[Oisf-users] Suricata load/latency spikes

Peter Manev petermanev at gmail.com
Sun Jul 5 08:52:13 UTC 2015


On Tue, Jun 30, 2015 at 5:52 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Oh it kicked in alright.  Didn't matter as suricata was still trying to
> track tens of thousands of extraneous flows per second, which is what
> was crushing the cores.
>
> Btw, the behavior was different depending on how the DOS attack is
> implemented.  If the floods are all with the same src/dst port/ip, the
> flow hashing will send them all to a single core, which is less of an
> issue.  If random source ports are used and/or source IPs spoofed, all
> cores get crushed due to new flow keys being generated for each flow.


Ok - but the emergency mode was working as expected, correct?

>
> On 6/30/2015 4:40 AM, Peter Manev wrote:
>> Was that really the case (crush) - since some emergency flushing is
>> supposed to kick in.
>> (The emergency state is activated when the memcap limit is reached)
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Regards,
Peter Manev
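As an added illustration (not code from this thread or from the Suricata project): a toy model of how a symmetric flow hash spreads packets over worker threads. It shows the two situations Cooper describes, a flood with one fixed src/dst IP/port pair landing on a single worker versus randomized source ports or spoofed source addresses creating a new flow key per packet and loading every worker, and it counts the distinct flow keys that push the flow table toward the memcap limit and the emergency state Peter mentions. The hash function, the worker count, the memcap and per-flow memory figures and the traffic samples are all constructed assumptions for this example, not Suricata's actual hashing or defaults.

```python
import hashlib
import random
from collections import Counter

# Assumptions for this toy model (not Suricata's real values):
WORKERS = 8                 # hypothetical worker-thread count
FLOW_MEMCAP = 64 * 1024**2  # hypothetical flow memcap, 64 MiB
BYTES_PER_FLOW = 512        # hypothetical per-flow memory cost


def flow_key(src_ip, dst_ip, src_port, dst_port, proto="tcp"):
    """Canonical 5-tuple: endpoints sorted so both directions share one key."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, lo, hi)


def worker_for(key, workers=WORKERS):
    """Stand-in for a symmetric flow hash (blake2b here, not Suricata's hash)."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % workers


def distribute(packets, workers=WORKERS):
    """Return (packets per worker, number of distinct flow keys seen)."""
    per_worker = Counter()
    flows = set()
    for pkt in packets:
        key = flow_key(*pkt)
        flows.add(key)
        per_worker[worker_for(key, workers)] += 1
    return per_worker, len(flows)


def busiest_share(per_worker):
    """Fraction of all packets that landed on the single busiest worker."""
    total = sum(per_worker.values())
    return max(per_worker.values()) / total if total else 0.0


def over_memcap(distinct_flows, memcap=FLOW_MEMCAP, per_flow=BYTES_PER_FLOW):
    """True when tracking that many flows would exceed the (assumed) memcap,
    i.e. the point at which the flow engine would enter its emergency state."""
    return distinct_flows * per_flow > memcap


# Constructed traffic samples (documentation-range addresses, port 80 target).
def fixed_tuple_flood(n):
    # every packet shares one 5-tuple -> one flow key -> one worker
    return [("198.51.100.7", "192.0.2.10", 40000, 80)] * n


def random_sport_flood(n, seed=1):
    # same source host, random source port per packet -> new key per packet
    rng = random.Random(seed)
    return [("198.51.100.7", "192.0.2.10", rng.randint(1024, 65535), 80)
            for _ in range(n)]


def spoofed_src_flood(n, seed=2):
    # random source address and port per packet -> new key per packet
    rng = random.Random(seed)
    return [("203.0.113.%d" % rng.randint(1, 254), "192.0.2.10",
             rng.randint(1024, 65535), 80) for _ in range(n)]


if __name__ == "__main__":
    for name, pkts in [("fixed 5-tuple", fixed_tuple_flood(10000)),
                       ("random sport", random_sport_flood(10000)),
                       ("spoofed src", spoofed_src_flood(10000))]:
        per_worker, flows = distribute(pkts)
        print("%-14s workers busy=%d busiest=%.0f%% flows=%d memcap hit=%s" % (
            name, len(per_worker), 100 * busiest_share(per_worker), flows,
            over_memcap(flows)))
```

Run as a script it prints one line per sample: the fixed-tuple flood keeps one worker at 100% and adds a single flow, while the randomized floods spread evenly over all workers and add roughly one flow per packet. For capacity planning the number to watch is that distinct-flow count multiplied by the real per-flow memory cost against the configured memcap, since that, not packet rate alone, decides when the emergency state kicks in.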


