TS-Server 3.0.0-RC1 Build 14468 Linux x64 - hangs up sometimes

[l0bster]

Good day to you!

I'm running a TS-Server 3.0.0-RC1 Build 14468 Linux x64 on an Linux 2.6.9-023stab053.2-smp #1 SMP x86_64 GNU/Linux

# cat /etc/*ease*
openSUSE 10.3 (X86-64)
VERSION = 10.3

I ran all previous versions without any problems but since 3.0.0-RC1 Build 14468 my ts server hangs serveral times a week. When this happens, the servers tcp and udp queue is getting flooded and nothing's reacting anymore. i alrdy thought it might be a ddos attack so i configured a tcpfilter firewall ... no improvement ...

All i can see when this happens is that many many new threads are spawning from the ts3 process. Nothing suspicious is logged in any logfile, wether the syslog nor the ts3 server log.

Is there any way to debug what happens when this phenomenon occures?

If you need any further information, feel free to ask ;D

Best regards!

[Peter]

New threads can mean new virtual servers or possibly file transfers. Virtual Servers you can view through the serverlist command of serverquery, and filetransfers through the ftlist command.

[l0bster]

hi, thanks for your reply!

i'm relatively sure that there are no new vservers created since no one except me should have the privileges to do so.

I'll give the filetransfer theory a try... disabling all file transfers should help temporarily, i will wait and see if the server hangs again in the next few days.

THX and beste regards!

[l0bster]

Hi again,

i'm sorry but the server still hangs from time to time, even with filetransfer option disabled.

The ts3 server hung again just several minutes ago. The process was running with a normal thread count but again i saw that my UDP Buffer got flooded again!
(current use, soft limit, hard limit)
dgramrcvbuf 287,564; 262,144; 288,358 Bytes Total size of receive buffers of UDP and other datagram protocols

Is it possible to get deeper into error analysis? I think the server is getting crashed irregularily by bad udp datagrams or something like that und stops computing the incoming packages but is still running and alive so the socket won't close and is blowing the whole system.

would be nice to hear from you

best regards

edit:

when i try to gracefully shut down the ts server these events are getting loged:

2011-06-30 15:33:58.889291|ERROR |VirtualSvrMgr | | stopserver for sid: 1 still waiting for shutdown
2011-06-30 15:34:08.897204|ERROR |VirtualSvrMgr | | stopserver for sid: 1 still waiting for shutdown

seems he has a special problem with one vserver?!
there is also another vserver running with sid=7... seems like he is able to shut this vserver down gracefully. Maybe this helps

[Tomas]

I would use firewall rules for assistance.

What/Who exactly does use your ts3server? just ts3client or some teamViewer, customMade scripts?
perhaps some client have terrible connectivity.

My suggestion is to isolate the source of your problem or perhaps see in firewall rules stats what portion of IP range is actually 'flooding'. (hopefully its not attack I think it might be, cuz it would explain the whole situation... DEV's?)

Code:

iptables -N testRanges
iptables -A testRanges -s 10.0.0.0/8 -j RETURN
iptables -A testRanges -s 172.16.0.0/12 -j RETURN
iptables -A testRanges -s 192.168.0.0/16 -j RETURN
iptables -A testRanges -s 169.254.0.0/16 -j RETURN
iptables -A testRanges -s 0.0.0.0/3 -j RETURN
iptables -A testRanges -s 32.0.0.0/3 -j RETURN
iptables -A testRanges -s 64.0.0.0/3 -j RETURN
iptables -A testRanges -s 96.0.0.0/3 -j RETURN
iptables -A testRanges -s 128.0.0.0/3 -j RETURN
iptables -A testRanges -s 160.0.0.0/3 -j RETURN
iptables -A testRanges -s 192.0.0.0/3 -j RETURN
iptables -A testRanges -s 224.0.0.0/3 -j RETURN

then add this chain before the accepting rule for your teamspeak3 in your firewall.
example: iptables -I INPUT -p udp --dport 9987 -j testRanges #if that is not good enough, tell me.

to view amounts of packets and data that matched the rule(the range of IPs in the rule) use my normal way of looking into firewall:

Code:

iptables -nvL testRanges

or to have it filed in separate console:

Code:

while true; do iptables -nvL testRanges >> testRanges_`date +%F_%H%M`; sleep 120; done

to stop saving to file each 2min, hit CTRL+C.


I am did not look into rrdtool, to make even graphs from it on the fly, sry.

I am not suggesting you to then ban the source of the problem, which might help you, but not someone else using this SW, with same problems.
But later on, we could, select just that single source and log every traffic from it. send it to devs or study it, etc....

(We)You can then fine tune the source location.
I will post that part, if (we)you can isolate the source of the issue.
#subscribed few days ago

[l0bster]

Hi Tomas,

thanks for your advice and code snipets. I will install a Firewall and monitor the suggested ports. When I've got usable data i will post them in this Thread.

Best regards!

edit: i got iptables up and running, output looks like:

Fri Jul 1 23:31:18 CEST 2011
Chain testRanges (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 32.0.0.0/3 0.0.0.0/0
1471 79674 ACCEPT all -- * * 64.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 128.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 160.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 192.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 224.0.0.0/3 0.0.0.0/0

now i have to wait for "the happening"

Thanks for your help. i will post further details if i have some...

[l0bster]

Hi Guys,

i just wanted to give you a quick feedback. The server is now up and running for 7days / 12hours with just one crash since the iptables implementation 13 days ago. Here is a quick listing from the iptables statistics...

Wed Jul 13 09:11:24 CEST 2011
Chain testRanges (7 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/3 0.0.0.0/0
4052K 366M ACCEPT all -- * * 32.0.0.0/3 0.0.0.0/0
34M 4406M ACCEPT all -- * * 64.0.0.0/3 0.0.0.0/0
37012 2038K ACCEPT all -- * * 96.0.0.0/3 0.0.0.0/0
29790 1476K ACCEPT all -- * * 128.0.0.0/3 0.0.0.0/0
1601K 169M ACCEPT all -- * * 160.0.0.0/3 0.0.0.0/0
1968K 227M ACCEPT all -- * * 192.0.0.0/3 0.0.0.0/0
0 0 ACCEPT all -- * * 224.0.0.0/3 0.0.0.0/0

Since the last crash i couldn't identifiy any heavy load against any ts3 udp/tcp port. I don't believe it's a ddos attack or someone flooding this tiny server with bogus packets or something like that.

My next step is to recreate the internal database by setting up a complete new server. Maybe this will help.

Regards...

[Tomas]

maybe these events happens due of other firewall rules you have or some clients have set.
I do not think that it is because of some routing changes.....

In other words this is in this(no access to check) way hard to debug.

As for the stats, looks like there is nothing suggesting DDoS.
I might try test the attack I was thinking if it is possible

[l0bster]

Hi Again folks,

i reinstalled the ts server a couple of days ago and everything worked fine. (complete new dl, new directorys, new database etc.)
When i came home a few minutes ago it happened again... process was still running but not processing any data so i had to kill the process the hard way (kill -9)...

i compared the fw stats from a few minutes before the crash and after the crash ... nothing suspicious ... i'm relatively sure it's not a ddos attack :P

I have no idea what to do ... is there any way to start the server in a more verbose way... even a little hint would help.

Best regards!

[pkegles]

Here is the error im getting at the log: ERROR | | | TS3ANetwork: end failed error: 1


Thanks in advance for any help