Argus vs. DDoS

Carter Bullard carter at qosient.com
Thu Feb 21 05:03:40 EST 2013


Hey Jesper,
I don't know.  I did the support when the feature came out, but haven't paid much attention to it in a while; others use it a bit.

By using the -S option, you set the active status queue timeout.  That may solve all the problems, but if not, tweak the other timers in the conf file.  TCP is the biggest issue, as it has the longest timeouts.

Hope all is most excellent,

Carter


On Feb 21, 2013, at 3:54 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:

> On 20-02-2013 20:19, Carter Bullard wrote:
>> Hey Jesper Skou Jensen,
>> The key to controlling the memory used by argus is the flow status queue and the protocol idle queue timers, so that argus can forget about its flow caches as soon as possible.  I use a 5 sec status timer, which controls the size of the active queue, but we still have a number of idle queues that hold the caches for a little while longer.  Once argus times out the flows in these queues, it completely forgets about the flow, which, when being DoSed, is a good thing.
> Very nice, I thought there might be some feature like this, but I didn't know what it was called, or where to change it.
> 
> Thanks for your help.
> 
>> When not being attacked, the side effect of making these changes is that you will end up with some status records that don't know the direction, ( '?' ) in the dir field, not a huge problem.
> If necessary, maybe a trip through racluster would fix the direction?
> 
> 
>> The timers can be configured from the argus.conf file, so turn those all down to say 5 sec, and you should ride the storm out a bit better.
> 
> Nice. I opted for the commandline option -S instead, I find that easier to work with.
> 
>> Residual memory is odd and maybe a bug.  It may be that your kernel doesn't report that the deallocated memory pages are inactive?  You have memory, but the kernel does report it as available?
> 
> I don't have the problem at the moment, because I've restarted the Argus process since the last DDoS, but as far as I recall it's allocated as used and not available to the system. It isn't released until the Argus process is restarted.
> 
>> Ok, dropped packages, I say packets, you say packages?
>> When you're getting DoS'd, the port mirrors can be saturated, which will drop packets, and your libpcap can drop packets.  You can change your PCAP_MEMORY environment variable, using the argus.conf file, which can help immensely to improve probe packet loss; that may be the best knob for you to turn.
> The argus.conf and manpages say:
> 
> .....
> The example below is intended to set a libpcap ring buffer length to 300MB, if your system supports this feature.
> ARGUS_ENV="PCAP_MEMORY=300000"
> .....
> 
> I'm wondering:
> 1. What's the default value?
> 2. How do I know if my system supports that feature? I'm guessing it does, since it's a fairly new Linux.
> 3. Is there an upper limit to the value, or wouldn't it make much sense to set higher?
> 
> 
> Regards
> Jesper
> 


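As an added illustration of the advice in the thread (this is not argus code and not from either correspondent), here is a small Python linter that reads an argus.conf, pulls out the flow status interval, the per-protocol idle timers and the PCAP_MEMORY setting carried in ARGUS_ENV, and flags timers that are still above the 5 second ceiling Carter suggests. The directive names (ARGUS_FLOW_STATUS_INTERVAL, ARGUS_TCP_TIMEOUT and the other ARGUS_*_TIMEOUT keys) are assumed from memory of argus.conf and should be checked against your own copy; the sample config is constructed, not a real installation's file, and the PCAP_MEMORY unit is inferred only from the conf comment quoted above (300000 meaning roughly 300MB).

```python
"""Lint an argus.conf for the DDoS-survival settings discussed in the thread.

Constructed example, not argus project code. Directive names are assumed from
argus.conf (ARGUS_FLOW_STATUS_INTERVAL, ARGUS_*_TIMEOUT, ARGUS_ENV); verify
them against the argus.conf shipped with your argus version.
"""
import re
import shlex

# Flow status interval plus the per-protocol idle-queue timers (assumed names).
# Order matters only for the order findings are reported in.
TIMER_KEYS = (
    "ARGUS_FLOW_STATUS_INTERVAL",
    "ARGUS_TCP_TIMEOUT",
    "ARGUS_IP_TIMEOUT",
    "ARGUS_ICMP_TIMEOUT",
    "ARGUS_IGMP_TIMEOUT",
    "ARGUS_FRAG_TIMEOUT",
    "ARGUS_ARP_TIMEOUT",
    "ARGUS_OTHER_TIMEOUT",
)

_DIRECTIVE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.*?)\s*$")


def parse_argus_conf(text):
    """Return {directive: value} for the active (non-comment) lines.

    Values are unquoted with shlex, so ARGUS_ENV="PCAP_MEMORY=300000" comes
    back as the bare string PCAP_MEMORY=300000. ARGUS_ENV may legitimately
    appear more than once, so it is collected as a list.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments, commented-out directives too
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        parts = shlex.split(value)
        value = parts[0] if parts else ""
        if key == "ARGUS_ENV":
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def pcap_memory_kb(conf):
    """Ring size requested via ARGUS_ENV PCAP_MEMORY, or None if unset.

    Unit assumption: the conf comment quoted in the thread pairs 300000 with
    "300MB", so the value is treated as kilobytes. Nothing else is inferred.
    """
    for env in conf.get("ARGUS_ENV", []):
        name, _, val = env.partition("=")
        if name == "PCAP_MEMORY" and val.isdigit():
            return int(val)
    return None


def ddos_findings(conf, ceiling=5):
    """List timers above `ceiling` seconds and a missing PCAP_MEMORY.

    Mirrors the thread's advice: turn the status interval and idle timers
    down to about 5 s so argus forgets flow caches quickly under attack, and
    enlarge the libpcap ring so the probe drops fewer packets.
    """
    findings = []
    for key in TIMER_KEYS:
        raw = conf.get(key)
        if raw is None:
            continue  # argus falls back to its compiled-in default; not judged here
        try:
            secs = int(raw)
        except ValueError:
            findings.append(f"{key}: non-numeric value {raw!r}")
            continue
        if secs > ceiling:
            findings.append(f"{key}={secs}s exceeds {ceiling}s; flow caches linger under attack")
    if pcap_memory_kb(conf) is None:
        findings.append("ARGUS_ENV PCAP_MEMORY not set; libpcap ring uses the default size")
    return findings


# Constructed sample, not a real argus.conf: TCP and IP timers deliberately
# left long, the rest already tightened, and one ARGUS_ENV commented out.
SAMPLE_CONF = """\
# argus.conf excerpt (constructed for this example)
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_TCP_TIMEOUT=60
ARGUS_IP_TIMEOUT=30
ARGUS_ICMP_TIMEOUT=5
ARGUS_FRAG_TIMEOUT=5
ARGUS_ENV="PCAP_MEMORY=300000"
#ARGUS_ENV="PCAP_TIMEOUT=1000"
"""

if __name__ == "__main__":
    for line in ddos_findings(parse_argus_conf(SAMPLE_CONF)):
        print(line)
```

Run against your real file with `ddos_findings(parse_argus_conf(open("/etc/argus.conf").read()))`; a timer the file does not set is skipped rather than guessed, since the compiled-in defaults differ between argus versions and the thread does not state them.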

More information about the argus mailing list