Posted to users@tomcat.apache.org by Pavel Pragin <pp...@SolutionSet.com> on 2008/04/24 18:19:18 UTC
need help with "connectionTimeout" and "connection_pool_timeout"
Hello,
1) I am having an issue with Tomcat running out of threads it seems:
ps -dfm | grep tomc
tomcat 16983 1 0 Apr23 ? 00:01:39 /usr/java/bin/java
-Xmx2000m -Djava.awt.headless=true
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties
-Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath
:/opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/commons-logging-api.jar
-Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat
-Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap
start
tomcat - - 0 Apr23 - 00:00:14 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:03 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:00 -
tomcat - - 0 Apr23 - 00:00:23 -
...
70 threads and up
2) It looks like tomcat is not closing idle connections. I read there are
2 parameters that I can tweak idle connection time out with. I think
it's "connectionTimeout" and "connection_pool_timeout".
I know where to set "connectionTimeout", it's my server.xml, but not sure
about "connection_pool_timeout". What's the difference
between these 2 parameters?
Snippet from my server.xml file:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
maxThreads="140"
minSpareThreads="4"
maxSpareThreads="10"
tcpNoDelay="true"
enableLookups="false"
redirectPort="8443" />
Thanks a million
PAVEL PRAGIN
Re: hackers sending long URLs to probe site?
Posted by DIGLLOYD INC <di...@diglloyd.com>.
It's certainly something nefarious...one of my paths contains
"diglloyd/free", and I see URLs containing 100 or 200 of that string
repeated...
On Apr 30, 2008, at 1:58 PM, David Delbecq wrote:
> DIGLLOYD INC wrote:
>> Christopher,
>>
>> Thank you. This is helpful. Sorry about the "hijacked thread", I
>> didn't think of that.
>>
>> Yes, I've double-checked that my site isn't generating the bad
>> links. It's all static HTML and I've searched for any duplications,
>> "../../" type things, etc. I don't currently generate any URLs, and
>> the sheer length of the duplication rules out any basic mistakes in
>> static html.
>>
>> I have directory indexes turned off, confirmed by seeing 404 codes
>> on certain directories in which I don't have index files
>> (intentionally).
>>
>> Lloyd
> A bit late to respond, but it might also be a worm-infected computer
> trying to probe your server to check if it can be used as an attack
> vector. However, I am more used to worms checking for URLs containing
> cmd.exe, which probes for security holes in IIS.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
Re: hackers sending long URLs to probe site?
Posted by David Delbecq <de...@oma.be>.
DIGLLOYD INC wrote:
> Christopher,
>
> Thank you. This is helpful. Sorry about the "hijacked thread", I
> didn't think of that.
>
> Yes, I've double-checked that my site isn't generating the bad links.
> It's all static HTML and I've searched for any duplications, "../../"
> type things, etc. I don't currently generate any URLs, and the sheer
> length of the duplication rules out any basic mistakes in static html.
>
> I have directory indexes turned off, confirmed by seeing 404 codes on
> certain directories in which I don't have index files (intentionally).
>
> Lloyd
A bit late to respond, but it might also be a worm-infected computer
trying to probe your server to check if it can be used as an attack
vector. However, I am more used to worms checking for URLs containing
cmd.exe, which probes for security holes in IIS.
Re: hackers sending long URLs to probe site?
Posted by DIGLLOYD INC <di...@diglloyd.com>.
Christopher,
Thank you. This is helpful. Sorry about the "hijacked thread", I
didn't think of that.
Yes, I've double-checked that my site isn't generating the bad links.
It's all static HTML and I've searched for any duplications, "../../"
type things, etc. I don't currently generate any URLs, and the sheer
length of the duplication rules out any basic mistakes in static html.
I have directory indexes turned off, confirmed by seeing 404 codes on
certain directories in which I don't have index files (intentionally).
Lloyd
On Apr 24, 2008, at 10:12 AM, Christopher Schultz wrote:
>
> Lloyd,
>
> For future reference, please don't "hijack" a thread. You replied to
> another message on the list to ask this one. In the future, please
> create a brand new message.
>
> DIGLLOYD INC wrote:
> | But I see tons of 404 errors, with someone/thing from 62.42.21.210
> | (ono.com) doing:
> |
> | http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
> |
> | http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
>
>
> Are you sure this isn't a problem with your own site accidentally
> generating URLs that are double- or triple-length? You should record
> the "referer" (sic) header to see where the links are coming from. If
> they're coming from your site, you might want to check your own
> software.
>
> | I also see illegal requests like this from several sites:
> |
> | /diglloyd/blog-images/?S=A
>
> That looks like a URL generated by Apache httpd's "index" feature.
> I've never used Tomcat's DefaultServlet to serve directory indexes (so
> I'm not sure if it uses the same URL syntax for file sorting, etc.),
> but is it possible that you are serving directory indexes from Tomcat?
> If so, then this looks like a legitimate request.
>
> | Is there a weakness in Tomcat being probed here?
>
> Perhaps. But I don't believe there are any known weaknesses around
> this part of the code. I wouldn't worry about it.
>
> | What is the best way to block such things?
>
> You could write a filter that checks for certain URL patterns and
> replies with a 403 (Forbidden) response code.
>
> | Ignore them since they just return 404 error anyway?
>
> That's what I would do.
>
> | Write a filter to insert a long delay for blatantly wrong requests?
>
> Definitely don't do that -- you'd be creating a DOS vector. :(
>
> | I'm not sure if that ono.com represents a single user or an entire
> | ISP, so I'm loath to block it entirely.
>
> Lessee...
>
> $ nslookup 62.42.21.210
> Server: 192.168.1.40
> Address: 192.168.1.40#53
>
> Non-authoritative answer:
> 210.21.42.62.in-addr.arpa name = 62.42.21.210.dyn.user.ono.com.
>
> Authoritative answers can be found from:
> 21.42.62.in-addr.arpa nameserver = dns03.ono.com.
> 21.42.62.in-addr.arpa nameserver = dns01.ono.com.
> 21.42.62.in-addr.arpa nameserver = dns02.ono.com.
>
> Looks like an ISP. You are probably being visited (or scanned?) by
> someone within their network. They probably own a whole class B
> network or more, so you would go crazy blocking IPs individually.
>
> I would just ignore them unless they start to be a significant portion
> of your traffic.
>
> -chris
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
Re: hackers sending long URLs to probe site?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lloyd,
For future reference, please don't "hijack" a thread. You replied to
another message on the list to ask this one. In the future, please
create a brand new message.
DIGLLOYD INC wrote:
| But I see tons of 404 errors, with someone/thing from 62.42.21.210
| (ono.com) doing:
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
Are you sure this isn't a problem with your own site accidentally
generating URLs that are double- or triple-length? You should record the
"referer" (sic) header to see where the links are coming from. If
they're coming from your site, you might want to check your own software.
| I also see illegal requests like this from several sites:
|
| /diglloyd/blog-images/?S=A
That looks like a URL generated by Apache httpd's "index" feature. I've
never used Tomcat's DefaultServlet to serve directory indexes (so I'm
not sure if it uses the same URL syntax for file sorting, etc.), but is
it possible that you are serving directory indexes from Tomcat? If so,
then this looks like a legitimate request.
| Is there a weakness in Tomcat being probed here?
Perhaps. But I don't believe there are any known weaknesses around this
part of the code. I wouldn't worry about it.
| What is the best way to block such things?
You could write a filter that checks for certain URL patterns and
replies with a 403 (Forbidden) response code.
| Ignore them since they just return 404 error anyway?
That's what I would do.
| Write a filter to insert a long delay for blatantly wrong requests?
Definitely don't do that -- you'd be creating a DOS vector. :(
| I'm not sure if that ono.com represents a single user or an entire ISP,
| so I'm loath to block it entirely.
Lessee...
$ nslookup 62.42.21.210
Server: 192.168.1.40
Address: 192.168.1.40#53
Non-authoritative answer:
210.21.42.62.in-addr.arpa name = 62.42.21.210.dyn.user.ono.com.
Authoritative answers can be found from:
21.42.62.in-addr.arpa nameserver = dns03.ono.com.
21.42.62.in-addr.arpa nameserver = dns01.ono.com.
21.42.62.in-addr.arpa nameserver = dns02.ono.com.
Looks like an ISP. You are probably being visited (or scanned?) by
someone within their network. They probably own a whole class B network
or more, so you would go crazy blocking IPs individually.
I would just ignore them unless they start to be a significant portion
of your traffic.
-chris
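An added example, not part of the original thread and not Tomcat's own code: a servlet filter of the kind suggested in the reply above, which answers 403 immediately when a run of path segments repeats back to back (as in /diglloyd/free/diglloyd/free/...) and logs the Referer header. The class name, the length limit and the use of the javax.servlet API (matching Tomcat 6) are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; RepeatedPathFilter and MAX_URI_LENGTH are hypothetical names.
public class RepeatedPathFilter implements Filter {
    private static final int MAX_URI_LENGTH = 512; // assumed limit, tune per site
    private ServletContext context;

    public void init(FilterConfig config) { context = config.getServletContext(); }
    public void destroy() { }

    // True if some block of segments is immediately followed by a copy of itself,
    // e.g. /diglloyd/free/diglloyd/free/Eagles/Eagles.html
    static boolean hasRepeatedBlock(String path) {
        String[] seg = path.replaceAll("^/+", "").split("/+");
        for (int len = 1; 2 * len <= seg.length; len++) {
            for (int start = 0; start + 2 * len <= seg.length; start++) {
                boolean same = true;
                for (int i = 0; i < len && same; i++) {
                    same = seg[start + i].equals(seg[start + len + i]);
                }
                if (same) return true;
            }
        }
        return false;
    }

    // URI and Referer are client-controlled: strip control characters before logging.
    static String clean(String value) {
        return value == null ? "-" : value.replaceAll("\\p{Cntrl}", "_");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String uri = http.getRequestURI();
        if (uri.length() > MAX_URI_LENGTH || hasRepeatedBlock(uri)) {
            context.log("rejected " + clean(uri) + " from " + req.getRemoteAddr()
                    + " referer=" + clean(http.getHeader("Referer")));
            // Reply at once; a sleep here would pin a worker thread per bad request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

A site with legitimately repeated directory names (for example /a/a/) would need a larger minimum block length or an allow-list before enabling this.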
hackers sending long URLs to probe site?
Posted by DIGLLOYD INC <di...@diglloyd.com>.
I've had to use a "deny" in a RemoteAddrValve to solve the following
problem--
A normal URL for my site might be:
http://diglloyd.com/diglloyd/free/Eagles/Eagles.html
e.g. /diglloyd/free/Eagles/Eagles.html
(check it out if you want to see some unusual eagle photos)
But I see tons of 404 errors, with someone/thing from 62.42.21.210
(ono.com) doing:
http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
... ad nauseam...
Similar illegal variants are sent for all the other URLs on my site.
I also see illegal requests like this from several sites:
/diglloyd/blog-images/?S=A
Is there a weakness in Tomcat being probed here?
What is the best way to block such things? Ignore them since they just
return 404 error anyway? Write a filter to insert a long delay for
blatantly wrong requests?
I'm not sure if that ono.com represents a single user or an entire
ISP, so I'm loath to block it entirely.
Lloyd
Re: need help with "connectionTimeout" and "connection_pool_timeout"
Posted by Rainer Jung <ra...@kippdata.de>.
Hello Pavel,
Pavel Pragin wrote:
> 1) I am having an issue with Tomcat running out of threads it seems:
OS? Versions?
> ps -dfm | grep tomc
>
> tomcat 16983 1 0 Apr23 ? 00:01:39 /usr/java/bin/java
> -Xmx2000m -Djava.awt.headless=true
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties
> -Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath
> :/opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/commons-logging-api.jar
> -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat
> -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap
> start
>
> tomcat - - 0 Apr23 - 00:00:14 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:03 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:00 -
> tomcat - - 0 Apr23 - 00:00:23 -
> ...
> 70 threads and up
70 threads is not much. There should in general be no problem with such
low numbers. Whether you really need them is another question ;)
> 2) It looks like tomcat is not closing idle connections. I read there are
> 2 parameters that I can tweak idle connection time out with. I think
> it's "connectionTimeout" and "connection_pool_timeout".
> I know where to set "connectionTimeout", it's my server.xml, but not sure
> about "connection_pool_timeout". What's the difference
> between these 2 parameters?
connectionTimeout is the Tomcat side and applies to Tomcat's connectors.
connection_pool_timeout is only used in case you front your Tomcat with
a web server as a reverse proxy *and* you connect the web server and
Tomcat with mod_jk (httpd) or the isapi or nsapi plugin derived from
mod_jk using the AJP protocol (not: http). In this case you can set
connection_pool_timeout in the mod_jk configuration of the web server
(usually workers.properties).
> Snippet from my server.xml file:
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> maxThreads="140"
> minSpareThreads="4"
> maxSpareThreads="10"
> tcpNoDelay="true"
> enableLookups="false"
> redirectPort="8443" />
So this is an http connector, unrelated to mod_jk and thus unrelated to
connection_pool_timeout.
If you really think that you need fewer than 70 threads, take a thread
dump of the Tomcat JVM (kill -QUIT). It will go to catalina.out and
tell you what those threads are doing/waiting for.
> Thanks a million
Regards,
Rainer