[Info-vax] TCPIP tying up system
H Vlems
hvlems at freenet.de
Sat Nov 27 16:30:42 EST 2010
On 27 nov, 13:07, hel... at astro.multiCLOTHESvax.de (Phillip Helbig---undress to reply) wrote:
> Recently, I've noticed a slowdown which is apparently due to TCPIP
> processes. However, before I can gain information on them, they go away
> (and others appear). Usually, it goes away after 5 minutes or so. I
> notice it every couple of days, so it probably happens several times a
> day.
>
> Today, it tied things up so bad I had to do CTRL-P and reboot. I
> couldn't access any active sessions and couldn't log in from elsewhere.
>
> Here's a list of processes I collected from another node before the
> reboot:
>
> OpenVMS V7.3-2 on node GLADIA 27-NOV-2010 11:53:07.77 Uptime 252 05:30:56
> Pid      Process Name    State Pri       I/O           CPU Page flts Pages
> 24060604 TCPIP$SMT_BG416 COM    11       152 0 00:00:18.90      3233   240 N
> 24060E06 TCPIP$SMT_BG452 COM    11       174 0 00:00:21.98   1003864   281 N
> 24061015 TCPIP$SMT_BG461 COM    11       104 0 00:00:20.67   1002070   187 N
> 24000117 TCPIP$INETACP   HIB     8   3018984 0 00:26:04.95     45131   169
> 24000118 TCPIP$ROUTED    COMO   15    -- swapped out --                 26 S
> 24000119 TCPIP$PORTM_1   LEFO   14    -- swapped out --                 21 N
> 2400011A TCPIP$BOOTP_1   LEFO   14    -- swapped out --                 21 N
> 2400011B TCPIP$FTP_1     LEFO   14    -- swapped out --                 24 N
> 24060142 TCPIP$SMT_BG570 COM    11       105 0 00:00:16.63    972127   150 N
> 24060A43 TCPIP$SMT_BG580 COM    11       101 0 00:00:16.86    969264   187 N
> 2405F844 TCPIP$SMT_BG631 COM    11        95 0 00:00:14.75    945505   116 N
> 2405FD46 TCPIP$SMT_BG646 COM    11       105 0 00:00:15.03    941674   185 N
> 24060E51 TCPIP$SS_BG1304 COMO   15    -- swapped out --                  7 N
> 24060F52 TCPIP$SS_BG1672 COMO   15    -- swapped out --                  7 N
> 24060C78 TCPIP$SM_BG9791 COM    11       174 0 00:00:26.67     49654   259 N
> 24060583 TCPIP$SM_BG9827 COM    11       147 0 00:00:27.42     36428   236 N
> 24060D86 TCPIP$SM_BG9873 COM    11       140 0 00:00:24.86     25645   220 N
>
> MONITOR showed SWAPPER taking the largest CPU share, about 37%.
>
> I suspect some sort of spam flood or DOS attack.
>
> Any ideas what it is?
>
> Any ideas how to prevent it without too large a sacrifice?
Try ACC/since=<date>/type=logfail; that might tell you whether the
system was under attack.
Hans