LS server running out of memory

kpturner

We have a customer with a production LS server that is running out of memory very quickly (see logs below). From what I can see as soon as it starts the number of concurrent connections reported by the monitor starts to climb at an alarming rate. It gets to over 14000 in less than 60 seconds, and continues until it dies.

It points to some sort of DOS attack or one or more clients going to some sort of connection loop.

Is there anything in the logs that can help me understand what is happening, and I assume there is some way (via configuration) that I can prevent the server of accepting rogue (or too many) connections before it dies.

[COLOR=#2A363C][B]JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2015/02/22 13:04:15 - please wait. [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2015/02/22 13:04:15 - please wait. [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested System dump using '/RNS/lightstreamer/bin/ibmi/core.20150222.130415.10060.0001.dmp' in response to an ev [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I System dump written to /RNS/lightstreamer/bin/ibmi/core.20150222.130415.10060.0001.dmp [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Heap dump using '/RNS/lightstreamer/bin/ibmi/heapdump.20150222.130415.10060.0002.phd' in response to an [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Heap dump written to /RNS/lightstreamer/bin/ibmi/heapdump.20150222.130415.10060.0002.phd [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Heap dump using '/RNS/lightstreamer/bin/ibmi/heapdump.20150222.130415.10060.0003.phd' in response to an [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Heap dump written to /RNS/lightstreamer/bin/ibmi/heapdump.20150222.130415.10060.0003.phd [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Java dump using '/RNS/lightstreamer/bin/ibmi/javacore.20150222.130415.10060.0004.txt' in response to an [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Java dump written to /RNS/lightstreamer/bin/ibmi/javacore.20150222.130415.10060.0004.txt [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Snap dump using '/RNS/lightstreamer/bin/ibmi/Snap.20150222.130415.10060.0006.trc' in response to an even [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Snap dump written to /RNS/lightstreamer/bin/ibmi/Snap.20150222.130415.10060.0006.trc [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP013I Processed dump event "systhrow", detail "java/lang/OutOfMemoryError". [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Java dump using '/RNS/lightstreamer/bin/ibmi/javacore.20150222.130415.10060.0005.txt' in response to an [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Java dump written to /RNS/lightstreamer/bin/ibmi/javacore.20150222.130415.10060.0005.txt [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP032I JVM requested Snap dump using '/RNS/lightstreamer/bin/ibmi/Snap.20150222.130415.10060.0007.trc' in response to an even [/B][/COLOR]
[COLOR=#2A363C][B]JVMDUMP010I Snap dump written to /RNS/lightstreamer/bin/ibmi/Snap.20150222.130415.10060.0007.trc[/B][/COLOR]

kpturner

Keeping an eye on it now to see what is happening. The total number of sessions (bearing in mind it is 20:11 on a Sunday) keeps switching between 11 and 12 - so pretty trivial. The number of concurrent connections is floating between 1800 and 2000+ (maximum 3892) so that is not going up at an alarming rate at the moment. I was wondering if this number of connections is normal for so few sessions though? Why is the number of connections so much higher than the number of sessions? I obviously don't know the difference.

There are a lot of warnings 21:06:03 Current delay for tasks scheduled on thread pool TLS/SSL HANDSHAKE is 18 seconds. Timer-1 21:06:03 If the delay issue persists, taking a JVM full thread dump may be the best way to investigate the issue. Timer-1 21:06:05 Current delay for tasks scheduled on thread pool TLS/SSL HANDSHAKE is 19 seconds. Timer-1 21:06:05 If the delay issue persists, taking a JVM full thread dump may be the best way to investigate the issue. Timer-1 21:06:07 Current delay for tasks scheduled on thread pool TLS/SSL HANDSHAKE is 19 seconds. Timer-1 21:06:07 If the delay issue persists, taking a JVM full thread dump may be the best way to investigate the issue. Timer-1 21:06:09 Current delay for tasks scheduled on thread pool TLS/SSL HANDSHAKE is 19 seconds. Timer-1

kpturner

The other thing I notice is that there are a very large number of errors being generated - all like this (coming in by the second):

21:09:31 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:5133. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:31 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:7323. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:31 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:28603. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:31 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:61880. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:31 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:56732. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:32 Handshake error on Lightstreamer HTTPS Server: Broken pipe on 217.118.110.123:39397. NIO TLS/SSL HANDSHAKE SELECTOR 1 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:38992. NIO TLS/SSL HANDSHAKE SELECTOR 2 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:26672. NIO TLS/SSL HANDSHAKE SELECTOR 2 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:32844. NIO TLS/SSL HANDSHAKE SELECTOR 2 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:21056. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:61511. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:59988. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:4500. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:46009. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:14995. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:34612. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:60219. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:50447. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:60299. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:29540. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:61398. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:16881. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:23304. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:18071. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:10471. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:23499. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:52529. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:28532. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:55404. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:16333. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:52733. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:26191. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:11962. NIO TLS/SSL HANDSHAKE SELECTOR 4 21:09:41 Handshake error on Lightstreamer HTTPS Server: task timed out on 217.118.110.123:40724. NIO TLS/SSL HANDSHAKE SELECTOR 4

[/COLOR]

kpturner

The number of connections compared to the number of sessions is concerning me though. At a different customer where the current number of connections and the number of sessions are roughly the same.

kpturner

One additional piece of information: I managed to get the server to a point where there was only 1 session, and that was me using the LS monitor. The server was still reporting over 50 connections. I need to know if this is expected, because on our own LS instances there is almost a 1 to 1 correlation between sessions and connections.

Giuseppe Corti

Hi Kevin,

Generally, the number of connections is greater than or equal to the number of the sessions, in fact, for each session we have a permanent connection dedicated to streaming, and a control connection, temporary, used to send control commands that manage the contents of the stream channel.
In normal situations you should expect a number of connections equal to or slightly higher than the number of sessions. However, in some cases, connections may become much more numerous, for example in phases in which many clients are trying to connect, or if many clients are connected in polling mode.

In particular, in case of a session in polling mode, that is not leveraging the reuse of connections, and frequent updates the number of open connections to the server can significantly grow. However numbers like yours are quite unusual.
50 connections with only a client using the Monitor is something unexpected. In order to investigate further the issue it would be necessary set these logger levels:

[SYNTAX=XML]<logger name="LightstreamerLogger.requests" level="INFO"/>
<logger name="LightstreamerLogger.connections" level="DEBUG"/>[/SYNTAX]

since, with hundreds of connections per second the size of the log file can grow quickly you can keep these settings for a few seconds (up to a minute) and then collect the log.
With these levels we should have some more information on connections and why they can not create a session.

In order to prevent the "out of memory" and also to saturate the handshake threads pool you can use this parameter:
[SYNTAX=XML]

[/SYNTAX]

kpturner

OK thanks. My main problem (other than the cause) is that in order to get more information I need them to start the server again. The last time they started it, their firewall became saturated and prevented other essential network activity from taking place. I need to discuss with them the best approach.

Question: If I artificially set the maximum sessions to 1 (for example) would that explain the fact that the number of connections exceeds the number of sessions? Would the excess connections just be other clients being unable to create a session?

Is there a way to restrict the number of connections (as opposed to sessions)?
Is there a way to restrict the connections to certain IP ranges? This is exposed on the internet, but we may need to restrict it to known clients to get closer to the truth.

Giuseppe Corti

Hi Kevin,

Please note that the log settings doesn't need a restart of the server.

Yes, if you set 1 to max_sessions connection attempts from other clients can lead to the increase of the number of connections.

About to restrict the connections to certain IP ranges, the Lightstreamer server provides this:

http://www.lightstreamer.com/docs/server_jmx_api/com/lightstreamer/jmx/ServerMBean.html#disableIP(java.lang.String)

but please note that this is an option of JMX feature and I'm not sure it suits your needs.

Anyway, please could you confirm the exact version of Lighstreamer server and JavaScript client library in use?

Thank you,
Giuseppe

kpturner

Noted about the log settings. They have the server switched off at the moment anyway because their current understanding is that with it switched on their firewall becomes rapidly overloaded.

So, with maximum sessions set low, a client can make a physical connection to the server but cannot actually do anything? I am just wondering how "maximum sessions" can provide heuristic server protection if it still has to manage all the connections that occur?

If the monitor reports over 14000 connections to me, what does that mean exactly? Does it mean that my client code is somehow creating more and more connections (via the Lighstreamer.js) even though there is already a connection established? I have to consider the fact that I may have a bug in the way I am using the client code.

I think you are right about the IP restrictions. A JMX solution is not what I am after - I guess they will have to do the IP restrictions on their firewall.

This customer is currently on server version 5.1.2 and client version 6.1.4 build 1640.14

They are shortly to go to version 6 in a couple of weeks.

Giuseppe Corti

Hi Kevin,

Please note that a new connection does not always mean new client. Sometimes, especially for no webscoket case, clients already connected may require a new connection (for a rebind, or a polling request or a new subscription).
Thus limiting the number of connections can affect the proper functioning of sessions also already established.

The parameters that protect the server from your critical situation are:
[SYNTAX=XML] <server_pool_max_queue>100</server_pool_max_queue>
<handshake_pool_max_queue>100</handshake_pool_max_queue>[/SYNTAX]
and in your specific case it seems that the second might work.
However, for a typical DoS attack scenario, we expect that the firewall should actually apply the necessary countermeasures.

It seems strange to me that it might be a bug in the client side, since the huge difference between the number of sessions and connections. Also because the browser typically limit by itself the number of connections to the same URL.

Please, if the server log of the Saturday episode is available send us it at support@lightstreamer.com. We will check it in search of clues.

kpturner

I will see if I can get the log from yesterday as it also occurred in a small window while i checked it.

Today the situation is thus:
All access blocked on the firewall except for our staff
Server running with

<handshake_pool_max_queue>100</handshake_pool_max_queue>

also logging has been changed

<loggername = "LightstreamerLogger.requests"level = "INFO"/>
<loggername = "LightstreamerLogger.connections"level = "DEBUG"/>

Currently it all looks completely normal.

kpturner

Update: The number of connections are roughly equivalent to the number of sessions. If I take the server offline for a short period and restart it, the number of connections looks roughly double the number of sessions.....but appear to fall slightly as time goes on.

No scientific proof - but a speculative observation: The longer I leave the server offline the more connections I get for the same number of sessions. Also the more time I take the server offline, the more connections I get:

On startup: 32 sessions and 32 connections
Stop and restart: 32 sessions and approx 50 connections (falling to about 40)
Stop and restart: 32 sessions and approx 90 connections (falling to about 60)
and so on

So if I have 1000 sessions, and the server goes offline for a long period of time and then gets restarted, I think I am going to see some big numbers in the connections statistics compared to the sessions.

I think this only happens with clients that had a good connection, then lost it. They go into an endless connection/fail/retry cycle - and when the server comes on they seem to have more connections than they need.

This may be completely normal and expected of course.

kpturner

I have provided the logs from Saturday and Sunday to support@lightstreamer.comusing https://www.wetransfer.com/#

Giuseppe Corti

Hi Kevin,

I confirm we have received the logs, thank you. Now , we will check them.

kpturner

Update:

Some users have now been given access through the firewall.

They currently have 152 sessions and 411 connections (maximum 751). Some errors and warnings in the logs too. We will continue to collect the log information for the time being.

kpturner

While the server is offline, I observe more and more iframe elements being created in my browsers DOM. See screenshot below, Is this normal?

Mone

Hi Kevin,

That's a known bug that was fixed in the latest version.
The bug affects the 6.1.4 and 6.2.2 versions.

The bug is triggered by the client being unable to reach the server
http://www.lightstreamer.com/distros/Lightstreamer_Allegro-Presto-Vivace_6_0_20150213/Lightstreamer/CHANGELOG.HTML#web_client

We considered the bug while investigating the issue, but it does not seem likely it to be related to your issue, as the browser would not permit so many open sockets to the server in the first place (the number of open sockets is way too high with respect of the active sessions).

Anyhow, you can monitor the impact of the issue on the server by monitoring the log for lines like the following:

xxxxxxxx |INFO |LightstreamerLogger.webServer |SERVER POOLED THREAD 2 |Serving request: /lightstreamer/xhr.html?id=3&domain=lightstreamer.com& on "Lightstreamer HTTP Server" from xxxxxxx

My colleagues will get back to you about the issue in general ASAP

kpturner

While the server is offline, I observe more and more iframe elements being created in my browsers DOM. See screenshot below, Is this normal?

kpturner

OK thanks for the update.

I will get today's log to you as soon as I can. While it was running, the load was apparently normal on the firewall so that is both good news and bad news (from a diagnosis point of view). However, the users complained that the application was performing poorly while it was running. I don't know if this is a coincidence or not - but I do know that the LS server was using a fairly high level of CPU while it was active (about 16%).

Is there any way to throttle the CPU used? I already have <selector_pool_size>1</selector_pool_size>

Giuseppe Corti

Hi Kevin,

From the logs we noticed that the issue starts after 2 restarts of the server executed at 23:27 and 23:35 on 21 February.
Before these events, all day long, the server seems to run regularly, and the relationship between connections and sessions remains within acceptable limits.

Soon after the restarts, indeed, the connections count begins to be very high compared to the number of sessions, but only about 10 minutes after the second restart that this bursts exceeding 1000 and continuing to grow.
Also the logs starts to show exceptions like this:

	21-Feb-15 23:58:59,316|ERROR|LightstreamerLogger.connections  | Lightstreamer HTTPS Server|Accept error on socket Lightstreamer HTTPS Server:
		java.net.SocketException: Invalid argument
		...

that are really strange and suggest a heavy problem with the network.

Could you confirm that the restarts of the server was something planned or have been performed as a result of a problem?
The first resart takes a very long time, in the meantime have been carried out some updates or changes to the systems or network?