Argus Freezes

Carter Bullard carter at qosient.com
Mon Nov 15 12:32:37 EST 2010


Hey Sunjeet,
I believe you're running out of memory.  With DDoS attacks, you tend to see
a lot of flows, and with your "-S 86400" option (ARGUS_FLOW_STATUS_INTERVAL)
I suspect that you are holding a massive number of flows in memory too long.

The "-S secs" option is designed to give you control over the timeliness of
status reporting and to control how long argus will hold the cache for a specific
flow, which eventually helps to control the amount of memory argus uses when
processing packets.  After the ARGUS_FLOW_STATUS_INTERVAL has expired,
argus puts a flow cache on a time out queue, and if there is not additional flow
activity, it will deallocate the memory.  

In DDoS attacks, you tend to see a lot of low packet flows of very short duration.
There is no reason to keep these flows in memory for very long.  Getting a status
report out of argus quickly, and deallocating their memory is important.

With your "-S 1d" option, you will retain every flow cache (which is around 400-800
bytes), and there are, no doubt, a very large number of them.

Try running with a "-S 60" or "-S 5", and then take the output and process it using
racluster(), rabins() or rasqlinsert() to get your 1 status report per day.  racluster()
and rabins() do their aggregation in RAM.  rasqlinsert() provides a mechanism for
using the disk to aggregate very large numbers of flows.

Carter

On Nov 15, 2010, at 12:12 PM, Sunjeet Singh wrote:

> Hi,
> 
> I'm using Argus 3.0.3.18 on 64-bit Mac OS X Snow Leopard.
> 
> I am trying to use the command-
> argus -S 86400 -r nettrace.pcap -w nettrace.argus
> 
> on a file nettrace.pcap of size 1.6 GB and with only tcp packets. This command keeps running indefinitely. Upon monitoring the size of the nettrace.argus file when this command is executing, I found that its size is stagnant at 8 KB and as soon as I abort that command the size becomes 1.8 MB. 
> 
> Argus is working great for other (smaller) traces that I am analyzing. The only thing that makes this trace different from the others is that this is a trace collected at a host witnessing a DDoS attack.
> 
> Can you please help me figure this out?
> 
> Thank you,
> Sunjeet Singh
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
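To make the memory argument in this thread concrete, here is a small simulation (added example; this is not argus source code and the packet trace is constructed, not a real capture). It models the mechanism Carter describes: a flow cache counts packets until its status interval expires, a status record is emitted, the cache is parked on a timeout queue, and it is freed if no further packets arrive within an assumed idle timeout. Running the same DDoS-like trace with a one-day and a 60-second status interval shows how many flow caches are resident at peak, and a racluster-style daily roll-up (my own helper, not the argus tool) shows that the short-interval output still aggregates to the same per-flow daily totals.

```python
"""Toy model of how the argus status interval (-S secs) bounds flow-cache memory.

Added example, not argus code. Flow caches are either 'active' (counting packets
until the status interval ends) or 'queued' (already reported, waiting an
assumed idle_timeout for more packets before being freed).
"""
from collections import defaultdict


def build_trace(n_attack=1000, day=86400):
    """Constructed trace: n_attack one-packet TCP flows from distinct sources
    (one new flow per second) plus one legitimate session sending a packet
    every 30 s for a whole day. Each packet is (time, flow_key, bytes)."""
    pkts = []
    for i in range(n_attack):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.append((float(i), ("tcp", src, "192.0.2.10", 40000 + i, 80), 60))
    legit = ("tcp", "198.51.100.5", "192.0.2.10", 50000, 443)
    for t in range(0, day, 30):
        pkts.append((float(t), legit, 1500))
    pkts.sort()
    return pkts


def simulate(pkts, status_interval, idle_timeout=60):
    """Return (peak_resident_flow_caches, status_records).

    status_records are (report_time, flow_key, packets, bytes), one per flow
    per expired status interval, plus a final flush at end of input."""
    cache = {}     # flow_key -> {"state", "deadline", "pkts", "bytes"}
    records = []
    peak = 0

    def sweep(now):
        # Expire every cache whose deadline has passed (loop: a long gap may
        # cross both the report deadline and the idle deadline at once).
        for key in list(cache):
            fc = cache[key]
            while now >= fc["deadline"]:
                if fc["state"] == "active":
                    # Status interval over: emit a record, park on the timeout queue.
                    records.append((fc["deadline"], key, fc["pkts"], fc["bytes"]))
                    fc.update(state="queued", pkts=0, bytes=0,
                              deadline=fc["deadline"] + idle_timeout)
                else:
                    del cache[key]   # no activity during idle_timeout: free it
                    break

    for now, key, nbytes in pkts:
        sweep(now)
        fc = cache.get(key)
        if fc is None:
            fc = cache[key] = {"state": "active", "deadline": now + status_interval,
                               "pkts": 0, "bytes": 0}
        elif fc["state"] == "queued":
            # Activity resumed on a parked flow: start a fresh status interval.
            fc.update(state="active", deadline=now + status_interval)
        fc["pkts"] += 1
        fc["bytes"] += nbytes
        peak = max(peak, len(cache))

    # End of input: report whatever is still counting (like a shutdown flush).
    end = pkts[-1][0] if pkts else 0.0
    for key, fc in cache.items():
        if fc["pkts"]:
            records.append((end, key, fc["pkts"], fc["bytes"]))
    cache.clear()
    return peak, records


def aggregate_daily(records, day=86400):
    """racluster-style roll-up (own helper): one row per (flow, day) with
    summed packets and bytes, regardless of how finely argus reported."""
    totals = defaultdict(lambda: [0, 0])
    for t, key, pkts, nbytes in records:
        row = totals[(key, int(t // day))]
        row[0] += pkts
        row[1] += nbytes
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    trace = build_trace()
    for interval in (86400, 60):
        peak, recs = simulate(trace, interval)
        print(f"-S {interval:>5}: peak resident flow caches={peak:5d}, "
              f"status records={len(recs):5d}, daily rows={len(aggregate_daily(recs))}")
```

With the default trace the one-day interval keeps every attack flow resident until the end of the capture, while the 60-second interval holds only the flows seen in the last two minutes; both settings produce identical per-flow daily totals after the roll-up, which is the point of reporting early and aggregating downstream.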


