Argus 2.0.1-beta1, crash under DoS, observations.

Carter Bullard carter at qosient.com
Mon Apr 9 21:47:41 EDT 2001


Hey Chris,
   The "Failed to Multiplexor. Shutting Down" message
is the clue that argus is going to gracefully exit.
So, no crash.  Just unexpected exit ;)

The cause is, I'm sure, a bug, so applying
logic is not necessarily going to be a good
strategy for solving the problem.

   Let me make the changes to the syslog message
strategy, which will definitely help, and I'll try
to put in some more support so that we can figure
out what's going on.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Chris Newton [mailto:newton at unb.ca]
> Sent: Monday, April 09, 2001 8:57 PM
> To: argus-info at lists.andrew.cmu.edu; Carter Bullard
> Subject: RE: Argus 2.0.1-beta1, crash under DoS, observations.
> 
> 
> Hard to say what it did...  my script that keeps it running (startargus),
> prints out a message if it needs to restart it... and, this is what I saw on
> the console where I ran it:
> 
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 15985
> STARTARGUS:Restarting ARGUS because it was killed or DIED
> 
>   Note, no message from Argus about exiting.  There were tons of the Queue
> Exceeded Maximum Limit messages on the screen.  In /var/log/messages, was:
> 
> [root at epic log]# grep Argus messages
> Apr  9 16:39:43 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 10101
> Apr  9 16:39:49 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:41:13 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 16:41:13 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
> Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:47:44 epic argus[1809]: ArgusWriteOutSocket(0x8144e30) Queue Count 15980
> Apr  9 16:51:18 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 13228
> Apr  9 16:51:20 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:51:44 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 16:51:44 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:52:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 16:52:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 16:52:49 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 12319
> Apr  9 20:27:02 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 10697
> Apr  9 20:27:06 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:27:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 20:27:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:28:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 20:28:35 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:28:53 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:30:10 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:30:14 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 16384
> Apr  9 20:30:14 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:30:30 epic argus[16464]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
> Apr  9 20:30:30 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:31:29 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> Apr  9 20:32:13 epic argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 15985
> 
>   Note, Argus's ppid is now 18170, after having died this last time.
> 
> 
>   What I did find strange was that it didn't appear to be using much CPU
> when it was having problems.  Could this be right?
> 
> Chris
> 
> 
> >===== Original Message From <carter at qosient.com> =====
> >Hey Chris,
> >Just a point.  Did argus crash, which generally implies
> >fault, dump, or did it exit unexpectedly?  Big difference.
> >
> >Ok, so we still have a problem with how we are printing
> >to syslog(), which will cause us grief, so let me change that.
> >(We shouldn't be getting lots of "queue exceeded" messages;
> >they should only come out every 30 seconds when the condition
> >exists.)
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York  10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax   +1 212 588-9134
> >http://qosient.com
> >
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of
> >> Chris Newton
> >> Sent: Monday, April 09, 2001 4:09 PM
> >> To: argus-info at lists.andrew.cmu.edu
> >> Subject: Argus 2.0.1-beta1, crash under DoS, observations.
> >>
> >>
> >> Hi folks.  Had one of my signature DoS attacks today, and, running the
> >> 2.0.1 beta 1 code, I got an oops.  Argus spit out lots of:
> >>
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Exceeded Maximum Limit
> >> argus[16464]: ArgusWriteOutSocket(0x8144e30) Queue Count 12319
> >>
> >>   It died at one point, but I have a script to immediately restart it...
> >>
> >> Also got a (among other messages like above) in /var/log/messages:
> >>
> >> Apr  9 16:41:20 epic argus[1809]: ArgusWriteOutSocket Failed to Multiplexor. Shutting Down
> >>
> >>   The one thing I noticed was that, even on my PIII 667 single CPU box,
> >> during this attack, argus only seemed to use about 12-15% of the CPU.
> >> Never did I see it really do any heavy work (I don't believe, unless I
> >> missed it).  It did, however, use lots of memory (used 85% of the box's
> >> physical memory).
> >>
> >> Chris
> >>
> >> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> >>
> >> Chris Newton, Systems Analyst
> >> Computing Services, University of New Brunswick
> >> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
> >>
> >>
> 
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> Chris Newton, Systems Analyst
> Computing Services, University of New Brunswick
> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
> 
> 
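
Added example (not Argus source and not written by either poster): interval-based throttling of a repeated syslog message, the behaviour the thread describes as intended for the "queue exceeded" message ("only every 30 seconds when the condition exists"). The struct, the function names and the "(N suppressed)" suffix are assumptions made for illustration.

```c
#include <syslog.h>
#include <time.h>

#define REPORT_INTERVAL 30  /* seconds; the interval named in the thread */

/* Hypothetical throttle state for one log condition (not an Argus type). */
struct log_throttle {
    int primed;               /* 0 until the first message has been emitted */
    time_t last_report;       /* time of the last emitted message */
    unsigned long suppressed; /* occurrences swallowed since that message */
};

/* Record one occurrence at `now`. Returns 1 if a message should be emitted
 * (*dropped = occurrences suppressed since the previous message), or 0 if
 * this occurrence falls inside the quiet interval. */
int throttle_event(struct log_throttle *t, time_t now, unsigned long *dropped)
{
    /* A clock that stepped backwards counts as an expired interval. */
    if (t->primed && now >= t->last_report &&
        now - t->last_report < REPORT_INTERVAL) {
        t->suppressed++;
        return 0;
    }
    *dropped = t->suppressed;
    t->suppressed = 0;
    t->last_report = now;
    t->primed = 1;
    return 1;
}

/* Constructed load: `rate` occurrences/second for `secs` seconds.
 * Returns how many messages were handed to syslog(). */
int simulate_burst(int rate, int secs)
{
    struct log_throttle t = {0, 0, 0};
    unsigned long dropped = 0;
    int emitted = 0;
    for (int s = 0; s < secs; s++)
        for (int i = 0; i < rate; i++)
            if (throttle_event(&t, (time_t)1000 + s, &dropped)) {
                emitted++;
                syslog(LOG_WARNING, "Queue Exceeded Maximum Limit (%lu suppressed)", dropped);
            }
    return emitted;
}

int main(void)
{
    return simulate_burst(1000, 90) == 3 ? 0 : 1;
}
```

Carrying the suppressed count in the next emitted message keeps the volume of the event visible in the log even though the individual lines are dropped.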