[Oisf-users] Suricata and DDoS Attack
Leonard Jacobs
ljacobs at netsecuris.com
Wed Jan 27 13:15:34 UTC 2016
Thanks.
We will try to see whether we can SSH into the appliance when it is in this condition.
I don't know if it makes a difference, but we had upgraded Suricata to version 2.0.11 about 2 to 3 days before this incident was reported to us. We had also compiled it with GeoIP, JSON, and Lua support when we did the upgrade.
Leonard
From: Victor Julien <lists at inliniac.net>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 1/27/2016 2:59 AM
Subject: Re: [Oisf-users] Suricata and DDoS Attack
On 27-01-16 03:00, Leonard Jacobs wrote:
> With one of the networks we monitor, the ISP was under a DDoS attack
> yesterday. It appears that Suricata kept functioning the whole time the
> attack was occurring because we kept seeing events. However, somewhere
> along the way the IPS appeared to lock up. The appliance was rebooted
> and everything came back to normal.
>
> We run the IPS in AF-Packet mode. The actual network we monitor was not
> directly under the DDoS attack but slow Internet response times were
> experienced.
>
> Is it possible that Suricata was experiencing some resource exhaustion?
> Logs did not show anything wrong.
Hard to say without more info. If it happens again, could you attach to it
with gdb and create a backtrace before killing Suricata?
gdb --attach $(pidof suricata)
then inside gdb
(gdb) set logging on
(gdb) thread apply all bt
Then press return until you get back to the prompt. Then type quit. This
process has created a gdb.txt file containing a copy of the output that
describes the state of the different threads. You can then attach this
file to the bug report.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
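The gdb procedure Victor describes above is interactive, which is awkward when the appliance is already unresponsive and someone is about to reboot it. The script below is an added example, not code from this thread or from the Suricata project: it runs the same "thread apply all bt" in gdb batch mode so a watchdog or an operator can capture the per-thread backtrace in one command and still let Suricata continue. It assumes gdb is installed on the sensor, that the caller is allowed to ptrace the suricata process (root, or a kernel.yama.ptrace_scope that permits it), and that pidof or pgrep is available; the process and output names are illustrative.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Suricata project):
# non-interactive version of "gdb --attach; thread apply all bt".
# Assumptions: gdb is installed, the caller may ptrace suricata, and
# pidof or pgrep exists. Process and file names are illustrative.

# Print the pid of the oldest process named $1; fail if none is running
# (or, status 2, if neither pidof nor pgrep is available).
find_pid() {
    if command -v pidof >/dev/null 2>&1; then
        pidof -s "$1"
    elif command -v pgrep >/dev/null 2>&1; then
        pgrep -o -x "$1"
    else
        return 2
    fi
}

# Print the gdb command line that dumps every thread's backtrace of pid $1.
# --batch runs the -ex commands and exits; the final "detach" lets the
# process continue. Attaching stops all threads, so packets are held for
# the few seconds it takes gdb to walk the stacks.
gdb_bt_cmd() {
    printf 'gdb --batch -p %s -ex "set pagination off" -ex "thread apply all bt" -ex detach\n' "$1"
}

# capture_backtrace NAME OUTFILE: attach to the running NAME process and
# write all thread backtraces to OUTFILE.
# Returns 1 if NAME is not running, 2 if gdb is missing, and non-zero if
# the dump contains no "Thread" lines (typically ptrace was refused; check
# dmesg and kernel.yama.ptrace_scope).
capture_backtrace() {
    name=$1
    out=$2
    pid=$(find_pid "$name") || { echo "no running $name process" >&2; return 1; }
    command -v gdb >/dev/null 2>&1 || { echo "gdb not installed" >&2; return 2; }
    eval "$(gdb_bt_cmd "$pid")" >"$out" 2>&1
    grep -q '^Thread ' "$out"
}

# Usage (illustrative path):
#   capture_backtrace suricata "/var/log/suricata/gdb-$(date +%s).txt"
```

The resulting file is what Victor asks to have attached to the bug report; if it only contains a ptrace error, nothing was captured and the command has to be rerun with sufficient privileges before the appliance is rebooted.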