[Oisf-users] Drops: From none to gigantic in the blink of an eye

Cloherty, Sean E scloherty at mitre.org
Wed Mar 23 19:26:04 UTC 2016


Thank you Cooper,

I will give this a try.  Though I would assume that the SYN flood would still show up as increased network traffic on the interface. This is a test machine, but I do have it integrated into our production Zabbix monitor so I can keep an eye on it.

Does anyone think it might be a symptom of a memory leak?  Would it be worthwhile testing Victor's suggestion before trying the new RC that was released?

-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Wednesday, March 23, 2016 13:07 PM
To: Cloherty, Sean E <scloherty at mitre.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Drops: From none to gigantic in the blink of an eye

I spent a week or so chasing down problems like this and it turned out to be due to SYN floods (both inbound and outbound) from clients participating in a DOS attack.

When this happens you won't see anything out-of-the-ordinary on the sensor, other than high CPU load and packet drops.

I put together some sigs to detect this, copied below.  You may need to tune the threshold settings for your network.

> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)

Btw, this isn't a guarantee as to what you are seeing.  These sigs also may put a high load on your sensor, so keep that in mind.

-Coop

On 3/23/2016 9:12 AM, Cloherty, Sean E wrote:
> Our Suricata installation went from normal to completely haywire overnight Tuesday.  It was cruising along with very low packet loss (0.002%) when suddenly between 2:24 and 2:29 AM it began to grow extremely rapidly.
>
> So far I've checked and
>
> - NIC stats for errors or drops are very few (at bottom of email)
> - There were no changes to the server Tuesday AM to account for this
> - Network traffic just before and after exhibited no major change of volume.
> - No errors are visible in the messages file, or Suricata logs, that appear out of the ordinary.
> - Since that time RAM usage and CPU utilization are much higher (no surprise)
>
> The most pertinent data is below or attached. Any input at all would be helpful to say the least . . .
>


--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
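To make the quoted rules' matching concrete, here is an added Python illustration (not Cooper's or Suricata's code) that models `flags: S,12` and `threshold: type both, track by_dst, count 5000, seconds 5` over constructed packet records. The threshold semantics follow the Suricata rule documentation; the addresses, counts and timestamps are constructed sample values.

```python
"""Added illustration of the quoted SYN-rate rules (not Suricata's own code):
flags:S,12 plus threshold type both, track by_dst, count N, seconds W."""
from collections import namedtuple

# TCP flag bits. Suricata's "1" and "2" modifiers name the two reserved bits
# (the flag byte's high bits, now used by ECN as CWR and ECE).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
RESERVED_MASK = ECE | CWR
Packet = namedtuple("Packet", "ts src dst flags")  # constructed record; ts in seconds


def syn_only(flags: int) -> bool:
    """flags:S,12 -> exactly SYN set once the two reserved bits are masked off."""
    return (flags & ~RESERVED_MASK) == SYN


class SynRateDetector:
    """threshold: type both, track by_dst (modelled on the documented semantics).

    Per destination, count matching packets inside a `seconds` window; alert once
    when `count` is reached and stay quiet for the rest of that window.
    """

    def __init__(self, count: int = 5000, seconds: float = 5.0):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst -> [window_start, hits, alerted]

    def observe(self, pkt: Packet):
        """Return an alert tuple (ts, dst), or None, for one packet."""
        if not syn_only(pkt.flags):
            return None
        st = self.state.get(pkt.dst)
        if st is None or pkt.ts - st[0] >= self.seconds:
            st = self.state[pkt.dst] = [pkt.ts, 0, False]  # open a new window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return (pkt.ts, pkt.dst)
        return None


def run(packets, count=5000, seconds=5.0):
    """Feed packets through one detector; return the alerts raised."""
    det = SynRateDetector(count, seconds)
    return [a for a in map(det.observe, packets) if a]


def constructed_flood(dst="10.0.0.5", n=5000, start=0.0, span=4.0):
    """Constructed sample: n SYNs to dst spread evenly over `span` seconds."""
    return [Packet(start + i * span / n, f"198.51.100.{i % 250}", dst, SYN) for i in range(n)]
```

Note that the per-destination state is what the rule keeps for every destination seeing SYNs, which is why Cooper warns the sigs can load a busy sensor.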
