[Oisf-users] Drops: From none to gigantic in the blink of an eye
Cooper F. Nelson
cnelson at ucsd.edu
Wed Mar 23 19:33:40 UTC 2016
The thing about SYN floods is that they don't generate that much traffic.
They are designed to DOS hosts, not networks. And it only takes a few
mbits of SYN packets from spoofed source addresses/ports to DOS a
suricata sensor, due to flow hashing/tracking.
If it's a memory leak you should be able to see that by running top and
monitoring memory usage, which looks ok in your case.
If it's an issue with the flow memory-cap I would think you'd be seeing
lots of messages in the suricata log about flow-emergency mode.
-Coop
On 3/23/2016 12:26 PM, Cloherty, Sean E wrote:
> Thank you Cooper,
>
> I will give this a try. Though I would assume that the SYN flood
> would still show up as increased network traffic on the interface.
> This is a test machine, but I do have it integrated into our
> production Zabbix monitor so I can keep an eye on it.
>
> Does anyone think it might be a symptom of a memory leak? Would it
> be worthwhile testing Victor's suggestion before trying the new RC
> that was released?
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
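As an added illustration of Coop's point above (not code from the thread or from Suricata), a small model of how many new flows a low-bandwidth spoofed SYN flood creates per second versus how much of the link it uses; the wire frame size, per-flow memory, new-flow timeout and memcap values are assumptions for the example, not Suricata defaults, so check your own suricata.yaml (flow.memcap, flow-timeouts) for real figures.

```python
"""Model why a few Mbit/s of spoofed SYNs exhaust a sensor's flow table.

Added illustration; all sizing figures below are labelled assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Minimal TCP SYN: 14 Ethernet + 20 IP + 20 TCP = 54 bytes, padded to 60,
# plus 4 FCS, 8 preamble and 12 inter-frame gap on the wire = 84 bytes.
SYN_WIRE_BYTES = 84


@dataclass
class FlowModel:
    flood_mbps: float          # offered SYN load in Mbit/s
    link_mbps: float           # sensor interface speed in Mbit/s
    new_flow_timeout_s: int    # seconds an unanswered SYN's flow is kept (assumption)
    bytes_per_flow: int        # memory the tracker spends per flow (assumption)
    flow_memcap_bytes: int     # configured flow memory cap (assumption)

    def syn_per_second(self) -> float:
        # Every spoofed SYN has a fresh source address/port, so each one
        # hashes to a new 5-tuple and allocates a new flow entry.
        return self.flood_mbps * 1_000_000 / 8 / SYN_WIRE_BYTES

    def link_utilisation_pct(self) -> float:
        # What the interface graph in Zabbix would show for the flood.
        return 100.0 * self.flood_mbps / self.link_mbps

    def steady_state_flows(self) -> float:
        # Flows accumulate until their timeout expires: rate x lifetime.
        return self.syn_per_second() * self.new_flow_timeout_s

    def flows_until_memcap(self) -> float:
        return self.flow_memcap_bytes / self.bytes_per_flow

    def seconds_until_memcap(self) -> Optional[float]:
        """Seconds until flow memory is exhausted, or None if it never is."""
        if self.steady_state_flows() < self.flows_until_memcap():
            return None
        return self.flows_until_memcap() / self.syn_per_second()


# Constructed scenario: 3 Mbit/s of SYNs into a 1 Gbit/s sensor with a
# 30 s new-flow timeout, 400 bytes per flow and a 32 MiB flow memcap.
EXAMPLE = FlowModel(3, 1000, 30, 400, 32 * 1024 * 1024)
```

With these assumptions the flood is 0.3% of the link yet creates about 4,464 new flows per second and fills the flow memory in under 19 seconds, which is why it shows up as drops rather than as interface traffic.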