[Oisf-users] Suricata and DDoS Attack
Leonard Jacobs
ljacobs at netsecuris.com
Wed Jan 27 13:49:25 UTC 2016
Is Af-Packet like a layer 2 switch in the sense of forwarding packets?
Could it be possible that a forwarding table got corrupted so the software did not know where to send some packets? Because based on the symptoms I shared before, it appears some traffic was making it through. Ping was reported to be working the whole time but more complex packets were having trouble.
Thanks.
Leonard
From: Peter Manev <petermanev at gmail.com>
To: Victor Julien <lists at inliniac.net>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 4:16 AM
Subject: Re: [Oisf-users] Suricata and DDoS Attack
On Wed, Jan 27, 2016 at 9:59 AM, Victor Julien <lists at inliniac.net> wrote:
> On 27-01-16 03:00, Leonard Jacobs wrote:
>>
>> With one of the networks we monitor, the ISP was under a DDoS attack
>> yesterday. It appears that Suricata kept functioning the whole time the
>> attack was occurring because we kept seeing events. However, somewhere
>> along the way the IPS appeared to lock up. The appliance was rebooted
>> and everything came back to normal.
What do you mean by "lock up" - process stops responding or it
segfaults or something else?
Anything strange in the last update in stats.log?
>>
>> We run the IPS in AF-Packet mode. The actual network we monitor was not
>> directly under the DDoS attack but slow Internet response times was
>> experienced.
>>
>> Is it possible that Suricata was experiencing some resource exhaustion?
>> Logs did not show anything wrong.
>
>
> Hard to say without more info. If it would happen again before killing
> Suricata, could you attach to with gdb and create a back trace?
>
> gdb --attach $(pidof suricata)
>
> then inside gdb
>
> (gdb) set logging on
> (gdb) thread apply all bt
>
>
> Then press return till you get back to the prompt. Then type quit. This
> process has created a gdb.txt file containing a copy of the output that
> describe the state of the different threads. You can then attach this file
> to the bug report.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
--
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160127/a2e35e44/attachment-0002.html>
More information about the Oisf-users
mailing list