Posted to users@httpd.apache.org by Priya balaji <pr...@rediffmail.com> on 2002/11/19 13:44:02 UTC

[users@httpd] Protection from slapper worm DDos attack

Hi,

I am running the latest versions of Apache, modssl and openssl on 
a Solaris machine. My machine is getting a lot of connections from 
hosts running older versions of Apache and Openssl. My web server 
reaches max limit and stops serving pages. Requires a restart.

All the symptoms look like the activity of the slapper worm. I 
have obtained a lot of information about this worm, but there is 
no information about protecting the machine from the DDoS attacks 
from other infected hosts.

It will be very helpful if somebody can provide information on the 
following.

1. Are the machines running the updated versions vulnerable to 
these attacks, or have I done something wrong in setting things 
up?
2. Will blocking the ports from where the infected machines 
communicate help in my case?

Thanks in advance.

Priya
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Traffic Control over VirtualHosts

Posted by pi...@goldfisch.at.
There are several tools to accomplish your demand:

maybe the best is a weblog analyzer like webalizer that can deal with
VirtualHosts and also print the total sum of sent data. 

of course you can also use a tool like ntop that measures all the
traffic and can generate statistics by host/protocol/port.

Then there is mrtg and its big brother (don't know the name) that can
display almost everything if you have the right sensor.

hope this helps,
peter



On Tue, Nov 19, 2002 at 10:50:02AM -0200, Felipe Moreno - MAILING LISTS wrote:
> Hi list members,
> 
>    I have an Apache webserver 2.0 installed on a Linux 7.0 OS running
> together with Tomcat 4.0. I use several virtual hosts and I want to know if
> there is a way to measure all the traffic that each virtual host consumes.
> The problem is that I only know the total incoming and outgoing traffic of my
> machine, but I really need to measure the traffic from each virtual host.
> Usually each VH uses FTP connections, HTTPD connections, POP/SMTP connections
> and MySQL connections. Does anyone know a way to achieve this?
> 
> Thanks for any answer!
> 
> Regards,
> 
> Felipe Moreno
> 
> 
> 

-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
pilsl@goldfisch.at
http://www.goldfisch.at

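The weblog-analyzer approach Peter describes, worked through as an added example (not code from the thread or from webalizer): it assumes the server writes a log whose first field is the canonical ServerName, i.e. a LogFormat such as `%v %h %l %u %t "%r" %>s %b`, and sums the bytes sent per virtual host. The log lines embedded below are constructed for the demonstration.

```python
"""Per-VirtualHost traffic accounting from the Apache access log.

Assumed httpd.conf (the %v field at the front is what makes this work):

    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
    CustomLog logs/access_log vhost_common

%b is the response body size and is "-" when no body was sent. With
mod_logio loaded, %O (bytes sent including headers) and %I (bytes
received) are the more accurate figures for accounting.
"""
import re
from collections import defaultdict

# One access_log line in the assumed vhost_common format.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def bytes_per_vhost(lines):
    """Sum response body bytes per virtual host; returns {vhost: bytes}."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are ignored, not guessed at
        size = m.group("bytes")
        totals[m.group("vhost")] += 0 if size == "-" else int(size)
    return dict(totals)


def report(lines):
    """Human-readable summary, largest consumer first."""
    totals = bytes_per_vhost(lines)
    return [f"{vhost:<24} {size:>12} bytes"
            for vhost, size in sorted(totals.items(), key=lambda kv: -kv[1])]


# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = [
    'www.example.com 192.0.2.10 - - [19/Nov/2002:10:50:02 -0200] "GET /index.html HTTP/1.1" 200 2326',
    'www.example.com 192.0.2.11 - - [19/Nov/2002:10:50:05 -0200] "GET /logo.gif HTTP/1.1" 200 1024',
    'shop.example.net 198.51.100.4 - - [19/Nov/2002:10:51:00 -0200] "GET /cart HTTP/1.0" 302 -',
    'shop.example.net 198.51.100.4 - - [19/Nov/2002:10:51:01 -0200] "GET /cart/view HTTP/1.0" 200 4096',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

This only accounts for HTTP(S). The FTP, POP/SMTP and MySQL traffic in the original question never passes through Apache, so those services know nothing about virtual hosts; the practical way to count them per site is at the OS level, keyed on the IP address each virtual host is bound to, with per-address packet-filter counters or a tool like ntop.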


Re: [users@httpd] Traffic Control over VirtualHosts

Posted by Simon Dassow <ja...@area319.de>.
I don't believe you're running Linux 7... current stable is 2.4.19...
anyways... you want something like iptables with these two rules:
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT

If you now do 'iptables -vnL' you can see the generated traffic...
really ugly, I know.
Maybe you want mrtg instead... there are a lot of tools to accomplish
that.

regards,
simon

On Tue, 2002-11-19 at 13:50, Felipe Moreno - MAILING LISTS wrote:
> Hi list members,
> 
>    I have an Apache webserver 2.0 installed on a Linux 7.0 OS running
> together with Tomcat 4.0. I use several virtual hosts and I want to know if
> there is a way to measure all the traffic that each virtual host consumes.
> The problem is that I only know the total incoming and outgoing traffic of my
> machine, but I really need to measure the traffic from each virtual host.
> Usually each VH uses FTP connections, HTTPD connections, POP/SMTP connections
> and MySQL connections. Does anyone know a way to achieve this?
> 
> Thanks for any answer!
> 
> Regards,
> 
> Felipe Moreno
> 
> 
> 


[users@httpd] Traffic Control over VirtualHosts

Posted by Felipe Moreno - MAILING LISTS <ml...@realweb.com.br>.
Hi list members,

   I have an Apache webserver 2.0 installed on a Linux 7.0 OS running
together with Tomcat 4.0. I use several virtual hosts and I want to know if
there is a way to measure all the traffic that each virtual host consumes.
The problem is that I only know the total incoming and outgoing traffic of my
machine, but I really need to measure the traffic from each virtual host.
Usually each VH uses FTP connections, HTTPD connections, POP/SMTP connections
and MySQL connections. Does anyone know a way to achieve this?

Thanks for any answer!

Regards,

Felipe Moreno




Re: [users@httpd] Protection from slapper worm DDos attack

Posted by "Douglas K. Fischer" <fi...@purefm.net>.
At 07:44 AM 11/19/2002, Priya balaji wrote:
>Hi,
>
>I am running the latest versions of Apache, modssl and openssl on a 
>Solaris machine. My machine is getting a lot of connections from hosts 
>running older versions of Apache and Openssl. My web server reaches max 
>limit and stops serving pages. Requires a restart.

When you say 'reaches max limit' do you mean it exceeds the maximum number 
of simultaneous requests as configured in Apache, or something else?


>All the symptoms look like the activity of the slapper worm. I have 
>obtained a lot of information about this worm, but there is no information 
>about protecting the machine from the DDOS attacks from other infected hosts.
>
>It will be very helpful if somebody can provide information on the following.
>
>1. Are the machines running the updated versions vulnerable to these 
>attacks or have i done something wrong in setting things up?

Updated machines are not vulnerable to the exploit attempts; however, you 
can expect to see traffic from infected hosts attempting the exploits 
against your system. I see this traffic on an almost daily basis on my web 
servers.

>2. Will blocking the ports from where the infected machines communicate 
>help in my case?

I'm assuming you mean the UDP ports the worm uses for the infected machines 
to communicate with each other. No, blocking them won't help you because 
that's not the traffic you're getting - you are getting port 80 and port 
443 traffic where these infected hosts are connecting to Apache. If you 
have a large number of IP addresses tied to the box, the problem is greatly 
magnified. Depending upon how many IP addresses your server is hosting and 
how frequently you're seeing traffic from infected hosts, you might be able 
to simply increase the number of simultaneous connections allowed in Apache.

The solution I came up with was to write a log monitor that checked for 
"request without hostname" errors in the error_log. These errors are 
generated by the probe an infected machine makes to try to determine the 
version of Apache you are running. When the log monitor detects these, it 
creates iptables firewall rules to block 80/443 traffic from the violating 
IP address for a few minutes. This keeps my systems from getting bogged 
down with the additional connections made by the infected host.

Doug 



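The log monitor Doug describes, written out as an added example; this is not his script, and the threshold (3 probes in 60 seconds), the block duration (5 minutes) and the exact iptables rule are assumptions. It matches the Apache error_log line produced by a Host-less "GET / HTTP/1.1" probe, tracks probes per client address in a sliding window, and returns the iptables commands to run as strings instead of executing them, so the decision logic can be tested offline. The error_log lines it is fed below are constructed. One caveat for the original poster: iptables is Linux-only, so on Solaris the command strings would have to be swapped for the local packet filter's syntax; the detection logic is unchanged.

```python
"""Log monitor for Slapper-style Apache probes (added example).

Watches Apache error_log lines for the "request without hostname" error
that a 'GET / HTTP/1.1' without a Host: header provokes, and once a client
exceeds a probe threshold within a short window emits iptables commands
that drop that client's traffic to ports 80/443 for a limited time.

Commands are returned, not run. A deployment would pass each one to
subprocess.run(shlex.split(cmd), check=True) from a tail -f loop.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 1.3/2.0 error_log line for a request lacking a Host: header.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[0-9.]+)\] "
    r"client sent HTTP/1\.1 request without hostname"
)


class ProbeBlocker:
    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=5)):
        self.threshold = threshold          # probes before we block (assumed value)
        self.window = window                # sliding window for counting probes
        self.block_for = block_for          # how long a block lasts (assumed value)
        self.hits = defaultdict(deque)      # ip -> timestamps of recent probes
        self.blocked = {}                   # ip -> time the block expires

    @staticmethod
    def rule(ip, action):
        # -I puts the DROP ahead of any ACCEPT rule; -D removes the same rule later.
        return (f"iptables -{action} INPUT -s {ip} -p tcp -m multiport "
                f"--dports 80,443 -j DROP")

    def feed(self, line):
        """Process one error_log line; return the iptables commands to run now."""
        m = LOG_RE.match(line)
        if not m:
            return []
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        ip = m.group("ip")
        cmds = self.expire(ts)
        if ip in self.blocked:
            return cmds                     # already dropped; nothing more to do
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                     # forget probes outside the window
        if len(q) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            q.clear()
            cmds.append(self.rule(ip, "I"))
        return cmds

    def expire(self, now):
        """Return delete commands for every block whose time is up."""
        cmds = []
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                cmds.append(self.rule(ip, "D"))
        return cmds


def run(lines, **kwargs):
    """Feed a whole log through a fresh ProbeBlocker; return all commands emitted."""
    blocker = ProbeBlocker(**kwargs)
    out = []
    for line in lines:
        out.extend(blocker.feed(line))
    return out


# Constructed error_log excerpt (not real traffic). 10.1.2.3 probes three
# times inside a minute and gets blocked; 192.0.2.7 probes twice, far apart.
PROBE = "client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /"
SAMPLE_LOG = [
    f"[Tue Nov 19 13:44:02 2002] [error] [client 10.1.2.3] {PROBE}",
    "[Tue Nov 19 13:44:03 2002] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico",
    f"[Tue Nov 19 13:44:05 2002] [error] [client 10.1.2.3] {PROBE}",
    f"[Tue Nov 19 13:44:09 2002] [error] [client 10.1.2.3] {PROBE}",
    f"[Tue Nov 19 13:44:10 2002] [error] [client 192.0.2.7] {PROBE}",
    f"[Tue Nov 19 13:50:00 2002] [error] [client 192.0.2.7] {PROBE}",
]

if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG):
        print(cmd)
```

Blocks are timed so that a NAT gateway or a host that gets disinfected is not shut out for good, and the monitor keys on the probe rather than on raw connection counts so legitimate busy clients are never touched. Note that blocking a source address only helps against the probe-and-exploit traffic that follows it; it does nothing for the connection that already triggered the log line, which is why the threshold matters.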