LinuxQuestions.org
Old 01-12-2005, 11:51 PM   #1
electron707
high cpu utilization under heavy traffic load


I am using Mandrake 10.0 PowerPack with Shorewall as the firewall. I am observing very high CPU utilization due to DROP packets from the net. Someone is flooding the server at various ports; the ports are being blocked by the firewall, but the CPU utilization goes very, very high. On the other hand, if I disable the firewall, the CPU utilization goes back to normal.

How am I supposed to handle the situation?
 
Old 01-13-2005, 12:15 AM   #2
barryman_5000
Renice the firewall? If it's being packet'd, I wouldn't disable the firewall. If you renice it to 19, then everything should still run just fine... but if the packeting stops, then restore its original niceness.
 
Old 01-13-2005, 12:17 AM   #3
Capt_Caveman
A good way to start is by using tcpdump or Ethereal to capture a few packets to see what's going on, so that you can verify it is malicious in nature as well as get an idea of the specific type of traffic you're dealing with. There are various measures you can take that are dependent on what kind of traffic you're seeing.

If it is malicious, then you definitely want to notify your ISP as well as the owner of the netblock that the traffic is originating from (you can usually find an abuse@ address using a whois lookup). From there, you can try turning off connection tracking (tracking connection states consumes a lot of resources) and use simple packet filtering. You can also try adjusting several of the sysctl networking parameters (shorten connection timeouts). If you're dealing with a SYN flood, then turning on tcp_syncookies may help too. Seeing what type of traffic is hitting your box will help to narrow down the best options (in theory).

Finally, make sure that your kernel and iptables versions are current. There are several DoS vulnerabilities (including CPU resource consumption) in older versions.
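The first step above is to look at a capture before changing anything. The following is an added example, not code from this thread or from any of its posters: a small POSIX shell helper that summarises `tcpdump -n` text output by source address and by SYNs per destination port, so a flood from one host stands out. The capture lines are constructed, using documentation address ranges (192.0.2.0/24 and 198.51.100.0/24); the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the thread): summarise a "tcpdump -n" capture
# so you can see who is sending what before touching firewall or sysctl settings.
# SAMPLE_CAPTURE is constructed sample data in tcpdump's text format.

SAMPLE_CAPTURE='23:51:02.100001 IP 192.0.2.10.44321 > 198.51.100.5.3128: Flags [S], seq 1, win 512, length 0
23:51:02.100102 IP 192.0.2.10.44322 > 198.51.100.5.3128: Flags [S], seq 2, win 512, length 0
23:51:02.100203 IP 192.0.2.10.44323 > 198.51.100.5.3128: Flags [S], seq 3, win 512, length 0
23:51:02.100304 IP 192.0.2.10.44324 > 198.51.100.5.3128: Flags [S], seq 4, win 512, length 0
23:51:02.200000 IP 192.0.2.77.51000 > 198.51.100.5.22: Flags [S], seq 9, win 65535, length 0
23:51:02.200500 IP 192.0.2.77.51000 > 198.51.100.5.22: Flags [.], ack 1, win 65535, length 0
23:51:03.000000 IP 192.0.2.10.44325 > 198.51.100.5.3128: Flags [S], seq 5, win 512, length 0'

# Packets per source address, busiest first.  Reads tcpdump text on stdin and
# prints "<ip> <count>" lines.  Field 3 is "a.b.c.d.port"; the port is dropped.
top_sources() {
    awk '$2 == "IP" {
        split($3, a, ".")
        print a[1] "." a[2] "." a[3] "." a[4]
    }' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Pure SYN packets per destination port, busiest first ("<port> <count>").
# Field 5 is "a.b.c.d.port:"; the trailing colon is stripped, last element is the port.
syn_per_port() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        sub(/:$/, "", $5)
        n = split($5, b, ".")
        print b[n]
    }' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Print only the source addresses that sent at least $1 packets (default 100;
# the threshold is an assumption, tune it to your link and capture length).
flag_flooders() {
    thr="${1:-100}"
    top_sources | awk -v thr="$thr" '$2 >= thr {print $1}'
}

# Dry run against the constructed capture.  On a live box you would instead run
# something like:  tcpdump -n -c 2000 -i eth0 | flag_flooders 500
printf '%s\n' "$SAMPLE_CAPTURE" | top_sources
printf '%s\n' "$SAMPLE_CAPTURE" | syn_per_port
printf '%s\n' "$SAMPLE_CAPTURE" | flag_flooders 3
```

With the constructed capture the output shows 192.0.2.10 sending five SYNs to port 3128, which is the pattern the original poster later reports; the addresses it flags are the ones to look up with whois and report to the abuse@ contact, as the post suggests.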
 
Old 01-13-2005, 05:02 AM   #4
electron707
I have tried to log what type of traffic is flooding the PC: some remote IP is continuously sending TCP packets to port 3128 (the Squid port) on my server IP.

This computer is being used as a Squid proxy server for the internal LAN (~50 users), and has a real IP on the Internet interface. The firewall is continuously dropping the incoming requests on 3128 from the Internet interface, but the rate of incoming packets is very, very fast. The server is connected with a 512 Kbps dedicated Internet link.
 
Old 01-13-2005, 08:59 AM   #5
Capt_Caveman
Start out by turning tcp_syncookies on with:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
tcp_syncookies forces any new connection attempt to be validated by the remote host before it's entered into the connection tracking table (basically a SYN-ACK is sent to the host with a special non-random sequence number that must be acknowledged). This reduces the amount of resources a SYN flood can consume. However, the syncookies mechanism isn't turned on until your max SYN backlog is reached, so that may need to be modified as well if syncookies aren't triggered. Second, call your ISP's abuse desk or NOC and tell them what you're experiencing. See if they can temporarily null-route traffic from that IP until it stops.

You can also try decreasing the value of /proc/sys/net/ipv4/tcp_synack_retries (should be 5 by default); reducing it to 3 or 4 should decrease the connection timeout on unanswered SYNs from 180 to ~100-135 seconds. Remember to pay close attention after adjusting networking parameters, as it may cause your own hosts and legitimate clients to have problems as well.

Finally, you might want to make sure that Squid doesn't allow proxying to remote hosts on the Internet, as the traffic you're seeing might be someone attempting to use you to proxy a large amount of traffic and not an actual attack per se.

Last edited by Capt_Caveman; 01-13-2005 at 09:03 AM.
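The three kernel knobs named in this post (tcp_syncookies, the SYN backlog it depends on, and tcp_synack_retries) are usually applied together and then verified. What follows is an added example, not code from the thread or from any of its posters: a POSIX shell script that renders them as a sysctl.conf fragment, applies them, and reads them back to report any mismatch. The proc root is a hypothetical parameter so the script can be exercised against a constructed directory tree instead of the real /proc; the backlog value of 2048 and the constructed "default" values (0, 5, 1024) are assumptions, and the retries value of 3 follows the post's suggestion.

```shell
#!/bin/sh
# Added example (not from the thread): SYN-flood tuning as a sysctl fragment
# plus apply/verify helpers.  The proc root argument is a hypothetical knob so
# the same functions work against a constructed tree (dry run) or /proc (live).

# The settings, rendered in sysctl.conf syntax so they survive a reboot.
# syncookies on; synack retries lowered to 3 (post's suggestion);
# max_syn_backlog raised (2048 is an assumed value) so cookies are not gated
# on a tiny backlog filling first.
render_syn_tuning() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 2048
EOF
}

# Map a dotted sysctl key to its file under the given proc root.
param_path() {
    printf '%s/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Read one parameter; prints nothing (and still returns 0) if it is absent.
read_param() {
    p="$(param_path "$1" "$2")"
    if [ -r "$p" ]; then cat "$p"; fi
}

# Write the rendered settings into the tree under $1 (default /proc, needs root).
apply_syn_tuning() {
    root="${1:-/proc}"
    for line in $(render_syn_tuning | tr -d ' '); do
        key="${line%%=*}"; want="${line#*=}"
        printf '%s\n' "$want" > "$(param_path "$root" "$key")"
    done
}

# Compare live values with the fragment.  Prints "key=have (want X)" for each
# mismatch and returns 1 if any; returns 0 when everything matches.
check_syn_tuning() {
    root="${1:-/proc}"
    rc=0
    for line in $(render_syn_tuning | tr -d ' '); do
        key="${line%%=*}"; want="${line#*=}"
        have="$(read_param "$root" "$key")"
        if [ "$have" != "$want" ]; then
            echo "$key=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed /proc-style tree for dry runs and tests.
# $1 = root dir, $2 = syncookies, $3 = synack_retries, $4 = max_syn_backlog
make_fake_proc() {
    mkdir -p "$1/sys/net/ipv4"
    echo "$2" > "$1/sys/net/ipv4/tcp_syncookies"
    echo "$3" > "$1/sys/net/ipv4/tcp_synack_retries"
    echo "$4" > "$1/sys/net/ipv4/tcp_max_syn_backlog"
}

# Dry run: constructed tree with assumed pre-tuning values, then apply and verify.
demo_root="$(mktemp -d)"
make_fake_proc "$demo_root" 0 5 1024
check_syn_tuning "$demo_root" || echo "-- before tuning: mismatches above"
apply_syn_tuning "$demo_root"
check_syn_tuning "$demo_root" && echo "-- after tuning: all three values match"
rm -rf "$demo_root"
```

On a real host you would run `check_syn_tuning` with no argument (so it reads /proc) after placing the rendered fragment in /etc/sysctl.conf and loading it, and keep it in a monitoring job: a mismatch after a reboot means the change did not persist. As the post warns, watch your own clients after lowering tcp_synack_retries, since it also shortens how long legitimate slow handshakes are retried.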
 