Hello all.<br><br>I'm setting up Spread in a datacenter environment where I have multiple boxes, on multiple subnets, all needing to transmit to one machine (fdc2) for the purpose of collecting logs.<br><br>I recently received a ticket claiming that one of my log-transmitting machines - the only active one - was performing a broadcast DDOS attack on its entire subnet. Upon further investigation, Spread was located as the culprit.
<br><br>Here is my spread configuration file for your reference.<br><br>Spread_Segment xx.yy.zz.255:4803<br>{<br> fdc2 xx.yy.zz.108<br> fdc33 xx.yy.zz.175<br>}<br>Spread_Segment aa.bb.cc.255:4803<br>{<br>
fdc27 aa.bb.cc.241<br>}<br><br>DebugFlags = { PRINT EXIT }<br>EventLogFile = /var/log/spread.log<br>#EventLogFile = /var/log/spread_%h.log<br>EventTimeStamp = "[%a %d %b %Y %H:%M:%S]"<br>DangerousMonitor = false
<br>#SocketPortReuse = AUTO<br>RuntimeDir = /var/run/spread<br>DaemonUser = spread<br>DaemonGroup = spread<br><br>fdc33 is sending the logs, and fdc2 is receiving the logs.<br><br>Here is the output of spmonitor:<br><br>Monitor> Monitor: send status query
<br><br>============================<br>Status at fdc33 V 3.17. 4 (state 1, gstate 1) after 1016 seconds :<br>Membership : 2 procs in 1 segments, leader is fdc2<br>rounds : 2383 tok_hurry : 1991 memb change: 1
<br>sent pack: 6027 recv pack : 2 retrans : 5956<br>u retrans: 5956 s retrans : 0 b retrans : 0<br>My_aru : 6029 Aru : 6029 Highest seq: 6029<br>Sessions : 1 Groups : 2 Window : 60
<br>Deliver M: 6025 Deliver Pk: 6029 Pers Window: 15<br>Delta Mes: -2969904 Delta Pack: 0 Delta sec : -112811<br>==================================<br><br>Monitor><br>============================
<br>Status at fdc2 V 3.17. 4 (state 1, gstate 1) after 113837 seconds :<br>Membership : 2 procs in 1 segments, leader is fdc2<br>rounds : 2383 tok_hurry : 2435800 memb change: 13<br>sent pack: 15 recv pack : 5864749 retrans : 13
<br>u retrans: 13 s retrans : 0 b retrans : 0<br>My_aru : 6029 Aru : 6029 Highest seq: 6029<br>Sessions : 1 Groups : 2 Window : 60<br>Deliver M: 2975929 Deliver Pk: 3024892 Pers Window: 15
<br>Delta Mes: 2969904 Delta Pack: 0 Delta sec : 112821<br>==================================<br><br>When I run 'tcpdump -i eth0 -n src xx.yy.zz.175 or dst xx.yy.zz.175' and run spflooder on fdc33, I get the following output on a machine within the
xx.yy.zz subnet, which is not listed in the Spread configuration:<br><br>14:27:04.175277 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.175379 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
<br>14:27:04.175473 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.175574 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.175669 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112
<br>14:27:04.175762 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.175857 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.175963 IP xx.yy.zz.175.32877
> xx.yy.zz.255.4803: UDP, length 1112<br>14:27:04.176149 IP xx.yy.zz.175.32877 > xx.yy.zz.255.4803: UDP, length 1192<br><br>So, my question is this:<br><br>Why is Spread spamming the entire subnet?<br><br>Why doesn't it list 'b retrans' as a number more than 0 in spmonitor? Why doesn't Spread notice that Multicast and Broadcast don't work, and fall back to Unicast on a per-session rather than (presumably) per-packet basis?
<br><br>Is there an option to change this behaviour?<br><br>Thanks,<br><br>Jan<br>
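One way to quantify the broadcast traffic seen in the tcpdump capture above, as an added example that is not part of the original post: it parses `tcpdump -n` UDP lines and reports, per sender and destination port, the packets, bytes and packet rate sent to a subnet's broadcast address. The 192.0.2.0/24 addresses and sample lines are constructed (the post masks its real addresses), and the name `broadcast_flows` is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Matches "tcpdump -n" UDP lines in the layout shown in the post.
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)

# Constructed sample capture: documentation addresses stand in for the masked ones.
SAMPLE = """\
14:27:04.175277 IP 192.0.2.175.32877 > 192.0.2.255.4803: UDP, length 1112
14:27:04.175379 IP 192.0.2.175.32877 > 192.0.2.255.4803: UDP, length 1112
14:27:04.175473 IP 192.0.2.175.32877 > 192.0.2.255.4803: UDP, length 1112
14:27:04.175574 IP 192.0.2.108.4803 > 192.0.2.175.4803: UDP, length 64
14:27:04.176149 IP 192.0.2.175.32877 > 192.0.2.255.4803: UDP, length 1192
"""


def broadcast_flows(lines, network):
    """Summarise UDP traffic addressed to the broadcast address of `network`.

    Assumes the capture does not cross midnight (tcpdump prints no date here).
    Returns {(src_ip, dst_port): {"packets", "bytes", "pps"}}.
    """
    bcast = ipaddress.ip_network(network).broadcast_address
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected layout
        h, mi, s, us, src, _sport, dst, dport, length = m.groups()
        if ipaddress.ip_address(dst) != bcast:
            continue  # unicast (or another subnet): not what we are measuring
        # Integer microseconds since midnight avoid float rounding on tiny spans.
        ts = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
        f = flows[(src, int(dport))]
        f["packets"] += 1
        f["bytes"] += int(length)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    report = {}
    for key, f in flows.items():
        span_us = f["last"] - f["first"]
        # A rate needs at least two packets; report None instead of dividing by zero.
        pps = (f["packets"] - 1) * 1_000_000 / span_us if span_us > 0 else None
        report[key] = {"packets": f["packets"], "bytes": f["bytes"], "pps": pps}
    return report
```
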