Argus 2.0.1-beta1, crash under DoS, observations.

Chris Newton newton at unb.ca
Mon Apr 9 20:56:46 EDT 2001 

Hard to say what it did...  my script that keeps it running (startargus), 
prints out a message if it needs to restart it... and, this is what I saw on 
the console where I ran it:

argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 15985
STARTARGUS:Restarting ARGUS because it was killed or DIED

  Note, no message from Argus about exiting.  There were tons of the Queue 
Exceeded Maximum Limit messages on the screen.  In /var/log/messages, was:




[root at epic log]# grep Argus messages
Apr  9 16:39:43 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 
10101 
Apr  9 16:39:49 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:41:13 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 16:41:13 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket Failed to Multiplexor. 
Shutting Down 
Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:47:44 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 
15980 
Apr  9 16:51:18 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
13228 
Apr  9 16:51:20 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:51:44 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 16:51:44 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:52:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 16:52:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 16:52:49 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
12319 
Apr  9 20:27:02 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
10697 
Apr  9 20:27:06 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:27:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 20:27:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:28:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 20:28:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:28:53 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:30:10 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:30:14 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
16384 
Apr  9 20:30:14 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:30:30 epic argus[16464]: ArgusWriteOutSocket Failed to Multiplexor. 
Shutting Down 
Apr  9 20:30:30 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:31:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue 
Exceeded Maximum Limit 
Apr  9 20:32:13 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 
15985



  Note, Argus's ppid is now 18170, after having died this last time.


  Wht I did find strange, was it didnt appear to be using much CPU when it was 
having problems.  Could this be right?

Chris


>===== Original Message From <carter at qosient.com> =====
>Hey Chris,
>Just a point.  Did argus crash, which generally implies
>fault, dump, or did it exit unexpectedly?  Big difference.
>
>Ok, so we've still some a problem with how we are printing
>to syslog(), which will cause us grief, so let me change that.
>(we shouldn't be getting lots of "queue exceeded message"s
>they should only come out every 30 seconds when the condition
>exists).
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York  10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax   +1 212 588-9134
>http://qosient.com
>
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu
>> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of
>> Chris Newton
>> Sent: Monday, April 09, 2001 4:09 PM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: Argus 2.0.1-beta1, crash under DoS, observations.
>>
>>
>> Hi folks.  Had one of my signature DoS attacks today, and,
>> running the 2.0.1
>> beta 1 code, I got an opps.  Argus spit out lots of:
>>
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded
>> Maximum Limit
>> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 12319
>>
>>   It died at one point, but I have a script to immediatly
>> restart it...
>>
>> Also got a (among other messages like above) in /var/log/messages:
>>
>> Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket Failed
>> to Multiplexor.
>> Shutting Down
>>
>>   The one thing I noticed was that, even on my PIII 667
>> single CPU box, during
>> this attack, argus only seemed to use about 12-15% of the
>> CPU.  Never did I
>> see it really do any heavy work (I don't believe, unless I
>> missed it).  It
>> did, however, use lots of memory (used 85% of the boxes's
>> physical memory).
>>
>> Chris
>>
>> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>>
>> Chris Newton, Systems Analyst
>> Computing Services, University of New Brunswick
>> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
>>
>>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)

More information about the argus mailing list