[Oisf-users] Suricata load/latency spikes

Cooper F. Nelson cnelson at ucsd.edu
Tue Jun 30 15:52:56 UTC 2015



Oh it kicked in alright.  Didn't matter as suricata was still trying to
track tens of thousands of extraneous flows per second, which is what
was crushing the cores.

Btw, the behavior was different depending on how the DoS attack is
implemented.  If the floods are all with the same src/dst port/ip, the
flow hashing will send them all to a single core, which is less of an
issue.  If random source ports are used and/or source IPs spoofed, all
cores get crushed due to new flow keys being generated for each flow.

On 6/30/2015 4:40 AM, Peter Manev wrote:
> Was that really the case(crush) - since some emergency flushing is
> supposed to kick in.
> (The emergency state is activated when the memcap limit is reached)
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
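The flow-hashing behaviour described above, as an added example that is not part of the original message or of Suricata's code: a toy worker-selection model (stable digest of the symmetric 5-tuple modulo the worker count, standing in for the engine's real flow hash) run over two constructed floods. The same-tuple flood creates one flow entry and lands on one worker; the flood with varying source addresses and ports creates one flow entry per packet and spreads across every worker, which is the load pattern a defender should expect to see in per-thread stats and flow memcap counters.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = 6  # TCP

def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple: both directions of a flow get the
    same key, so request and reply land on the same worker."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted((a, b))
    return (lo, hi, pkt.proto)

def worker_for(key: tuple, n_workers: int) -> int:
    """Toy stand-in for the engine's flow hash: blake2b of the key (stable across runs) mod worker count."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers

def simulate(packets, n_workers):
    """Return (packets seen per worker, number of distinct flow entries created)."""
    load = Counter()
    flows = set()
    for pkt in packets:
        key = flow_key(pkt)
        flows.add(key)
        load[worker_for(key, n_workers)] += 1
    return load, len(flows)

# Constructed traffic using RFC 5737 documentation addresses, not a capture.
TARGET_IP, TARGET_PORT = "203.0.113.10", 80
N = 8192

def fixed_tuple_flood(n=N):
    """Every packet shares one src/dst ip/port tuple: a single flow key."""
    return [Packet("198.51.100.7", TARGET_IP, 40000, TARGET_PORT) for _ in range(n)]

def spoofed_flood(n=N):
    """Each packet has a different source address/port: a new flow key every time."""
    return [Packet(f"198.51.100.{i % 256}", TARGET_IP, 1024 + i, TARGET_PORT) for i in range(n)]

if __name__ == "__main__":
    for name, pkts in (("same tuple", fixed_tuple_flood()), ("varying src", spoofed_flood())):
        load, n_flows = simulate(pkts, n_workers=8)
        print(f"{name:12s} flow entries={n_flows:5d} per-worker={dict(sorted(load.items()))}")
```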