Argus vs. DDoS

Jesper Skou Jensen jesper.skou.jensen at
Thu Feb 21 03:54:48 EST 2013

On 20-02-2013 20:19, Carter Bullard wrote:
> Hey Jesper Skou Jensen,
> The key to controlling the memory used by argus, are the flow status queue and the protocol idle queue timers, so that argus can forget about its flow caches as soon as possible.  I use a 5 sec status timer, which controls the size of the active queue, but we still have a number of idle queues that hold the caches for little while longer.  Once argus times out the flows in these queues, it completely forgets about the flow, which, when being DoSed, is a good thing.
Very nice, I thought there might be some feature like this, but I didn't 
know what it was called, or where to change it.

Thanks for you help.

> When not being attacked, the side effect of making these changes are that you will end up with some status records that don't know the direction, ( '?' ) in the dir field, not a huge problem.
If necessary, maybe a trip trough racluster would fix the direction?

> The timers can be configured from the argus.conf file, so turn those all down to say 5 sec, and you should ride the storm out a bit better.

Nice. I opted for the commandline option -S instead, I find that easier 
to work with.

> Residual memory is odd and maybe a bug.  It maybe that your kernel doesn't report that the deallocated memory pages are inactive?  You have memory, but the kernel does report it as available?

I don't have the problem at the moment, because I've restarted the Argus 
process since the last DDoS, but as far as I recall it's allocated as 
used and not available to the system. It isn't released until the Argus 
process is restarted.

> Ok, dropped packages, I say packets, you say packages?
> When you're getting DoS'd, the port mirrors can be saturated, which will drop packets, and your libpcap can drop packets.  You can change your PCAP_MEMORY environment variable, using the argus.conf file, which can help immensely to improve probe packet loss, that maybe the best knob for you to turn.
The argus.conf and manpages say:

The example below is intended to set a libpcap ring buffer length to 
300MB, if your system supports this feature.

I'm wondering:
1. What's the default value?
2. How do I know if my system supports that feature? I'm guessing it 
does, since it's a fairly new Linux.
3. Is there a upper limit to the value, or wouldn't it make much sense 
to set higher?


More information about the argus mailing list