[hobbit] Flooding hobbit

Henrik Stoerner henrik at hswn.dk
Mon Apr 21 22:51:28 CEST 2008


On Fri, Apr 18, 2008 at 09:03:56AM +0800, Everett, Vernon wrote:
> Hoping somebody has encountered this before.
> We have put BBWin on a few Windoze servers, but one of the, a DC, has a
> HUGE event log.
> So large, that hobbit is freaking out, and doing the "Data flooding from
> 1.2.3.4, closing connection" thing.
>  
> I know this is hobbit protecting iteself from a DOS attack, but is there
> a way around this?
> Can I somehow tell hobbit not to do this for that IP address?

No.

> Unfortunately, because of its function, we can't reduce the logging on
> the Windoze server, so we need to either
>     a) get hobbit to handle the problem (desirable solution)

Only way to do that would be to change the MAX_HOBBIT_INBUFSZ definition
in hobbitd/hobbitd.c. It is currently 10 MB:

  /*
   * The absolute maximum size we'll grow our buffers to accomodate an
   * incoming message.
   * This is really just an upper bound to squash the bad guys trying to
   * data-flood us.
   */
   
   #define MAX_HOBBIT_INBUFSZ (10*1024*1024)       /* 10 MB */


Regards,
Henrik




More information about the Xymon mailing list