syslogd DDoS

From: Fletcher Mattox (fletcher@cs.utexas.edu)
Date: Thu Dec 15 2005 - 14:33:18 EST


Hi

We use a Sunfire-280 and Solaris 9 as a syslog server for about
800 machines. All syslog entries are forwarded to the server.
This can create an effective DDoS when a user generates an rsh (or any
other service which uses syslog) to all 800 machines asynchronously.
For example, running something like this will do it:

        # one rsh per host, all launched in the background at once
        for f in `cat file_of_800_hostnames` ; do
                rsh $f -n date &
        done

Now I expect, and can live with, a momentary spike in load on the server
while syslogd logs all these entries. That's normal. But the server
never recovers until syslogd has been killed and restarted. All network
response becomes very sluggish. ping times are measured in seconds,
not milliseconds. It is as if something in the kernel associated with
syslog's port (514/udp) has blocked all other network ports. The load
average climbs to 30+, all waiting on the network. This lasts hours
after the initial event--until syslogd is killed/restarted.
Why doesn't the machine recover? Is there some ndd parameter I
can tweak?

Thanks
Fletcher
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
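As an added example (not part of the original post or of any Sun tool), a small detector that scans syslog lines for the pattern described above: many distinct hosts logging the same service within a few seconds. The log lines, the `rshd` service name and the thresholds are constructed assumptions.

```python
# Added example: flag bursts in which many distinct hosts log the same
# service inside a short window, the pattern an asynchronous rsh to
# hundreds of machines produces on the central syslog server.
import re
from collections import defaultdict
from datetime import datetime

# Classic BSD syslog line: "Mon DD HH:MM:SS host service[pid]: message"
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")

# Constructed sample lines (not real logs); four hosts log rshd in 2 s.
SAMPLE = """\
Dec 15 14:33:18 host001 rshd[1201]: connect from user@client
Dec 15 14:33:18 host002 rshd[2311]: connect from user@client
Dec 15 14:33:19 host003 rshd[884]: connect from user@client
Dec 15 14:33:19 host004 rshd[7712]: connect from user@client
Dec 15 14:33:20 host001 sshd[1300]: Accepted publickey for admin
Dec 15 14:40:01 host002 cron[99]: job run
""".splitlines()

def parse(line, year=2005):
    """Return (timestamp, host, service, message) or None if not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_bursts(lines, window_s=10, min_hosts=3):
    """Per service, the largest number of distinct hosts seen in any
    window_s-second sliding window; only services reaching min_hosts
    are returned, as {service: (distinct_hosts, window_start)}."""
    events = sorted(e for e in map(parse, lines) if e)
    by_service = defaultdict(list)
    for ts, host, svc, _ in events:
        by_service[svc].append((ts, host))
    bursts = {}
    for svc, evs in by_service.items():
        best, start, i = 0, None, 0
        for j in range(len(evs)):
            # slide the window start forward until it spans <= window_s
            while (evs[j][0] - evs[i][0]).total_seconds() > window_s:
                i += 1
            n = len({h for _, h in evs[i:j + 1]})
            if n > best:
                best, start = n, evs[i][0]
        if best >= min_hosts:
            bursts[svc] = (best, start)
    return bursts
```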
