last times, instead of the start times.
> This may reveal something interesting.
I have dumped the records from the sick argi for traffic to/from the
attacked address for the four hours in question and I am having trouble
matching flows to see if the last time stamps have changed. I am now
starting to think that each record was only reported once. I have
selected records in one file and tried to find them in the other
files and so far have always failed. We could have verified this if I
had saved the files from the good argi.
The times given with the -l option are identical to those given without
it. (Nearly all flows are single packet flows).
The records in the later files have timestamps that are in random order,
whereas in the initial file the timestamps are in strict chronological
order, as one would expect.
Cheers, Russell (who is feeling a mite foolish).
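A scripted version of the checks Russell describes above (are the start times in chronological order, are a file's records hours older than the file itself, do flows recur in later dumps, and do the `ra -l` last times differ from the start times). This is an added example, not code from the original message or from the argus project: the record layout it parses is an assumed, simplified one (start, last, proto, src, dst, packets, ISO timestamps) rather than ra's real output, and the sample records are constructed to mimic a healthy first dump and a later dump showing the "indigestion" symptom.

```python
"""Sanity checks on flow records dumped from argus.

Assumed record layout (NOT argus's real ra output), one record per line:
    <start ISO time> <last ISO time> <proto> <src[:port]> <dst[:port]> <packets>
"""
from datetime import datetime

# Constructed sample: the first dump, written right after the flood began.
FIRST_DUMP = """
# start               last                proto src            dst            pkts
2000-05-12T07:58:00 2000-05-12T07:58:00 udp  10.0.0.5:31337 192.0.2.10:1   1
2000-05-12T07:58:01 2000-05-12T07:58:01 udp  10.0.0.6:31337 192.0.2.10:2   1
2000-05-12T07:58:02 2000-05-12T07:58:02 icmp 192.0.2.10     10.0.0.5       1
2000-05-12T07:58:03 2000-05-12T07:58:05 tcp  10.0.0.7:2222  192.0.2.11:80  6
"""

# Constructed sample: a dump written hours later whose records still carry
# timestamps from the initial scan, in random order (the symptom described).
LATER_DUMP = """
2000-05-12T07:58:09 2000-05-12T07:58:09 udp  10.0.0.8:31337 192.0.2.10:7   1
2000-05-12T07:58:04 2000-05-12T07:58:04 udp  10.0.0.9:31337 192.0.2.10:3   1
2000-05-12T07:58:07 2000-05-12T07:58:07 udp  10.0.0.4:31337 192.0.2.10:5   1
"""


def parse_records(text):
    """Parse the assumed whitespace-separated layout into a list of dicts."""
    recs = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start, last, proto, src, dst, pkts = line.split()
        recs.append({
            "start": datetime.fromisoformat(start),
            "last": datetime.fromisoformat(last),
            "proto": proto, "src": src, "dst": dst, "pkts": int(pkts),
        })
    return recs


def out_of_order(recs):
    """Indices of records whose start time precedes the previous record's."""
    return [i for i in range(1, len(recs)) if recs[i]["start"] < recs[i - 1]["start"]]


def stale_records(recs, file_time, max_lag_seconds):
    """Records whose start time lags the file's write time by more than max_lag_seconds.

    A healthy dump should contain few or none of these; a dump that is entirely
    stale is the 'hours-old timestamps' symptom."""
    return [r for r in recs if (file_time - r["start"]).total_seconds() > max_lag_seconds]


def flow_key(r):
    """Identity used to match a flow across dumps (start time plus endpoints)."""
    return (r["start"], r["proto"], r["src"], r["dst"])


def shared_flows(a, b):
    """Flow keys present in both dumps; empty if each record was reported once."""
    return set(map(flow_key, a)) & set(map(flow_key, b))


def single_packet_fraction(recs):
    """Fraction of records whose last time equals their start time, which is
    what makes 'ra -l' output look identical to the start-time output."""
    if not recs:
        return 0.0
    return sum(1 for r in recs if r["last"] == r["start"]) / len(recs)


if __name__ == "__main__":
    first, later = parse_records(FIRST_DUMP), parse_records(LATER_DUMP)
    noon = datetime.fromisoformat("2000-05-12T12:00:00")
    print("out of order (first):", out_of_order(first))
    print("out of order (later):", out_of_order(later))
    print("stale at noon (later):", len(stale_records(later, noon, 3600)), "of", len(later))
    print("flows repeated across dumps:", shared_flows(first, later))
    print("single-packet fraction (first): %.2f" % single_packet_fraction(first))
```

Running it against the constructed dumps reports the later file as entirely stale and out of order, no flow repeated between the two dumps, and a high single-packet fraction, which is the pattern of the message above; with real `ra` output you would first replace `parse_records` with a parser for the column layout your ra version actually prints.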