Providers, how common is node abuse by consumers today and what do you do to combat it?

dmmcintyre3

@KuJoe said: All of a sudden you're running kill commands as root on the host node with the assumption that the process ID is correct.

vzctl exec $ctid kill $pid

Then you don't have that problem.

AnthonySmith

I like a challenge , I will have a play over Christmas, put a crappy server up and invite some resource abuse from the community once I have loaded it up with my scripts.

I think I will call the system, silentnights should be fun.

pubcrawler

Sounds interesting @Zen. Is that script something you would make available or sell to those interested? Seems like a good hearty demand for something like that.

pubcrawler

Yikes, sorry @Zen. Maybe make it donation-ware. Or signup to give it a spin. Something...

I'm not a provider, but want to see providers swim and not drown from node abuse. Better for industry.

jar

@Zen Charge or take donations. I could use a good push on some scripts. I'm not the worst at making my own but just bad enough that its entirely too time consuming.

chihcherng

@KuJoe said: If a VPS exceeds a certain load level for X minutes (I forget the setting off hand) the VPS is restarted.

I was wondering how to identify the abuser reliably.

According to Wiki, for load average, "However, Linux also includes processes in uninterruptible sleep states (usually waiting for disk activity), which can lead to markedly different results if many processes remain blocked in I/O due to a busy or stalled I/O system." So if someone is abusing disk IO and the disk becomes buzy, one of his neighbors with many processes waiting for the disk subsystem could have a high load, be mistaken for an abuser, and get his VPS restarted unnecessarily.

A snapshot of my vps (under vserver, and I don't know how to post images here):
postimage.org/image/t0z5k66wn/

Many small processes (each less than 1MB), per process cpu utilization at 0%, total ram consumption around 80MB. My resource usage is really minimal, yet the load average is around 25. Will I be mistaken for an abuser and get my vps restarted/suspended/terminated?

Under Linux, IMO, load average is not a reliable indicator for abusers.

KuJoe

@chihcherng said: I was wondering how to identify the abuser reliably.

It's been reliable enough for us and have not had a single false positive ever since we switched to our RAID10 setup and we do a lot of manual checking before we suspend or terminate anybody. This is why we have our e-mails output the top 10 processes as well as a complete output of io usage to make sure we are catching the correct culprit.

In your example your VPS would be getting rebooted frequently but because of our proactive approach and constant monitoring if any of our nodes ever hit 25 it wouldn't stay that way for very long. I am not familiar with vserver so I cannot comment on how it handles loads/CPU/reporting but I would suggest you contact your server provider if your VPS has a load average of 25.

Rule of thumb for us, if the load is over 4.00 it generates a warning, over 10 we get an a critical alert, over 20 and the e-mails start flooding in every few minutes.

chihcherng

@Zen said: I cross reference load with processes to make sure this does not happen.

Could you give a sketch of how you do it? I guess this will help many vps providers find the real abusers of system resource. As more providers know about this, legit vps users will also be less likely to be mistaken for abusers.

@KuJoe said: I am not familiar with vserver so I cannot comment on how it handles loads/CPU/reporting but I would suggest you contact your server provider if your VPS has a load average of 25.

Thanks for the suggestion. But the vps with load above 20 still feels as responsive as it is with load below 1. Still quite speedy. Perhaps what I get is the load average for the node as a whole?

Another snapshot when I haven't start exim:
postimage.org/image/3spo24v8l/

The load average is around 24.

rds100

@Zen vzctl exec is a bad idea. Better use vzps

rds100

@Zen because vzctl exec executes programs inside the container, the VPS owner can replace said programs and make them output whatever he wants.

KuJoe

@rds100 said: Better use vzps

Is there a working version for CentOS 6?

rds100

@Kujoe i've no idea, i only have CentOS 5 based nodes, but even if it doesn't work it wouldn't be too hard to fix it and make it work i think.

rds100

[root@h2 ~]# vzps axu -E 161

 VEID     USER   PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND

  161        0 10506  0.0  0.0  2164  652 ?        S    Oct17   0:00 init [3]

  161        0 10678  0.0  0.0  2268  556 ?        S<   Oct17   0:00 /sbin/udevd

  161        0 11060  0.0  0.0  1820  560 ?        S    Oct17   0:02 syslogd -m 

  161        0 11082  0.0  0.0  7248 1016 ?        S    Oct17   0:00 /usr/sbin/s

  161        0 11093  0.0  0.0  2840  888 ?        S    Oct17   0:03 xinetd -sta

  161        0 11110  0.0  0.0  9320 1872 ?        S    Oct17   0:00 sendmail: a

  161       51 11118  0.0  0.0  8268 1512 ?        S    Oct17   0:00 sendmail: Q

  161        0 11130  0.0  0.0 10088 3516 ?        S    Oct17   0:00 /usr/sbin/h

  161        0 11146  0.0  0.0  4504 1112 ?        S    Oct17   0:00 crond

  161        0 11154  0.0  0.0  5692  700 ?        S    Oct17   0:00 /usr/sbin/s

  161        0 11156  0.0  0.0  5692  448 ?        S    Oct17   0:00 /usr/sbin/s

  161       48 741556  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741557  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741558  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741559  0.0  0.0 10220 2816 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741560  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741561  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741562  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

  161       48 741563  0.0  0.0 10220 2796 ?       S    01:46   0:00 /usr/sbin/h

KuJoe

@rds100 said: @Kujoe i've no idea, i only have CentOS 5 based nodes, but even if it doesn't work it wouldn't be too hard to fix it and make it work i think.

I don't even know how to start troubleshooting a seg fault.

rds100

@Kujoe maybe newer version of vzprocps? Google says other people had similar problems with segfaults of vzps, and there was a newer version released at some point which supposedly fixes these.

jaakka

KuJoe, a strace output would most definately help.

I however dont have to trouble my mind with those issues.

However abuse is an issue for low end dedicated servers.

I just use barracudas and nDPI for secure traffic classifications. Torrenting/FXP follows a exact timing and bandwidth allocation after a release gets released and pre-databases show it.
Port 25 is rate limited and goes only through my smtp gateway in order to prevent abuse.
Some things i just cache.

So far so good i must say. My IP range is clean.