Argus vs. DDoS

Jesper Skou Jensen jesper.skou.jensen at
Wed Feb 20 06:45:41 EST 2013

Hi guys,

Recently one of the links my Argus box is monitoring has been DDoS'ed a 
number of times, everything from UDP to ICMP and Syn-Floods has been 
thrown at us. When this happens, especially syn-floods the Argus process 
starts eating a lot of RAM and CPU.

When the attack is done the CPU load drops to normal levels, but the RAM 
(Virt and Res) remains high. Until I manually restart the Argus process.

What's worse is that the Argus process appears to be dropping packages. 
When I afterwards analyze the traffic, eg. by running it through ragraph 
I can see that during the attack the bytes/s counters are very low but 
the packages/s goes through the roof.

I'm guessing it's because Argus is trying to keep a state-table for each 
and every TCP session, and since we are usualy flooded by 
thousands/millions of IPs the state-table grows very fast.

Can you guys recommend any tweaks to Argus, eg. some config settings or 
similar, that can help preventing this excessive CPU/RAM usage to happen?

Jesper Skou Jensen

More information about the argus mailing list