[BlueOnyx:16588] Re: CPU is heavily used on a 5106R

George F. Nemeyer tigerwolf at tigerden.com
Fri Nov 28 22:09:21 -05 2014


On Fri, 28 Nov 2014, Jimmy Gross wrote:

> I looked in processes and see several instances of:
>
> | \_ /bin/sh /usr/local/sbin/bfd -s      14%
>

Using some Google-fu, I see BFD is a brute force detection package that
works with APF (Advanced Policy Firewall).  Neither of these is part of
the core BX install, as evidenced by the fact that the program is showing
up in /usr/local/, so it was installed as a third party package.

According to what I've seen, BFD *MUST* have APF installed and running, so
if APF isn't there, BFD might be in some loop trying to communicate with
APF.  Check to see if APF hasn't died and is running.

Oddly, while finding no BFD repository packages with yum, I did find a
bunch of non-English language stuff in /usr/share/locale files on my 5106R
box, so it's possible BFD was there at one time, but got removed or
replaced during some update.  If you did any updates recently, perhaps it
didn't get fully or correctly removed.

If indeed this is BFD/APF related, it's also possible you could have:
   1.  Some REALLY big logs for it to chew through
   2.  An attack is happening, or has happened recently.
   3.  BFD has hit some log errors/messages/format it can't
       really cope with.

Since BFD is just a log parser/scanner that feeds APF, you should be able
to kill it with no impact while you try to figure out what it's unhappy
about.  That would at least tell you if it's the source of the high load.
