[Oisf-users] Suricata and DDoS Attack

Victor Julien lists at inliniac.net
Wed Jan 27 08:59:43 UTC 2016

On 27-01-16 03:00, Leonard Jacobs wrote:
> With one of the networks we monitor, the ISP was under a DDoS attack
> yesterday.  It appears that Suricata kept functioning the whole time the
> attack was occurring because we kept seeing events.  However, somewhere
> along the way the IPS appeared to lock up.  The appliance was rebooted
> and everything came back to normal.
> We run the IPS in AF-Packet mode.  The actual network we monitor was not
> directly under the DDoS attack but slow Internet response times was
> experienced.
> Is it possible that Suricata was experiencing some resource exhaustion?
> Logs did not show anything wrong.

Hard to say without more info. If it would happen again before killing 
Suricata, could you attach to with gdb and create a back trace?

gdb --attach $(pidof suricata)

then inside gdb

(gdb) set logging on
(gdb) thread apply all bt

Then press return till you get back to the prompt. Then type quit. This 
process has created a gdb.txt file containing a copy of the output that 
describe the state of the different threads. You can then attach this 
file to the bug report.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list