Argus Freezes
Dave Edelman
dedelman at iname.com
Tue Nov 16 20:06:51 EST 2010
It looks like Argus is being DDoS'd by a SYN flood attack (how Y2k) :-)
I have used Argus and the tools to analyze more DDoS attack data than I care
to think about.
I read in massive PCAP files with the default parameters with no problem
(the exception is that I have MAC address capture enabled, for no reason that
makes any difference here). The 2GB of memory may be your problem; I
generally am running on a system with 8GB.
In the attacks that we have been seeing recently, SYN flood is usually a
small part of the initial attack, and that phase is typically followed by a
main event of botnet-generated HTTP GETs for nonexistent pages. Since that
type of attack actually does the TCP 3-way handshake, it is usually a much
smaller number of flows, and the servers fall over in resource exhaustion.
Your mileage will vary; if the attacker doesn't have access to a botnet,
then she is stuck with SYN flood, ICMP, or UDP based attacks.
--Dave
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Carter Bullard
Sent: Monday, November 15, 2010 12:45 PM
To: Sunjeet Singh
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus Freezes
The default is 60 seconds, but you may have an /etc/argus.conf file that
overrides this value.
Try "-S 1" just to see how it goes.
Carter
On Nov 15, 2010, at 12:38 PM, Sunjeet Singh wrote:
Upon more inspection,
1. If I take the -S 86400 clause out of the command, the size of the .argus
file grows quicker.
2. Most of the lines in the .argus file that is 1.8MB look like-
13:49:55.089264 s tcp x -> y 14 672 TIM
13:49:55.099318 s tcp p -> y 14 672 TIM
13:49:55.109202 s tcp q -> y 14 672 TIM
13:49:55.119555 s tcp r -> y 14 672 TIM
13:49:55.128928 s tcp z -> y 14 672 TIM
So it seems like Argus is working but very slowly. I don't know how to
tackle this problem. I have this 1.6 GB pcap file that I want to summarize
to flow-level using Argus but because this is a DDOS trace Argus is very
time consuming.
I'd greatly appreciate any help on this.
Thank you,
Sunjeet Singh
On 10-11-15 9:12 AM, Sunjeet Singh wrote:
Hi,
I'm using Argus 3.0.3.18 on 64-bit Mac OS X Snow Leopard.
I am trying to use the command-
argus -S 86400 -r nettrace.pcap -w nettrace.argus
on a file nettrace.pcap of size 1.6 GB and with only tcp packets. This
command keeps running indefinitely. Upon monitoring the size of the
nettrace.argus file when this command is executing, I found that its size is
stagnant at 8 KB and as soon as I abort that command the size becomes 1.8
MB.
Argus is working great for other (smaller) traces that I am analyzing. The
only thing that makes this trace different from the others is that this is a
trace collected at a host witnessing a DDOS attack.
Can you please help me figure this out?
Thank you,
Sunjeet Singh
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
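The thread above turns on two timers: the status reporting interval that -S sets (60 seconds by default, per Carter) and the per-flow idle timeout that closes a flow and writes it out with TIM. The toy flow cache below is an added example for this archive page; it is not argus source code and not code from anyone in the thread. Everything in it is an assumption chosen to show the mechanism: a constructed flood of 300 spoofed sources each sending 14 SYNs of 48 bytes to one victim (so each flow sums to the "14 672" seen in the pasted records), a 60 second idle timeout, a timer walk once per second of trace time, and the STA/TIM/EOF labels, which only mimic ra's state column.

```python
"""Toy flow cache modelling the two timers this thread is about: the status
reporting interval (argus -S) and the per-flow idle timeout.  Constructed
example written for this archive page, not argus source code: the cache
layout, the timer values and the synthetic SYN flood are all assumptions
chosen to show the mechanism, not argus's real data structures or defaults."""

from collections import defaultdict

SYN_LEN = 48          # assumed bytes per synthetic SYN (not a measured size)
SCAN_EVERY_MS = 1000  # how often the cache walks its flows for timers (assumed)


def make_syn_flood(n_sources, syns_per_source, gap_ms=10):
    """Constructed packet list: n_sources spoofed addresses each send
    syns_per_source SYNs to one victim 'y', round-robin, one packet per
    gap_ms.  Times are integer milliseconds so timer arithmetic is exact."""
    pkts = []
    i = 0
    for _ in range(syns_per_source):
        for s in range(n_sources):
            pkts.append((i * gap_ms, f"src{s}", "y", SYN_LEN))
            i += 1
    return pkts


class FlowCache:
    """Flows keyed on (src, dst).  A flow is written out either when the
    status interval elapses ('STA': flow kept, counters reset) or when it
    has sat idle for idle_timeout ('TIM': flow dropped).  The labels mimic
    ra's state column but are only labels in this model."""

    def __init__(self, status_interval_s, idle_timeout_s=60):
        self.status_ms = status_interval_s * 1000
        self.idle_ms = idle_timeout_s * 1000
        self.flows = {}        # key -> {first, last, since, pkts, bytes}
        self.records = []      # (ts_ms, src, dst, pkts, bytes, status)
        self.peak = 0          # most flows held at once: the memory cost
        self._next_scan = 0

    def _emit(self, now, key, f, status):
        self.records.append((now, key[0], key[1], f["pkts"], f["bytes"], status))

    def _run_timers(self, now):
        for key in list(self.flows):
            f = self.flows[key]
            if now - f["last"] >= self.idle_ms:
                self._emit(now, key, f, "TIM")   # idle: report and forget
                del self.flows[key]
            elif now - f["since"] >= self.status_ms:
                self._emit(now, key, f, "STA")   # periodic report, flow stays
                f["pkts"] = f["bytes"] = 0
                f["since"] = now

    def process(self, packets):
        for ts, src, dst, length in sorted(packets):
            if ts >= self._next_scan:
                self._run_timers(ts)
                self._next_scan = ts + SCAN_EVERY_MS
            f = self.flows.get((src, dst))
            if f is None:
                f = self.flows[(src, dst)] = {"first": ts, "last": ts, "since": ts,
                                              "pkts": 0, "bytes": 0}
            f["pkts"] += 1
            f["bytes"] += length
            f["last"] = ts
            self.peak = max(self.peak, len(self.flows))
        return self

    def finish(self, now):
        """End of input: everything still cached is flushed in one burst,
        this model's counterpart of the output only appearing once the
        command was aborted.  'EOF' is this model's label."""
        for key, f in self.flows.items():
            if f["pkts"]:
                self._emit(now, key, f, "EOF")
        self.flows.clear()
        return self.records


def totals(records):
    """Per-source packet and byte counts summed over every record, to check
    that splitting a flow into many records loses nothing."""
    acc = defaultdict(lambda: [0, 0])
    for _, src, _, pkts, nbytes, _ in records:
        acc[src][0] += pkts
        acc[src][1] += nbytes
    return dict(acc)


def run(status_interval_s, idle_timeout_s, n_sources=300, syns=14):
    """Replay one synthetic flood; returns (records written before end of
    input, all records, peak number of flows held at once)."""
    cache = FlowCache(status_interval_s, idle_timeout_s)
    cache.process(make_syn_flood(n_sources, syns))
    early = len(cache.records)
    end_ms = n_sources * syns * 10     # one gap past the last packet
    return early, cache.finish(end_ms), cache.peak


if __name__ == "__main__":
    for label, s_int, idle in (("-S 86400", 86400, 60), ("-S 1", 1, 60),
                               ("-S 86400, 2s idle", 86400, 2)):
        early, recs, peak = run(s_int, idle)
        print(f"{label:20s} before EOF: {early:5d}  total: {len(recs):5d}  peak flows: {peak}")
```

In this model the -S 86400 run writes nothing until end of input and then flushes all 300 flows at once, which is the "8 KB until I abort, then 1.8 MB" pattern. Dropping to -S 1 gets records out early but leaves the peak cache size unchanged, because status reports keep the flow; only the idle timeout removes flows, and a short one turns each spoofed SYN into its own TIM record, which is what a flood of one-packet flows looks like in the output. Whether argus's own cache behaves identically is not something this model can show; it only illustrates why a spoofed-source SYN flood costs one cache entry per packet while a handshake-based attack from a bounded set of bots does not.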