[Oisf-users] Suricata load/latency spikes

Cooper F. Nelson cnelson at ucsd.edu
Mon Jun 29 17:36:27 UTC 2015



Last year I traced down intermittent performance issues w/suricata to
compromised local clients that were participating in a DDOS botnet.
They would periodically SYN flood remote hosts, which would crush the
suricata process as it tried to track millions of new flows in a few
seconds.

The way I found this was I wrote a simple shell script to display top
talkers by IP, which I ran when suricata was under heavy load and
falling over.  I've since created some signatures to look for SYN floods.

In your environment, you could do something similar with argus, netflow
or ntop and see what the top talkers are during your periods of outages.

Re: the DNS issues, I've also seen performance issues due to clients
running bittorrent over port 53.

-Coop

On 6/29/2015 8:01 AM, Oliver Humpage wrote:
> 
> On 29 Jun 2015, at 14:37, robert.jamison at bt.com wrote:
> 
>> The only non-trivial difference in the before and after stats is
>> that dns.memuse increases by a factor of 3x.
> 
> That's pretty much what I thought too. But it's still only a tiny
> amount, so probably not the issue.
> 
> I've been using systat to look at PPS, and although sometimes I can
> see latency increase with PPS, at other times I can see PPS get to
> nearly 10x above the background average and no ill effects (4k as
> opposed to normal 0.5k). So it's not purely PPS, and it's not
> anything stats.log can point at.
> 
> I might start commenting out rulesets one at a time to see if any
> particular sets are causing issues.
> 
> If anyone else has any ideas, do shout :)
> 
> Thanks,
> 
> Oliver.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042