Odd behaviour of Argus server.
r.fulton at auckland.ac.nz
Mon May 15 21:11:49 EDT 2000
On Fri, 12 May 2000 07:58:57 -0700 Carter Bullard
<cbullard at nortelnetworks.com> wrote:
> Hey Russell,
> Hmmmm, so we have 2 argi that differ basically because
> one is using '-d'. One generates a huge amount of data
> that references a subset of network events, for an extended
> period of time, to the exclusion of reporting other network
> events, and then recovers. The other doesn't express any
> of this behavior?
That's a good summary.
> All of this seems very strange/interesting. Not an
> infinite loop, but rather some kind of event that
> messes with the internal hashing and flow tracking
> queues. That would be weird. What did Argi #2 think was
> going on during this period? Pretty standard stuff? Any
> of the same stuff?
Yep the 'normal' argi saw the usual traffic, I did not examine it in
excruiating detail but the few samples I looked at looked normal enough.
The argi with indigestion recorded no new traffic. All traffic
recorded during the four hours had timestamps reflecting the initial
BTW I have an opinion from Gary Flynn of JMU that what we saw as a DDOS
from trinoo or some such tool.
Dam and blast! I have just realised that the good files on my backup
argi have been purged by an automated job -- I did not think to save
them on Friday duh!. I did not realise they were getting deleted so
[Our traffic has increased a lot lately and that combined with the
setting argus into detail mode means that the files are only kept for
four days now. Duh! Sigh... ]
> You did mention that there was other traffic that was
> being reported by Argi #1, during the problem period.
> Did Argi #2 also report these same flows?
No I mis-reported that, see above. The argi with problems only
reported traffic with a timestamp of the initial scan, even if it was
several hours later.
> Did it appear that Argi#1 just lost one-half of all
> the flows?
> This is a difficult problem, because we don't
> really know what was being presented to Argi #1 to know
> if argus() had a problem or if it was something else.
> Is it possible that the 'attack' could have caused a
I'm guessing that is what happened. There was a flood of udp packets
targetting a single address and no response from the machine except for
Has anyone else had argus log a DDOS udp based attack?
> One thing I would like to know is, "are the last times
> reported for the problem flows also the same?" Use
> 'ra -l' to get the last times, instead of the start times.
> This may reveal something interesting.
I have dumped the records from the sick argi for traffic to/from the
attacked address for the four hours in question and I am having trouble
matching flows to see if the last time stamps have changed. I am now
starting to think that each record was only reported once. I have
selected records in one file and tried to find them in the other
files and so far have always failed. We could have verified this if I
had saved the files from the good argi.
The times given with the -l option are identical to those given without
it. (Nearly all flows are single packet flows).
The records in the later files have timestamps that are in random order
whereas the initial file the timestamps are in strict chronological
order as one would expect.
Cheers, Russell (who is feeling a mite foolish).
More information about the argus