[Oisf-users] Suricata and DDoS Attack

Victor Julien lists at inliniac.net
Wed Jan 27 08:59:43 UTC 2016


On 27-01-16 03:00, Leonard Jacobs wrote:
> With one of the networks we monitor, the ISP was under a DDoS attack
> yesterday.  It appears that Suricata kept functioning the whole time the
> attack was occurring because we kept seeing events.  However, somewhere
> along the way the IPS appeared to lock up.  The appliance was rebooted
> and everything came back to normal.
>
> We run the IPS in AF-Packet mode.  The actual network we monitor was not
> directly under the DDoS attack but slow Internet response times were
> experienced.
>
> Is it possible that Suricata was experiencing some resource exhaustion?
> Logs did not show anything wrong.

Hard to say without more info. If it happens again, before killing 
Suricata, could you attach to it with gdb and create a backtrace?

gdb --attach $(pidof suricata)

then inside gdb

(gdb) set logging on
(gdb) thread apply all bt


Then press return until you get back to the prompt. Then type quit. This 
process will have created a gdb.txt file containing a copy of the output 
that describes the state of the different threads. You can then attach 
this file to the bug report.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
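The same gdb capture as a non-interactive shell script, added here as an example and not part of the list message. It assumes gdb and pidof are installed and that it runs with permission to ptrace the Suricata process; it uses gdb's batch mode with output redirection in place of the interactive "set logging on" step.

```sh
#!/bin/sh
# Added example: capture all-thread backtraces from a running Suricata
# without typing into gdb, so an on-call operator can collect the
# evidence before restarting the appliance. Suricata is only paused while
# gdb walks its threads; batch mode detaches on exit and does not kill it.

# Succeed only if the argument is exactly one numeric pid.
# pidof may print several pids or nothing; both cases must abort.
single_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the gdb command line for a pid. -batch runs the -ex commands and
# exits (detaching); pagination is disabled so nothing waits for a keypress.
gdb_bt_cmd() {
    printf '%s\n' "gdb -p $1 -batch -ex 'set pagination off' -ex 'thread apply all bt'"
}

# Write the backtrace of the running suricata to $1 (default: timestamped file).
collect_suricata_bt() {
    out="${1:-suricata-bt-$(date +%Y%m%d-%H%M%S).txt}"
    pid="$(pidof suricata 2>/dev/null || true)"
    if ! single_pid "$pid"; then
        echo "expected exactly one suricata pid, got: '$pid'" >&2
        return 1
    fi
    command -v gdb >/dev/null 2>&1 || { echo "gdb not installed" >&2; return 1; }
    # stderr is kept in the file: gdb warnings about missing symbols are useful too
    sh -c "$(gdb_bt_cmd "$pid")" > "$out" 2>&1
    echo "wrote $out"
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    collect_suricata_bt "${2:-}"
fi
```

Invoke as `sh collect_bt.sh --run /tmp/suricata-bt.txt` (hypothetical filename) and attach the resulting file to the bug report.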
