Argus 2.0.1-beta1, crash under DoS, observations.

Carter Bullard carter at qosient.com
Mon Apr 9 16:43:59 EDT 2001


Hey Chris,
Just a point.  Did argus crash, which generally implies
fault, dump, or did it exit unexpectedly?  Big difference.

Ok, so we've still got a problem with how we are printing
to syslog(), which will cause us grief, so let me change that.
(We shouldn't be getting lots of "queue exceeded" messages;
they should only come out every 30 seconds when the condition
exists.)

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of 
> Chris Newton
> Sent: Monday, April 09, 2001 4:09 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Argus 2.0.1-beta1, crash under DoS, observations.
> 
> 
> Hi folks.  Had one of my signature DoS attacks today, and,
> running the 2.0.1 beta 1 code, I got an oops.  Argus spit out lots of:
> 
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 12319
> 
>   It died at one point, but I have a script to immediately restart it...
> 
> Also got (among other messages like above) in /var/log/messages:
> 
> Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
> 
>   The one thing I noticed was that, even on my PIII 667 single CPU box,
> during this attack, argus only seemed to use about 12-15% of the CPU.
> Never did I see it really do any heavy work (I don't believe, unless I
> missed it).  It did, however, use lots of memory (used 85% of the box's
> physical memory).
> 
> Chris
> 
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> Chris Newton, Systems Analyst
> Computing Services, University of New Brunswick
> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
> 
> 
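The throttling described in the reply above (report a persistent condition once every 30 seconds instead of once per event), as an added example. This is not Argus code and not from either poster; `log_throttle`, `throttle_event` and `simulate_burst` are hypothetical names, and the burst is constructed load.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define REPORT_INTERVAL 30 /* seconds between reports, per the reply above */

/* Hypothetical throttle state for one log condition (not an Argus struct). */
struct log_throttle {
    int reported;             /* 0 until the first line has been emitted */
    time_t last_report;       /* time of the last emitted line */
    unsigned long suppressed; /* occurrences swallowed since that line */
};

/* Record one occurrence at `now`. Returns 1 and fills `out` when a line should
 * be logged, 0 when suppressed. A backwards clock step counts as expiry. */
int throttle_event(struct log_throttle *t, time_t now, const char *msg,
                   char *out, size_t outlen)
{
    if (t->reported && now >= t->last_report &&
        now - t->last_report < REPORT_INTERVAL) {
        t->suppressed++;
        return 0;
    }
    if (t->suppressed > 0)
        snprintf(out, outlen, "%s (%lu more suppressed)", msg, t->suppressed);
    else
        snprintf(out, outlen, "%s", msg);
    t->reported = 1;
    t->last_report = now;
    t->suppressed = 0;
    return 1;
}

/* Constructed load: `rate` events per second for `seconds` seconds.
 * Returns how many lines would actually reach the log. */
int simulate_burst(time_t start, int seconds, int rate)
{
    struct log_throttle t = {0};
    char line[128];
    int emitted = 0;
    for (long i = 0; i < (long)seconds * rate; i++)
        emitted += throttle_event(&t, start + i / rate,
                                  "Queue Exceeded Maximum Limit", line, sizeof line);
    return emitted;
}

int main(void)
{
    printf("lines logged: %d\n", simulate_burst(1000, 90, 1000));
    return 0;
}
```

In a daemon the filled buffer would be passed on as `syslog(LOG_WARNING, "%s", line)`, keeping the message out of the format-string position.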