[Spread-users] Spread broadcast spam?

Jan Mulders lastchancehotel at gmail.com
Mon Jun 18 14:48:06 EDT 2007 

Hello all.

I'm setting up Spread in a datacenter environment where I have multiple
boxes, on multiple subnets, all needing to transmit to one machine (fdc2)
for the purpose of collecting logs.

I recently recieved a ticket claiming that one of my log transmitting
machines - the only active one - was performing a broadcast DDOS attack on
its entire subnet. Upon further investigation, Spread was located as the
culprit.

Here is my spread configuration file for your reference.

Spread_Segment xx.yy.zz.255:4803
{
        fdc2    xx.yy.zz.108
        fdc33   xx.yy.zz.175
}
Spread_Segment aa.bb.cc.255:4803
{
        fdc27   aa.bb.cc.241
}

DebugFlags = { PRINT EXIT }
EventLogFile = /var/log/spread.log
#EventLogFile = /var/log/spread_%h.log
EventTimeStamp = "[%a %d %b %Y %H:%M:%S]"
DangerousMonitor = false
#SocketPortReuse = AUTO
RuntimeDir = /var/run/spread
DaemonUser = spread
DaemonGroup = spread

fdc33 is sending the logs, and fdc2 is recieving the logs.

Here is the output of spmonitor:

Monitor> Monitor: send status query

============================
Status at fdc33 V 3.17. 4 (state 1, gstate 1) after 1016 seconds :
Membership  :  2  procs in 1 segments, leader is fdc2
rounds   :    2383      tok_hurry :    1991     memb change:       1
sent pack:    6027      recv pack :       2     retrans    :    5956
u retrans:    5956      s retrans :       0     b retrans  :       0
My_aru   :    6029      Aru       :    6029     Highest seq:    6029
Sessions :       1      Groups    :       2     Window     :      60
Deliver M:    6025      Deliver Pk:    6029     Pers Window:      15
Delta Mes: -2969904     Delta Pack:       0     Delta sec  : -112811
==================================

Monitor>
============================
Status at fdc2 V 3.17. 4 (state 1, gstate 1) after 113837 seconds :
Membership  :  2  procs in 1 segments, leader is fdc2
rounds   :    2383      tok_hurry : 2435800     memb change:      13
sent pack:      15      recv pack : 5864749     retrans    :      13
u retrans:      13      s retrans :       0     b retrans  :       0
My_aru   :    6029      Aru       :    6029     Highest seq:    6029
Sessions :       1      Groups    :       2     Window     :      60
Deliver M: 2975929      Deliver Pk: 3024892     Pers Window:      15
Delta Mes: 2969904      Delta Pack:       0     Delta sec  :  112821
==================================

When I run 'tcpdump -i eth0 -n src xx.yy.zz.175 or dst xx.yy.zz.175' and run
spflooder on fdc33, I get the following output on a machine within the
xx.yy.zz subnet, which is not listed in the Spread configuration:

14:27:04.175277 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175379 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175473 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175574 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175669 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175762 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175857 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.175963 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
14:27:04.176149 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1192

So, my question is this:

Why is Spread spamming the entire subnet?

Why doesn't it list 'b retrans' as a number more than 0 in spmonitor? Why
doesn't Spread notice that Multicast and Broadcast don't work, and fall back
to Unicast on a per-session rather than (presumably) per-packet basis?

Is there an option to change this behaviour?

Thanks,

Jan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.spread.org/pipermail/spread-users/attachments/20070618/258c00cb/attachment.html

More information about the Spread-users mailing list