Argus vs. DDoS
Jesper Skou Jensen
jesper.skou.jensen at uni-c.dk
Wed Feb 20 06:45:41 EST 2013
Hi guys,
Recently one of the links my Argus box is monitoring has been DDoS'ed a
number of times; everything from UDP to ICMP and SYN floods has been
thrown at us. When this happens, especially with SYN floods, the Argus
process starts eating a lot of RAM and CPU.
When the attack is done the CPU load drops to normal levels, but the RAM
(Virt and Res) remains high until I manually restart the Argus process.
What's worse is that the Argus process appears to be dropping packets.
When I afterwards analyze the traffic, e.g. by running it through ragraph,
I can see that during the attack the bytes/s counters are very low but
the packets/s goes through the roof.
I'm guessing it's because Argus is trying to keep a state table for each
and every TCP session, and since we are usually flooded by
thousands/millions of IPs the state table grows very fast.
Can you guys recommend any tweaks to Argus, e.g. some config settings or
similar, that can help prevent this excessive CPU/RAM usage?
Regards
Jesper Skou Jensen