DoS woes....

Russell Fulton R.FULTON at auckland.ac.nz
Tue Jan 29 23:26:39 EST 2002 

Hi All,
	We are currently suffering a wave of Syn flood attacks, they last about
15-20 minutes and argus dies a few minutes after the attack starts:
This one started at 16:19:30

Jan 30 16:20:23 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Count 50001 
Jan 30 16:20:53 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Count 96277 
Jan 30 16:21:06 hihi argus_linux[8525]: client(/home/argus/data/current)
done. 
Jan 30 16:21:23 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Count 141188 
Jan 30 16:21:53 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Count 211530 
Jan 30 16:22:23 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Count 255422 
Jan 30 16:22:26 hihi argus_linux[22625]: ArgusWriteOutSocket(0x81ec988)
Queue Exceeded Maximum Limit 
Jan 30 16:22:26 hihi argus_linux[22625]: ArgusHandleClientData:
ArgusWriteOutSocket failed Resource temporarily unavailable 
Jan 30 16:23:09 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 50001 
Jan 30 16:23:39 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 90661 
Jan 30 16:24:10 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 153387 
Jan 30 16:24:40 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 152026 
Jan 30 16:25:10 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 150928 
Jan 30 16:25:40 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 150064 
Jan 30 16:26:10 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 148050 
Jan 30 16:26:40 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 145983 
Jan 30 16:27:10 hihi argus_linux[24730]: ArgusWriteOutSocket(0x83d50f0)
Queue Count 145536 
Jan 30 16:27:30 hihi argus_linux[8523]: ArgusProcessPacket ()
ArgusWriteOutSocket Failed to Multiplexor. Shuting Down 

I am guessing that the problem is that process that is feeding my
watcher script which connects to the server by a socket.  Unfortunately
the whole argus server dies.  

Is there any way to make argus more robust in this situation?  If it is
the network socket that is the problem then killing this off while
keeping the disk logging  would be great.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the argus mailing list