[Info-vax] TCPIP tying up system
Richard B. Gilbert
rgilbert88 at comcast.net
Mon Nov 29 20:10:54 EST 2010
On 11/27/2010 7:07 AM, Phillip Helbig---undress to reply wrote:
> Recently, I've noticed a slowdown which is apparently due to TCPIP
> processes. However, before I can gain information on them, they go away
> (and others appear). Usually, it goes away after 5 minutes or so. I
> notice it every couple of days, so it probably happens several times a
> day.
>
> Today, it tied things up so bad I had to do CTRL-P and reboot. I
> couldn't access any active sessions and couldn't log in from elsewhere.
>
> Here's a list of processes I collected from another node before the
> reboot:
>
> OpenVMS V7.3-2 on node GLADIA 27-NOV-2010 11:53:07.77 Uptime 252 05:30:56
> Pid Process Name State Pri I/O CPU Page flts Pages
> 24060604 TCPIP$SMT_BG416 COM 11 152 0 00:00:18.90 3233 240 N
> 24060E06 TCPIP$SMT_BG452 COM 11 174 0 00:00:21.98 1003864 281 N
> 24061015 TCPIP$SMT_BG461 COM 11 104 0 00:00:20.67 1002070 187 N
> 24000117 TCPIP$INETACP HIB 8 3018984 0 00:26:04.95 45131 169
> 24000118 TCPIP$ROUTED COMO 15 -- swapped out -- 26 S
> 24000119 TCPIP$PORTM_1 LEFO 14 -- swapped out -- 21 N
> 2400011A TCPIP$BOOTP_1 LEFO 14 -- swapped out -- 21 N
> 2400011B TCPIP$FTP_1 LEFO 14 -- swapped out -- 24 N
> 24060142 TCPIP$SMT_BG570 COM 11 105 0 00:00:16.63 972127 150 N
> 24060A43 TCPIP$SMT_BG580 COM 11 101 0 00:00:16.86 969264 187 N
> 2405F844 TCPIP$SMT_BG631 COM 11 95 0 00:00:14.75 945505 116 N
> 2405FD46 TCPIP$SMT_BG646 COM 11 105 0 00:00:15.03 941674 185 N
> 24060E51 TCPIP$SS_BG1304 COMO 15 -- swapped out -- 7 N
> 24060F52 TCPIP$SS_BG1672 COMO 15 -- swapped out -- 7 N
> 24060C78 TCPIP$SM_BG9791 COM 11 174 0 00:00:26.67 49654 259 N
> 24060583 TCPIP$SM_BG9827 COM 11 147 0 00:00:27.42 36428 236 N
> 24060D86 TCPIP$SM_BG9873 COM 11 140 0 00:00:24.86 25645 220 N
>
> MONITOR showed SWAPPER taking the largest CPU share, about 37%.
>
> I suspect some sort of spam flood or DOS attack.
>
> Any ideas what it is?
>
> Any ideas how to prevent it without too large a sacrifice?
>
If I'm not misreading it, your system is receiving a great deal of mail.
Those processes are TCPIP$SMT_xxxxxx and TCPIP$SM_xxxxxx. If you are
not expecting large numbers of mail messages, you might want to
investigate the origin of these connections.

If you determine that someone is mail bombing you, you might want to
block the offender(s) at the firewall. You might also want to publish
the offending address(es) so that others can also block those addresses.

You also seem to have a number of processes swapped out. The
TCPIP$SMTP* processes seem to be using a great deal of your memory. If
these processes are doing something useful you might want to add some
memory. If the mail traffic is unwanted try to block it.
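Added example, not part of the original thread: a short Python script that summarizes a captured SHOW SYSTEM listing like the one quoted above, so a burst of mail-handling processes can be spotted from a saved copy after the processes have gone away. It assumes that names of the form PREFIX_BGnnnn are per-connection service processes; the function names and the min_procs threshold are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the process lines from the SHOW SYSTEM listing quoted in the post.
LISTING = """\
24060604 TCPIP$SMT_BG416 COM 11 152 0 00:00:18.90 3233 240 N
24060E06 TCPIP$SMT_BG452 COM 11 174 0 00:00:21.98 1003864 281 N
24000117 TCPIP$INETACP HIB 8 3018984 0 00:26:04.95 45131 169
24000118 TCPIP$ROUTED COMO 15 -- swapped out -- 26 S
2400011B TCPIP$FTP_1 LEFO 14 -- swapped out -- 24 N
24060142 TCPIP$SMT_BG570 COM 11 105 0 00:00:16.63 972127 150 N
24060E51 TCPIP$SS_BG1304 COMO 15 -- swapped out -- 7 N
24060C78 TCPIP$SM_BG9791 COM 11 174 0 00:00:26.67 49654 259 N
24060583 TCPIP$SM_BG9827 COM 11 147 0 00:00:27.42 36428 236 N
"""
LINE = re.compile(r"^([0-9A-F]{8})\s+(\S+)\s+([A-Z]+)\s+(\d+)\s+(.*)$")

def parse(listing):
    """Yield one dict per process line; banner, header and blank lines are skipped."""
    for raw in listing.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())  # tolerate mail-quoted lines
        if not m:
            continue
        pid, name, state, _pri, rest = m.groups()
        swapped = "swapped out" in rest
        # Resident layout: I/O, CPU days, CPU hh:mm:ss.cc, page faults, pages[, flag]
        faults = 0 if swapped else int(rest.split()[3])
        yield {"pid": pid, "name": name, "state": state,
               "swapped": swapped, "page_faults": faults}

def summarize(listing):
    """Group PREFIX_BGnnnn processes by PREFIX (assumed per-connection servers)."""
    out = defaultdict(lambda: {"count": 0, "computable": 0, "swapped": 0, "page_faults": 0})
    for p in parse(listing):
        if "_BG" not in p["name"]:
            continue  # long-lived daemons such as TCPIP$INETACP are not counted
        svc = out[p["name"].split("_BG")[0]]
        svc["count"] += 1
        svc["computable"] += p["state"] in ("COM", "COMO")  # runnable, in or out of memory
        svc["swapped"] += p["swapped"]
        svc["page_faults"] += p["page_faults"]
    return dict(out)

def flag(summary, min_procs=3):
    """Return prefixes with at least min_procs simultaneous processes."""
    return sorted(s for s, v in summary.items() if v["count"] >= min_procs)

if __name__ == "__main__":
    print(summarize(LISTING), "busy:", flag(summarize(LISTING)))
```
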