[Oisf-users] Suricata and DDoS Attack

Peter Manev petermanev at gmail.com
Fri Jan 29 13:18:34 UTC 2016


On Wed, Jan 27, 2016 at 2:49 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> Is Af-Packet like a layer 2 switch in the sense of forwarding packets?

Yes

>
> Could it be possible that a forwarding table got corrupted so the software
> did not know where to send some packets?  Because based on the symptoms I
> shared before, it appears some traffic was making it through.  Ping was
> reported to be working the whole time but more complex packets were having
> trouble.
>

Maybe - how can you be sure though? Is there a way that could be
checked for sure?

> Thanks.
>
> Leonard
>
>
>
> From: Peter Manev <petermanev at gmail.com>
> To: Victor Julien <lists at inliniac.net>
> Cc: "oisf-users at lists.openinfosecfoundation.org"
> <oisf-users at lists.openinfosecfoundation.org>
> Sent: 1/27/2016 4:16 AM
> Subject: Re: [Oisf-users] Suricata and DDoS Attack
>
> On Wed, Jan 27, 2016 at 9:59 AM, Victor Julien <lists at inliniac.net> wrote:
>> On 27-01-16 03:00, Leonard Jacobs wrote:
>>>
>>> With one of the networks we monitor, the ISP was under a DDoS attack
>>> yesterday.  It appears that Suricata kept functioning the whole time the
>>> attack was occurring because we kept seeing events.  However, somewhere
>>> along the way the IPS appeared to lock up.  The appliance was rebooted
>>> and everything came back to normal.
>
>
> What do you mean by "lock up" - process stops responding or it
> segfaults or something else?
> Anything strange in the last update in stats.log?
>
>>>
>>> We run the IPS in AF-Packet mode.  The actual network we monitor was not
>>> directly under the DDoS attack but slow Internet response times were
>>> experienced.
>>>
>>> Is it possible that Suricata was experiencing some resource exhaustion?
>>> Logs did not show anything wrong.
>>
>>
>> Hard to say without more info. If it would happen again before killing
>> Suricata, could you attach to it with gdb and create a back trace?
>>
>> gdb --attach $(pidof suricata)
>>
>> then inside gdb
>>
>> (gdb) set logging on
>> (gdb) thread apply all bt
>>
>>
>> Then press return till you get back to the prompt. Then type quit. This
>> process has created a gdb.txt file containing a copy of the output that
>> describes the state of the different threads. You can then attach this file
>> to the bug report.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
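Peter's question about the last update in stats.log, and his follow-up "is there a way that could be checked for sure?", can be turned into a routine check of the counters Suricata already writes. The script below is an added example, not code from this thread or from the Suricata project. It assumes the Suricata 2.x/3.x stats.log layout (a "Date:" header per dump followed by "counter | thread | value" rows, with cumulative capture.kernel_packets and capture.kernel_drops per AF_PACKET thread, and a "Total" row in newer versions), and it runs on a constructed sample log and a constructed inspection time. It reports AF_PACKET kernel drops per interval, an interval in which the capture thread counted nothing, and a stats writer that stopped producing dumps; the gdb backtrace Victor describes is still the way to see what the threads were actually doing.

```python
"""Check a Suricata stats.log for what the thread asks about: AF_PACKET kernel
drops during a traffic surge, a capture thread that stopped counting, and a
stats writer that stopped producing dumps (the process may be hung)."""
import re
from datetime import datetime

# Assumed layout (Suricata 2.x/3.x stats.log): a "Date:" header per dump,
# then "counter | thread | value" rows, cumulative since start.
DATE_RE = re.compile(r"^Date:\s+(\d{1,2}/\d{1,2}/\d{4}) -- (\d{2}:\d{2}:\d{2})")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed sample, not taken from the thread: four dumps 8 seconds apart
# (Suricata's default stats interval) for one AF_PACKET capture thread.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 1/26/2016 -- 14:00:00 (uptime: 0d, 01h 00m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000000
capture.kernel_drops      | AFPacketeth01             | 0
-------------------------------------------------------------------
Date: 1/26/2016 -- 14:00:08 (uptime: 0d, 01h 00m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1400000
capture.kernel_drops      | AFPacketeth01             | 500
-------------------------------------------------------------------
Date: 1/26/2016 -- 14:00:16 (uptime: 0d, 01h 00m 16s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 2400000
capture.kernel_drops      | AFPacketeth01             | 120500
-------------------------------------------------------------------
Date: 1/26/2016 -- 14:00:24 (uptime: 0d, 01h 00m 24s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 2400000
capture.kernel_drops      | AFPacketeth01             | 120500
"""

# Constructed time of inspection, well after the last dump.
NOW = datetime(2016, 1, 26, 14, 2, 0)


def parse_stats_log(text):
    """Split stats.log into dumps: a list of (timestamp, {(counter, thread): value})."""
    dumps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %H:%M:%S")
            dumps.append((ts, {}))
        else:
            m = COUNTER_RE.match(line)
            if m and dumps:
                dumps[-1][1][(m.group(1), m.group(2))] = int(m.group(3))
    return dumps


def capture_totals(counters):
    """Kernel packets/drops summed over AF_PACKET threads; if the dump has a
    'Total' row (newer versions) use it alone to avoid double counting."""
    out = []
    for name in ("capture.kernel_packets", "capture.kernel_drops"):
        rows = {thread: v for (c, thread), v in counters.items() if c == name}
        out.append(rows["Total"] if "Total" in rows else sum(rows.values()))
    return tuple(out)


def interval_report(dumps):
    """Per-interval deltas of the cumulative kernel counters between dumps."""
    report = []
    for (t0, c0), (t1, c1) in zip(dumps, dumps[1:]):
        (p0, d0), (p1, d1) = capture_totals(c0), capture_totals(c1)
        packets, drops = p1 - p0, d1 - d0
        pct = 100.0 * drops / packets if packets else (100.0 if drops else 0.0)
        report.append({"at": t1, "packets": packets, "drops": drops, "drop_pct": pct})
    return report


def find_anomalies(dumps, now, drop_pct_threshold=5.0, stall_intervals=3):
    """Human-readable findings: high kernel drops, an interval with no packets
    counted, and a last dump older than stall_intervals dump intervals."""
    findings = []
    for r in interval_report(dumps):
        if r["drop_pct"] >= drop_pct_threshold:
            findings.append("%s: kernel dropped %.1f%% (%d of %d packets)"
                            % (r["at"], r["drop_pct"], r["drops"], r["packets"]))
        elif r["packets"] == 0:
            findings.append("%s: no packets counted, capture thread idle or stuck" % r["at"])
    if len(dumps) >= 2:
        interval = dumps[-1][0] - dumps[-2][0]
        if now - dumps[-1][0] > interval * stall_intervals:
            findings.append("last dump %s is older than %d intervals: stats thread stopped"
                            % (dumps[-1][0], stall_intervals))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_stats_log(SAMPLE_STATS_LOG), NOW):
        print(finding)
```

Run it against the real file with `parse_stats_log(open("/var/log/suricata/stats.log").read())` and `datetime.now()` as the inspection time. A high drop percentage during the attack points at capture-side resource exhaustion (ring buffer or CPU) rather than a Suricata crash, an interval with zero packets on a busy link points at a stalled capture thread, and a stats.log that simply stops advancing is the pattern to expect from a hung process, which is exactly the moment to take the gdb backtrace before restarting.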


