INFO: Process audiodg.exe Consumes High Memory

A recent not-so-good experience led me to write about it. Have you ever been in the "flow" and so absorbed in your work that when you get interrupted, you find it very difficult to get back to where you were? I recently had that, and the disruption came from a technology failure, not a human interaction. I will get to the details next.

I was working on a large dataset on my notebook and all of a sudden I got an OOM (out of memory) notification. The prompt was similar to "Your computer is running low on memory". I could not get a screenshot of the error as I could not do anything more after that and was forced to hold the power button long enough to restart.

After the reboot, I tried to replicate what I was doing previously and launched the Task Manager to see if it had clues to the issue. What I saw almost pushed me off my chair. The executable audiodg.exe consumed 1.3GB of memory!

Although I have 16GB of memory to play with, I knew something was not right. Now that I was able to take a screenshot to share, you will find it below. It shows a third of system memory already consumed.

[Screenshot: AUDIODG.EXE 1.2GB Memory]

The executable audiodg.exe is an integral part of the Windows 7 Operating System. It is the "Windows Audio Device Graph Isolation" and if you terminate the process you lose audio output on your notebook, as in my experience.

Given my encounter with low memory and an eventually unresponsive system, I did not want to experience that same scenario again and needed to resolve it as far as I could. So I tried several suggestions from the web -- check for viruses, check the digital signature of the file, etc. And soon enough a solution was found.

It is worth noting that even on a fresh reboot, the process audiodg.exe still consumes about the same amount of memory. So a memory leak was ruled out as a possible suspect.

The culprit was installing an updated driver for the audio card of my notebook. After a rollback to the previous driver, the problem went away. So I have this advice for folks out there who follow my posts: if you have software running on your system that watches out for outdated drivers and notifies you each time a new version is available, throw it away. Uninstall it, as it is useless. Only replace the driver if it causes you problems; otherwise things run fine and there is no need to update.

This may sound like a cliché, but "if it ain't broken, don't fix it!" Trust me, there is truth to this advice. With that, let me leave you with this question: How much memory does audiodg.exe consume on your computer?

TIP: Protect Your Router Against IP Spoofing

I was reading through some of the best-practice configuration for Mikrotik routers, and routers in general. I found a very helpful tip about helping keep the internet secure for others. It is related to the topic stated in the title -- IP spoofing. For more information on the term, here is a resource that defines it clearly; the same definition is quoted below.
IP Spoofing is a technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets. IP Spoofing involves modifying the packet header with a forged (spoofed) source IP address, a checksum, and the order value.

As a responsible infrastructure administrator, I am obliged to contribute to the security of others. With that, I likewise share how to do it, for others' benefit. If you own a Mikrotik router, follow the procedure below.

RP Filter. The "RP Filter" (reverse path filter) is used for packet source validation. As the abstract of RFC 3704 puts it, it is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. Note that in strict mode a packet is dropped unless the route back to its source address leaves through the interface it arrived on, so on a multi-homed router with asymmetric routing verify the routing first or use loose mode, which only checks that a route to the source exists.

To be better informed about this change, here's a link to the Mikrotik Wiki.

So how is this done in the Mikrotik?

For those who want to do it via the command line interface (CLI), execute this using a privileged account:
/ip settings
set rp-filter=strict

For those who would rather use the WinBox utility: go to IP » Settings and set "RP Filter" to "strict".

[Screenshot: Winbox IP Settings]

In the screenshot above, "TCP SynCookies" is also ticked. This adds protection for the router itself against denial of service via SYN floods. For the CLI equivalent, change the command above to:
/ip settings
set rp-filter=strict tcp-syncookies=yes

The above changes did not increase the resource consumption on my router. Monitor your router's resource utilization after the change to see whether it introduces significant load.

TIP: Rename Ubuntu16 Interfaces Back to ethX

If you have been working on Linux for a while, you are probably very used to interface names of the form ethX (eth something). In Ubuntu 16 LTS, this is no longer the case. There was, it seems, a long debate about this issue, and this is the result. This post does not intend to spark another debate, nor feed the flames. The intention is simply that if you want to revert to the "legacy" behavior, you can. Here is how.

Before that, for a better picture of the what and the why: this change was introduced in systemd v197, and the explanation is discussed at length in the systemd documentation. Visit the link to be better informed about the change and why it was put forward.

As put forth:
Starting with v197 systemd/udev will automatically assign predictable, stable network interface names for all local Ethernet, WLAN and WWAN interfaces. This is a departure from the traditional interface naming scheme ("eth0", "eth1", "wlan0", ...), but should fix real problems.

The manifestation of this in a new install of an Ubuntu 16 LTS virtual machine is an interface named "ens192".

[Screenshot: Ubuntu New Interface Naming]

To put it back to the original naming convention, edit the file /etc/default/grub. Look for the line:
GRUB_CMDLINE_LINUX=""
... and change it to:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"

Then run update-grub in a terminal. Next, edit the file /etc/network/interfaces and change all instances of ens192 (the interface assigned to my virtual machine; yours may differ) to eth0.

WARNING! Do not reboot yet if you have no access to the console. You may permanently lose network connectivity as a result of this change! To make the change(s) take effect, reboot.
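The steps above, scripted as an added example (not from the original post): it backs up each file as the post does, adds the two kernel parameters to GRUB_CMDLINE_LINUX without dropping options already there or duplicating them on a second run, and renames the interface only in auto/iface/allow-hotplug stanzas, matching the whole name. Function names are this example's own; a real run needs root, and update-grub still has to be run afterwards.

```python
import re
from pathlib import Path

# Kernel parameters from the post; the function names are this example's own.
KERNEL_PARAMS = ("net.ifnames=0", "biosdevname=0")

def add_kernel_params(grub_text, params=KERNEL_PARAMS):
    """Append params to GRUB_CMDLINE_LINUX, keeping anything already set there
    (e.g. a console= option) and adding nothing twice, so re-running is safe."""
    line = re.compile(r'^(GRUB_CMDLINE_LINUX=)"([^"]*)"', re.MULTILINE)

    def merge(match):
        current = match.group(2).split()
        current += [p for p in params if p not in current]
        return f'{match.group(1)}"{" ".join(current)}"'

    new_text, hits = line.subn(merge, grub_text)
    if hits != 1:
        raise ValueError(f"expected one GRUB_CMDLINE_LINUX line, found {hits}")
    return new_text

def rename_interface(interfaces_text, old, new):
    """Rename an interface in /etc/network/interfaces stanzas only (auto, iface,
    allow-hotplug), matching the whole name so ens192 never touches ens1920."""
    stanza = re.compile(rf'^(\s*(?:auto|allow-hotplug|iface)\s+){re.escape(old)}\b',
                        re.MULTILINE)
    return stanza.sub(rf'\g<1>{new}', interfaces_text)

def rewrite_with_backup(path, transform):
    """Write <file>.bak before replacing <file>, like the post's manual backup."""
    p = Path(path)
    original = p.read_text()
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(transform(original))

if __name__ == "__main__":
    # Real run (needs root). Do not reboot afterwards without console access.
    rewrite_with_backup("/etc/default/grub", add_kernel_params)
    rewrite_with_backup("/etc/network/interfaces",
                        lambda text: rename_interface(text, "ens192", "eth0"))
    # then: update-grub && reboot
```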

Executing the above steps gave me back the network interface "eth0".

[Screenshot: Ubuntu Legacy Interface Naming]

Following best practice, I created a backup of the file /etc/default/grub prior to making the change. This is a screenshot of the diff between the current file and the file prior to the change.

[Screenshot: Diff of Grub After Modification]

I have not executed this on a virtual machine with multiple interfaces. My suggestion for a host with multiple interfaces is to make the change one interface at a time. So far, this suggestion has worked for a friend I gave this advice to.

TIP: Test for "EternalBlue" Vulnerability Yourself

If you still haven't heard, there is a massive "ransomware" attack out there and organizations are starting to react to its effects. While you and I might not be the actual targets of this malware, you and I could still end up in its wake, and worse, lose valuable data in the process.

The malware is well known as "WannaCry", among other names. What it does is encrypt your files and ask for a ransom to decrypt them (which is why it is called "ransomware"). You and I will then have a limited number of days to pay, or else the encrypted files are deleted.

This malware spreads itself across the network using a zero-day vulnerability that experts coined "EternalBlue". While Microsoft came out with a patch to address this vulnerability in its Windows operating system, many out there are still running both new and legacy unpatched systems, or are simply not aware of the threat.

If you have not done so already, the link to the Windows patches is: Microsoft Security Bulletin 17-010 (Critical). For the sake of being informed, what the WannaCry malware does is explained well in this YouTube video: https://www.youtube.com/watch?v=88jkB1V6N9w.

Now, if you have installed the updates and want to be sure, developers from a company called Let's Get Digital came up with a tool to help you check systems. Download the software by clicking this link.

I tested it out on my computer. The result is in the screenshot below.

[Screenshot: WANNACRY CHECK]

It seems the patches in place are keeping me safe (for now at least).

Go ahead and install the patch immediately, if you haven't done so. As the saying goes, an ounce of prevention is better than... But you already know that right?

HOW-TO: Mangle (or QoS) in a Mikrotik Router

First of all, let me tell you that I'm in no way a Mikrotik expert. My expertise is system administration, more into servers and storage. My specialization in the later years of infrastructure work focused primarily on VMware virtualization. I just understand a few networking concepts that allow me to be comfortable around the equipment and to play with it. There are occasions where necessity calls for that ease around hardware, and this is one of those.

Previous articles have discussed the configuration on a Mikrotik Router as I have experienced it -- the initial configuration and succeeding LAN provisions, like DHCP and DNS. I have had this configuration working for me and had tested it to work.

The concept of QoS in this article is "Q-on-Q" in Mikrotik lingo. There are many ways to configure this and mine is not the only way. I have not tested the other configurations out there. This is the first one I have tested, as it seems the easiest to implement and test (at least from my point of view).

There are two (2) components to this -- a queue tree and sets of mangle rules.

Queue Tree. The best analogy I can come up with for queue trees is a highway: a separate lane for faster, higher-priority vehicles, with the remaining lanes for everything else that needs the road to get through. The difference is that QoS only kicks in when there is congestion. So at about 90% bandwidth utilization I create artificial congestion, letting this configuration take control in anticipation of the real-world congestion.

I was given an internet bandwidth of 20MBps up and 20MBps down to play with. Following the concept above, I created two (2) queues -- one for critical traffic with a CIR of 3MBps and another, best-effort queue with a CIR of 15MBps. In effect, the two CIRs add up to 18MBps at the parent queue, which is the 90% utilization point where the artificial congestion begins. The QoS settings take over when those queues, and their parent queues, are saturated. The committed information rate, or CIR (the limit-at value), assures a specific queue that bandwidth if it needs it. Bandwidth a queue leaves unused can be "borrowed" by other queues.

I mirrored the same configs for both upload queues and download queues since my bandwidth is symmetrical. The queue tree configuration follows below.
/queue tree
add comment="----- uploads -----" max-limit=25M name=UPLDQ parent=global \
 priority=1 queue=ethernet-default
add comment="----- low priority -----" limit-at=15M max-limit=25M name=\
 UPLD_BEFF parent=UPLDQ priority=5 queue=ethernet-default
add comment="---- high priority -----" limit-at=3M max-limit=25M name=\
 UPLD_CRIT parent=UPLDQ priority=1 queue=ethernet-default
add name=upld_pr1_crit packet-mark=upld_pr1_crit parent=UPLD_CRIT \
 priority=1 queue=ethernet-default
add name=upld_pr2_crit packet-mark=upld_pr2_crit parent=UPLD_CRIT \
 priority=2 queue=ethernet-default
add name=upld_pr7_crit packet-mark=upld_pr7_crit parent=UPLD_CRIT \
 priority=7 queue=ethernet-default
add name=upld_pr1_beff packet-mark=upld_pr1_beff parent=UPLD_BEFF \
 priority=1 queue=ethernet-default
add name=upld_pr2_beff packet-mark=upld_pr2_beff parent=UPLD_BEFF \
 priority=2 queue=ethernet-default
add name=upld_pr4_beff packet-mark=upld_pr4_beff parent=UPLD_BEFF \
 priority=4 queue=ethernet-default
add name=upld_pr6_beff packet-mark=upld_pr6_beff parent=UPLD_BEFF \
 priority=6 queue=ethernet-default
add name=upld_pr7_beff packet-mark=upld_pr7_beff parent=UPLD_BEFF \
 priority=7 queue=ethernet-default
add name=upld_pr8_beff packet-mark=upld_pr8_beff parent=UPLD_BEFF \
 queue=ethernet-default
add max-limit=6M name=upl_pr8_ratelimited packet-mark=upld_pr8_lmtd \
 parent=UPLD_BEFF queue=ethernet-default
add comment="----- downloads -----" max-limit=25M name=DNLDQ \
 parent=global priority=1 queue=ethernet-default
add comment="----- low priority ----" limit-at=15M max-limit=25M \
 name=DNLD_BEFF parent=DNLDQ priority=5 queue=ethernet-default
add comment="---- high priority ----" limit-at=3M max-limit=25M \
 name=DNLD_CRIT parent=DNLDQ priority=1 queue=ethernet-default
add name=dnld_pr1_crit packet-mark=dnld_pr1_crit parent=DNLD_CRIT \
 priority=1 queue=ethernet-default
add name=dnld_pr2_crit packet-mark=dnld_pr2_crit parent=DNLD_CRIT \
 priority=2 queue=ethernet-default
add name=dnld_pr7_crit packet-mark=dnld_pr7_crit parent=DNLD_CRIT \
 priority=7 queue=ethernet-default
add name=dnld_pr1_beff packet-mark=dnld_pr1_beff parent=DNLD_BEFF \
 priority=1 queue=ethernet-default
add name=dnld_pr2_beff packet-mark=dnld_pr2_beff parent=DNLD_BEFF \
 priority=2 queue=ethernet-default
add name=dnld_pr4_beff packet-mark=dnld_pr4_beff parent=DNLD_BEFF \
 priority=4 queue=ethernet-default
add name=dnld_pr6_beff packet-mark=dnld_pr6_beff parent=DNLD_BEFF \
 priority=6 queue=ethernet-default
add name=dnld_pr7_beff packet-mark=dnld_pr7_beff parent=DNLD_BEFF \
 priority=7 queue=ethernet-default
add name=dnld_pr8_beff packet-mark=dnld_pr8_beff parent=DNLD_BEFF \
 queue=ethernet-default
add max-limit=6M name=dnld_pr8_lmtd packet-mark=dnld_pr8_lmtd \
 parent=DNLD_BEFF queue=ethernet-default

As seen above, I adopted a naming convention for the queues (and their corresponding packet-marks). Packet-marks take the name of the queue, whereas queue names are concatenated from their function (dnld for download, upld for upload), priority (pr1 for priority 1, and so on) and parent queue (beff for best effort, crit for critical or high priority). It helps me identify the queue assignment when classifying packets by the kind of traffic they belong to.

Mangle Rules. Now that the queues are made, let's classify traffic by marking the packets. These packet marks or tags identify them as to which particular queue they would go to. Do you see now how these two components go hand in hand?

Note that these packet marks are only applicable within the Mikrotik router. The order of the rules is based on traffic volume. This gives me efficiency, as the rules are evaluated from top to bottom: when the top rules are hit first, rules further down need not execute. The rules below first move everything to priority 4, and packets are then reclassified to lower or higher priority from that baseline. By default all packets have priority 8. Below are the mangle rules I use.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=">>>>> INTRANET TRAFFIC" \
 disabled=yes new-connection-mark=no-mark
add action=jump chain=forward dst-address=10.0.0.0/8 jump-target=local-net \
 src-address=10.0.0.0/8
add action=mark-connection chain=local-net new-connection-mark=local-net \
 passthrough=yes
add action=fasttrack-connection chain=local-net connection-mark=local-net
add action=accept chain=local-net connection-mark=local-net
add action=return chain=local-net
add action=accept chain=prerouting comment=">>>>> SEPARATOR (DO NOT ENABLE)" \
 disabled=yes
add action=mark-packet chain=prerouting in-interface=all-ethernet \
 new-packet-mark=dnld_pr4_beff
add action=mark-packet chain=postrouting new-packet-mark=upld_pr4_beff \
 out-interface=all-ethernet
add action=accept chain=prerouting comment=">>>>> SEPARATOR (DO NOT ENABLE)" \
 disabled=yes
add action=jump chain=prerouting comment="NEW CONNECTIONS" connection-state=\
 new in-interface=all-ethernet jump-target=crit-dnld-pr1
add action=jump chain=postrouting connection-state=new jump-target=\
 crit-upld-pr1 out-interface=all-ethernet
add action=jump chain=prerouting jump-target=crit-dnld-pr1 port=53 protocol=udp
add action=jump chain=prerouting comment="BIG BYTES (IN)" connection-bytes=\
 2500000-0 connection-rate=2500-1G in-interface=ether1 jump-target=\
 beff-bulk-download protocol=tcp
add action=mark-packet chain=beff-bulk-download new-packet-mark=\
 dnld_pr8_beff passthrough=no
add action=return chain=beff-bulk-download
add action=jump chain=postrouting comment="BIG BYTES (OUT)" connection-bytes=\
 2500000-0 connection-rate=2500-1G jump-target=beff-bulk-upload \
 out-interface=ether1 protocol=tcp
add action=mark-packet chain=beff-bulk-upload new-packet-mark=\
 upld_pr8_beff passthrough=no
add action=return chain=beff-bulk-upload
add action=jump chain=prerouting comment="WEB TRAFFIC - INBOUND" \
 in-interface=ether1 jump-target=beff-http-down port=80,443 protocol=tcp
add action=jump chain=prerouting in-interface=ether1 jump-target=\
 beff-http-down port=80,443 protocol=udp
add action=jump chain=beff-http-down connection-bytes=2500000-0 \
 jump-target=beff-bulk-download protocol=tcp
add action=mark-packet chain=beff-http-down new-packet-mark=\
 dnld_pr6_beff passthrough=no
add action=return chain=beff-http-down
add action=jump chain=prerouting comment="SYN PACKETS" in-interface=ether1 \
 jump-target=crit-dnld-pr2 protocol=tcp tcp-flags=syn
add action=jump chain=postrouting jump-target=crit-upld-pr2 out-interface=\
 ether1 protocol=tcp tcp-flags=syn
add action=jump chain=forward comment="PR1 - RTP conn/packet" \
 jump-target=crit-dnld-pr1 port=10000-20000 protocol=udp
add action=jump chain=forward comment="PR1 -- FACETIME" jump-target=\
 crit-dnld-pr2 port=5223,4080,3478 protocol=tcp
add action=mark-connection chain=forward comment="DSCP 46 (VoIP)" \
 connection-mark=no-mark dscp=46 new-connection-mark=VoIP-conn \
 passthrough=yes
add action=jump chain=prerouting comment="PR2 -- SIP (VoIP)" jump-target=\
 crit-dnld-pr1 port=5060-5061 protocol=tcp
add action=jump chain=prerouting jump-target=crit-dnld-pr1 port=5060-5061 \
 protocol=udp
add action=jump chain=forward comment="PR8 -- P2P conn/packet" jump-target=\
 beff-p2p p2p=all-p2p src-address=10.0.0.0/8
add action=mark-packet chain=beff-p2p new-packet-mark=dnld_pr8_lmtd \
 passthrough=no
add action=return chain=beff-p2p
add action=accept chain=prerouting comment=">>>>> SEPARATOR (DO NOT ENABLE)" \
 disabled=yes
add action=mark-packet chain=crit-dnld-pr1 new-packet-mark=dnld_pr1_crit \
 passthrough=no
add action=return chain=crit-dnld-pr1
add action=mark-packet chain=crit-dnld-pr2 new-packet-mark=dnld_pr2_crit \
 passthrough=no
add action=return chain=crit-dnld-pr2
add action=mark-packet chain=crit-upld-pr1 new-packet-mark=upld_pr1_crit \
 passthrough=no
add action=return chain=crit-upld-pr1
add action=mark-packet chain=crit-upld-pr2 new-packet-mark=upld_pr2_crit \
 passthrough=no
add action=return chain=crit-upld-pr2
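As an added example (not the author's configuration or a Mikrotik tool), a small Python audit that parses a RouterOS export in the format of the two listings above and cross-checks them: every packet-mark a queue expects should be set by some mangle rule, every mark a rule sets should have a queue, every parent queue should exist, and the children's limit-at values should not add up to more than the parent's max-limit. The embedded export is a constructed excerpt of the listings above; run over it, the audit reports that the 6M P2P upload limiter (mark upld_pr8_lmtd) is never fed, because the only P2P rule marks dnld_pr8_lmtd.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's export (names as on the page), with RouterOS's '\' continuations.
EXPORT = r"""
/queue tree
add comment="----- uploads -----" max-limit=25M name=UPLDQ parent=global priority=1
add limit-at=15M max-limit=25M name=UPLD_BEFF parent=UPLDQ priority=5
add limit-at=3M max-limit=25M name=\
    UPLD_CRIT parent=UPLDQ priority=1 queue=ethernet-default
add name=upld_pr1_crit packet-mark=upld_pr1_crit parent=UPLD_CRIT priority=1
add max-limit=6M name=upl_pr8_ratelimited packet-mark=upld_pr8_lmtd \
    parent=UPLD_BEFF queue=ethernet-default
add max-limit=25M name=DNLDQ parent=global priority=1
add limit-at=15M max-limit=25M name=DNLD_BEFF parent=DNLDQ priority=5
add max-limit=6M name=dnld_pr8_lmtd packet-mark=dnld_pr8_lmtd parent=DNLD_BEFF
/ip firewall mangle
add action=mark-packet chain=crit-upld-pr1 new-packet-mark=upld_pr1_crit \
    passthrough=no
add action=mark-packet chain=beff-p2p new-packet-mark=dnld_pr8_lmtd passthrough=no
"""
UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}

def to_bps(value):
    """Convert a RouterOS rate such as 25M or 512k to bits per second."""
    m = re.fullmatch(r"(\d+)([kMG]?)", value)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_export(text):
    """Yield (section, {key: value}) per 'add' command, joining continued lines."""
    section, buf = None, ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf += line[:-1] if line.endswith("\\") else line
        if line.endswith("\\"):
            continue                               # value continues on the next line
        if buf.startswith("/"):
            section = buf
        elif buf.startswith("add "):               # values are quoted or bare tokens
            yield section, dict(re.findall(r'(\S+?)=("[^"]*"|\S*)', buf[4:]))
        buf = ""

def audit(text):
    """Cross-check the queue tree against the mangle marks; return the findings."""
    queues, set_marks, cir_sum = {}, set(), defaultdict(int)
    for section, kv in parse_export(text):
        if section == "/queue tree":
            queues[kv["name"]] = kv
            cir_sum[kv["parent"]] += to_bps(kv.get("limit-at", "0"))
        elif section == "/ip firewall mangle" and kv.get("action") == "mark-packet":
            set_marks.add(kv["new-packet-mark"])
    queue_marks = {q["packet-mark"] for q in queues.values() if "packet-mark" in q}
    return {
        # leaf queues no rule ever feeds: dead config (here the 6M P2P upload limiter)
        "unused_queues": sorted(queue_marks - set_marks),
        # marks with no queue behind them: that traffic ends up unclassified
        "orphan_marks": sorted(set_marks - queue_marks),
        "missing_parents": sorted({q["parent"] for q in queues.values()} - set(queues) - {"global"}),
        # parents whose children's CIRs (limit-at) add up to more than the parent can give
        "oversubscribed": sorted(p for p, s in cir_sum.items()
                                 if p in queues and s > to_bps(queues[p]["max-limit"])),
    }
```

Point it at the full output of `/export` to check the whole tree rather than this excerpt.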

With the configuration above, packets are re-classified according to traffic type. Even if someone is browsing the web and somebody else is uploading files through popular cloud storage like Dropbox or Google Drive, VoIP calls are still as clear as they need to be. My internal customers are satisfied with the speed of their internet and cloud experience.

If you find something amiss in my configuration or if you found a way to improve it, I would appreciate some feedback. Hope this helps.