[Oisf-users] Suricata load/latency spikes

Peter Manev petermanev at gmail.com
Tue Jun 30 11:40:14 UTC 2015


On Mon, Jun 29, 2015 at 7:36 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Last year I traced down intermittent performance issues w/suricata to
> compromised local clients that were participating in a DDOS botnet.
> They would periodically SYN flood remote hosts, which would crush the
> suricata process as it tried to track millions of new flows in a few
> seconds.

Was that really the case (crush)? Some emergency flushing is supposed to
kick in.
(The emergency state is activated when the memcap limit is reached.)

>
> The way I found this was I wrote a simple shell script to display top
> talkers by IP, which I ran when suricata was under heavy load and
> falling over.  I've since created some signatures to look for SYN floods.
>
> In your environment, you could do something similar with argus, netflow
> or ntop and see what the top talkers are during your periods of outages.
>
> Re: the DNS issues, I've also seen performance issues due to clients
> running BitTorrent over port 53.
>
> - -Coop
>
> On 6/29/2015 8:01 AM, Oliver Humpage wrote:
>>
>> On 29 Jun 2015, at 14:37, robert.jamison at bt.com wrote:
>>
>>> The only non-trivial difference in the before and after stats is
>>> that dns.memuse increases by a factor of 3x.
>>
>> That's pretty much what I thought too. But it's still only a tiny
>> amount, so probably not the issue.
>>
>> I've been using systat to look at PPS, and although sometimes I can
>> see latency increase with PPS, at other times I can see PPS get to
>> nearly 10x above the background average and no ill effects (4k as
>> opposed to normal 0.5k). So it's not purely PPS, and it's not
>> anything stats.log can point at.
>>
>> I might start commenting out rulesets one at a time to see if any
>> particular sets are causing issues.
>>
>> If anyone else has any ideas, do shout :)
>>
>> Thanks,
>>
>> Oliver.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Regards,
Peter Manev
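An added example, not Cooper's script and not code from the Suricata project: a small Python "top talkers" tool of the kind the thread describes, which reads tcpdump-style text lines and counts pure SYN packets (flag "S" only, so SYN-ACK replies from servers are not counted) per source address and per one-second bucket. A local host whose per-second SYN peak is far above everyone else's is the kind of client that opens millions of new flows in a few seconds. The sample lines are constructed for this example; the capture command in the comment is standard tcpdump syntax, but the threshold value is an assumption you would tune to your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format produced by
#   tcpdump -nn -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# (-tt gives epoch timestamps, -nn disables name resolution). These lines are
# invented for the example, not captured traffic. 10.0.0.5 fires six SYNs to
# six different hosts within 2 ms; 10.0.0.7 behaves normally.
SAMPLE = """\
1435600000.000123 IP 10.0.0.5.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
1435600000.000456 IP 10.0.0.5.51235 > 203.0.113.11.80: Flags [S], seq 1, win 64240, length 0
1435600000.000789 IP 10.0.0.5.51236 > 203.0.113.12.80: Flags [S], seq 1, win 64240, length 0
1435600000.001012 IP 10.0.0.5.51237 > 203.0.113.13.80: Flags [S], seq 1, win 64240, length 0
1435600000.001345 IP 10.0.0.5.51238 > 203.0.113.14.80: Flags [S], seq 1, win 64240, length 0
1435600000.001678 IP 10.0.0.5.51239 > 203.0.113.15.80: Flags [S], seq 1, win 64240, length 0
1435600000.002001 IP 203.0.113.10.80 > 10.0.0.5.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
1435600000.500000 IP 10.0.0.7.40000 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
1435600000.600000 IP 10.0.0.7.40000 > 198.51.100.20.443: Flags [P.], seq 1:10, ack 1, win 64240, length 9
1435600001.100000 IP 10.0.0.7.40001 > 198.51.100.21.443: Flags [S], seq 1, win 64240, length 0
this line is not tcpdump output and must be skipped
"""

# epoch timestamp, "IP", src.sport > dst.dport: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump text line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_pure_syn(pkt):
    # "S" is a new connection attempt; "S." is the server's SYN-ACK and
    # "P." / "." carry no SYN. Counting only "S" keeps busy servers from
    # showing up as flooders.
    return pkt["flags"] == "S"


def syn_events(lines):
    """Yield parsed packets that are pure SYNs, skipping unparseable lines."""
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and is_pure_syn(pkt):
            yield pkt


def top_talkers(lines, n=5):
    """Sources ordered by total SYNs sent, most first."""
    return Counter(pkt["src"] for pkt in syn_events(lines)).most_common(n)


def peak_syn_rate(lines):
    """Per source, the highest number of SYNs seen in any one-second bucket."""
    buckets = defaultdict(Counter)  # src -> {epoch second -> SYN count}
    for pkt in syn_events(lines):
        buckets[pkt["src"]][int(pkt["ts"])] += 1
    return {src: max(per_sec.values()) for src, per_sec in buckets.items()}


def flag_flooders(lines, threshold):
    """Sources whose per-second SYN peak reaches the (assumed, site-tuned) threshold."""
    return sorted(src for src, peak in peak_syn_rate(lines).items() if peak >= threshold)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for src, total in top_talkers(lines):
        print(f"{src:15} total SYNs={total:4}  peak/sec={peak_syn_rate(lines)[src]}")
    print("over threshold:", flag_flooders(lines, threshold=5))
```

On a live sensor you would feed the script from a capture file (`tcpdump -nn -tt -r flows.pcap ...`) taken during one of the latency spikes, then compare each source's peak against its normal rate; bucketing by second is what separates a burst that exhausts the flow table from a host that is merely chatty over a long period.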


