[Info-vax] TCPIP tying up system

Richard B. Gilbert rgilbert88 at comcast.net
Sun Nov 28 10:05:57 EST 2010


On 11/27/2010 4:30 PM, H Vlems wrote:
> On 27 nov, 13:07, hel... at astro.multiCLOTHESvax.de (Phillip Helbig---
> undress to reply) wrote:
>> Recently, I've noticed a slowdown which is apparently due to TCPIP
>> processes.  However, before I can gain information on them, they go away
>> (and others appear).  Usually, it goes away after 5 minutes or so.  I
>> notice it every couple of days, so it probably happens several times a
>> day.
>>
>> Today, it tied things up so bad I had to do CTRL-P and reboot.  I
>> couldn't access any active sessions and couldn't log in from elsewhere.
>>
>> Here's a list of processes I collected from another node before the
>> reboot:
>>
>> OpenVMS V7.3-2  on node GLADIA  27-NOV-2010 11:53:07.77  Uptime  252 05:30:56
>>    Pid    Process Name    State  Pri      I/O       CPU       Page flts  Pages
>> 24060604 TCPIP$SMT_BG416 COM     11      152   0 00:00:18.90      3233    240  N
>> 24060E06 TCPIP$SMT_BG452 COM     11      174   0 00:00:21.98   1003864    281  N
>> 24061015 TCPIP$SMT_BG461 COM     11      104   0 00:00:20.67   1002070    187  N
>> 24000117 TCPIP$INETACP   HIB      8  3018984   0 00:26:04.95     45131    169
>> 24000118 TCPIP$ROUTED    COMO    15       --  swapped  out  --             26  S
>> 24000119 TCPIP$PORTM_1   LEFO    14       --  swapped  out  --             21  N
>> 2400011A TCPIP$BOOTP_1   LEFO    14       --  swapped  out  --             21  N
>> 2400011B TCPIP$FTP_1     LEFO    14       --  swapped  out  --             24  N
>> 24060142 TCPIP$SMT_BG570 COM     11      105   0 00:00:16.63    972127    150  N
>> 24060A43 TCPIP$SMT_BG580 COM     11      101   0 00:00:16.86    969264    187  N
>> 2405F844 TCPIP$SMT_BG631 COM     11       95   0 00:00:14.75    945505    116  N
>> 2405FD46 TCPIP$SMT_BG646 COM     11      105   0 00:00:15.03    941674    185  N
>> 24060E51 TCPIP$SS_BG1304 COMO    15       --  swapped  out  --              7  N
>> 24060F52 TCPIP$SS_BG1672 COMO    15       --  swapped  out  --              7  N
>> 24060C78 TCPIP$SM_BG9791 COM     11      174   0 00:00:26.67     49654    259  N
>> 24060583 TCPIP$SM_BG9827 COM     11      147   0 00:00:27.42     36428    236  N
>> 24060D86 TCPIP$SM_BG9873 COM     11      140   0 00:00:24.86     25645    220  N
>>
>> MONITOR showed SWAPPER taking the largest CPU share, about 37%.
>>
>> I suspect some sort of spam flood or DOS attack.
>>
>> Any ideas what it is?
>>
>> Any ideas how to prevent it without too large a sacrifice?
>
> Try ACC/since=<date>/type=logfail; that might tell you whether the
> system was under attack.
> Hans

It would be a lot of work, but you could identify the addresses sending 
the junk and block them.  Or, you might try using an ISP such as Comcast 
that blocks 99.44% of the crud.

Back in the 1990s, I wrote a simple spam filter based on subject lines.
AIRC, strings like "Pharm" and "$$$" were sufficient reason to block
the mail.  Such mail went into a "Spam" folder that I checked and 
deleted every couple of days.  It's more complicated now!  <sigh>

A lot of garbage used to come from 218.*.*.*, probably still does but 
it's blocked and I never see it.



