[Oisf-users] Suricata and DDoS Attack

Leonard Jacobs ljacobs at netsecuris.com
Wed Jan 27 13:15:34 UTC 2016


We will try to see if we can SSH into the appliance when it is in this condition.

I don't know if it makes a difference but we had upgraded Suricata to version 2.0.11 about 2 to 3 days before this incident was reported to us.  We had also compiled it with GeoIP, JSON, and Lua support when we did the upgrade.


From: Victor Julien <lists at inliniac.net>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 2:59 AM
Subject: Re: [Oisf-users] Suricata and DDoS Attack

On 27-01-16 03:00, Leonard Jacobs wrote:
> With one of the networks we monitor, the ISP was under a DDoS attack
> yesterday.  It appears that Suricata kept functioning the whole time the
> attack was occurring because we kept seeing events.  However, somewhere
> along the way the IPS appeared to lock up.  The appliance was rebooted
> and everything came back to normal.
> We run the IPS in AF-Packet mode.  The actual network we monitor was not
> directly under the DDoS attack but slow Internet response times was
> experienced.
> Is it possible that Suricata was experiencing some resource exhaustion?
> Logs did not show anything wrong.

Hard to say without more info. If it happens again, before killing 
Suricata could you attach to it with gdb and create a backtrace?

gdb --attach $(pidof suricata)

then inside gdb

(gdb) set logging on
(gdb) thread apply all bt

Then press return till you get back to the prompt. Then type quit. This 
process has created a gdb.txt file containing a copy of the output that 
describes the state of the different threads. You can then attach this 
file to the bug report.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
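The gdb procedure in the reply above, done non-interactively so it can be run from a cron job or a remote shell while the appliance is hung, plus a small summary of the resulting gdb.txt. This is an added example, not code from the thread or from the Suricata project; the output file name, the helper function names and the sample backtrace (with made-up function names that are not real Suricata symbols) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list post or the Suricata project).
# Needs the same privileges as the interactive gdb session: root, or
# ptrace permission on the suricata process.

# Batch version of: gdb --attach $(pidof suricata); thread apply all bt.
# Writes every thread's backtrace to $1 (default gdb.txt) and detaches.
suricata_backtrace() {
    out="${1:-gdb.txt}"
    # pidof may print several pids; -p takes one, so use the first.
    pid="$(pidof suricata | awk '{print $1}')"
    if [ -z "$pid" ]; then
        echo "suricata not running" >&2
        return 1
    fi
    # -batch exits after the -ex commands run; pagination off so gdb
    # never waits for a keypress (the interactive "press return" step).
    gdb -batch -p "$pid" \
        -ex 'set pagination off' \
        -ex 'thread apply all bt' > "$out" 2>&1
}

# Print "<thread-no> <innermost-function>" for each thread in a gdb.txt
# produced by "thread apply all bt".  Frame #0 lines look like either
#   #0  0x00007f... in poll () from /lib/...
#   #0  some_function (arg=1) at file.c:42
summarize_backtrace() {
    awk '
    /^Thread [0-9]+ / { tid = $2; next }
    /^#0 / {
        line = $0
        sub(/^#0 +/, "", line)
        if (match(line, / in /)) line = substr(line, RSTART + 4)
        sub(/ .*/, "", line)          # keep only the function name
        print tid, line
    }' "$1"
}

# How many threads share the same innermost frame.  A hang where every
# packet thread sits in the same wait, or one thread never leaves a
# loop while the rest wait, stands out here before reading all frames.
thread_frame_counts() {
    summarize_backtrace "$1" | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Constructed sample of gdb.txt for trying the summary offline.  The
# function names below are placeholders, not real Suricata symbols.
sample_gdb_txt() {
    cat <<'EOF'
Thread 4 (Thread 0x7f8e5affd700 (LWP 1243)):
#0  0x00007f8e6a2b4a1d in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x000000000049f1c2 in output_flush_wait (ctx=0x1b2a4c0) at output-placeholder.c:88
#2  0x00007f8e6a2b0184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

Thread 3 (Thread 0x7f8e5b7fe700 (LWP 1240)):
#0  0x00007f8e69fd1d3d in poll () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00000000004a77e0 in packet_read_loop (ring=0x1b31f80) at capture-placeholder.c:417
#2  0x00007f8e6a2b0184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

Thread 2 (Thread 0x7f8e5bfff700 (LWP 1239)):
#0  0x00007f8e6a2b4a1d in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x0000000000462b10 in flow_manager_wait (td=0x1b2e020) at flow-placeholder.c:203
#2  0x00007f8e6a2b0184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

Thread 1 (Thread 0x7f8e6a9c5780 (LWP 1236)):
#0  0x00007f8e69fa0f3d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f8e69fd1de4 in usleep () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000000000040c8a1 in main (argc=5, argv=0x7ffd2c1e8a78) at suricata-placeholder.c:2210
EOF
}

# Usage on a hung appliance:
#   suricata_backtrace /tmp/gdb.txt && thread_frame_counts /tmp/gdb.txt
# Usage on the constructed sample:
#   sample_gdb_txt > /tmp/sample.txt && summarize_backtrace /tmp/sample.txt
```

Run `suricata_backtrace` first and attach the raw file to the bug report as the reply asks; the summary is only a quick first look at which threads are waiting and which are not, and is not a substitute for the full backtraces.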