Posted to server-user@james.apache.org by Vincenzo Gianferrari Pini <vi...@praxis.it> on 2003/02/11 12:26:44 UTC

DNS attack?

Tonight my James server wrote 222 times in 7 seconds, from 04:25:16 to
04:25:23, the following message to the connections.log file (this log file
is otherwise always empty):

11/02/03 04:25:16 ERROR connections: Exception executing client connection runner: Could not create enough Components to service your request.
java.lang.Exception: Could not create enough Components to service your request.
	at org.apache.avalon.excalibur.pool.DefaultPool.get(DefaultPool.java:133)
	at org.apache.james.util.connection.ServerConnection.addClientConnectionRunner(ServerConnection.java:213)
	at org.apache.james.util.connection.ServerConnection.run(ServerConnection.java:297)
	at org.apache.avalon.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:47)
	at org.apache.avalon.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:80)

During exactly the same time the following entries were written to the
smtpserver.log file (linuxserv on 10.10.10.22 is our firewall server; all
connections from outside the company always come through it):

11/02/03 04:25:16 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:21 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:21 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:23 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:23 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:23 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:23 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:25 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:25 ERROR smtpserver: AUTH method LOGIN failed

There was no other entry in the other logfiles during the same period.

For completeness of information, yesterday I had changed the

   <connections>
      <idle-timeout>300000</idle-timeout>
      <max-connections>30</max-connections>
   </connections>

to

   <connections>
      <idle-timeout>300000</idle-timeout>
      <max-connections>0</max-connections>
   </connections>

just as an experiment.

What do you think about all this?
Looks like an attack, doesn't it?
Couldn't it be a kind of denial-of-service attack that, if done during
normal hours, could stress the system? In such a case, what could be done to
avoid such damage?

Regards,

Vincenzo


---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
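
A sliding-window check over the smtpserver.log format quoted in the message above, as an added example that is not part of the original post or of James. The 10-second window and both thresholds are assumed values; the sample input is condensed from the log excerpt in the post.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Condensed from the smtpserver.log excerpt in the post: (time, repeats, message).
CONN = "INFO  smtpserver: Connection from LINUXSERV (10.10.10.22)"
FAIL = "ERROR smtpserver: AUTH method LOGIN failed"
SAMPLE = [("04:25:16", 5, CONN), ("04:25:18", 4, FAIL), ("04:25:18", 5, CONN),
          ("04:25:20", 4, FAIL), ("04:25:21", 2, CONN), ("04:25:22", 3, CONN),
          ("04:25:23", 2, FAIL), ("04:25:23", 2, CONN), ("04:25:24", 3, FAIL),
          ("04:25:25", 3, CONN), ("04:25:25", 2, FAIL)]
SAMPLE_LOG = "\n".join(f"11/02/03 {t} {m}" for t, n, m in SAMPLE for _ in range(n))

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) +(\w+) +smtpserver: (.*)$")
CONN_RE = re.compile(r"^Connection from \S+ \(([\d.]+)\)$")

def parse(text):
    """Yield (timestamp, kind, source_ip) for connection and AUTH-failure lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. stack-trace continuation lines
        ts = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
        conn = CONN_RE.match(m.group(3))
        if conn:
            yield ts, "connect", conn.group(1)
        elif re.match(r"^AUTH method \S+ failed$", m.group(3)):
            yield ts, "auth_fail", None  # this log line carries no source address

def summarize(text, window_s=10, max_connects=10, max_auth_fails=5):
    """Count events and report when each sliding-window threshold is first exceeded."""
    window = timedelta(seconds=window_s)
    limits = {"connect": max_connects, "auth_fail": max_auth_fails}
    recent = {kind: deque() for kind in limits}
    totals, sources, alerts = Counter(), Counter(), {}
    for ts, kind, ip in parse(text):
        totals[kind] += 1
        if ip:
            sources[ip] += 1
        q = recent[kind]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limits[kind] and kind not in alerts:
            alerts[kind] = (ts.strftime("%H:%M:%S"), len(q))
    return {"totals": dict(totals), "sources": dict(sources), "alerts": alerts}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Every connection in this log is attributed to the firewall at 10.10.10.22, so the per-source count cannot separate external clients; the original client addresses would have to come from the firewall's own logs.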


RE: DNS attack?

Posted by "Noel J. Bergman" <no...@devtech.com>.
There are different resources: database connections, socket connections,
threads, etc.

What does torque have to do with anything?  config.xml defines the various
limits.  For example, the <data-source> element has a <max> child element
defining JDBC connection limits.  The Connection Manager block has a
max-connections element.  The Thread Manager has a max-threads element.

	--- Noel

-----Original Message-----
From: yd [mailto:ydl.narval@wanadoo.fr]
Sent: Tuesday, February 11, 2003 11:32
To: James Users List
Subject: Re: DNS attack?

First, thanks for your help.

I think it's a denial-of-service attack.
I kept the original distribution settings, but I'm the only one who uses this
application and am surprised that it rejects additional connections in one case
and not in the other.
For increasing or decreasing the connections/threads, is it in
torque.properties and
torque.dsfactory.DB.pool.defaultMaxConnections?

Yann
----- Original Message -----
From: "Noel J. Bergman" <no...@devtech.com>
To: "James Users List" <ja...@jakarta.apache.org>
Sent: Tuesday, February 11, 2003 5:04 PM
Subject: RE: DNS attack?


> > My point is: was it some kind of attack? Was it a denial-of-service
> > attack?
>
> No idea.
>
> > In the latter case, to avoid service disruption, would it be better to
> > increase or decrease the connections/threads etc?
>
> If you had kept the original distribution settings, James would have simply
> rejected additional connections, rather than exhaust the thread pool.
>
> For James v3, there will likely be support to limit the # of simultaneous
> connections from a single IP (or perhaps from a network).
>
> --- Noel




Re: DNS attack?

Posted by yd <yd...@wanadoo.fr>.
First, thanks for your help.

I think it's a denial-of-service attack.
I kept the original distribution settings, but I'm the only one who uses this
application and am surprised that it rejects additional connections in one case
and not in the other.
For increasing or decreasing the connections/threads, is it in
torque.properties and
torque.dsfactory.DB.pool.defaultMaxConnections?

Yann
----- Original Message -----
From: "Noel J. Bergman" <no...@devtech.com>
To: "James Users List" <ja...@jakarta.apache.org>
Sent: Tuesday, February 11, 2003 5:04 PM
Subject: RE: DNS attack?


> > My point is: was it some kind of attack? Was it a denial-of-service
> > attack?
>
> No idea.
>
> > In the latter case, to avoid service disruption, would it be better to
> > increase or decrease the connections/threads etc?
>
> If you had kept the original distribution settings, James would have simply
> rejected additional connections, rather than exhaust the thread pool.
>
> For James v3, there will likely be support to limit the # of simultaneous
> connections from a single IP (or perhaps from a network).
>
> --- Noel




RE: DNS attack?

Posted by "Noel J. Bergman" <no...@devtech.com>.
> My point is: was it some kind of attack? Was it a denial-of-service
> attack?

No idea.

> In the latter case, to avoid service disruption, would it be better to
> increase or decrease the connections/threads etc?

If you had kept the original distribution settings, James would have simply
rejected additional connections, rather than exhaust the thread pool.

For James v3, there will likely be support to limit the # of simultaneous
connections from a single IP (or perhaps from a network).

	--- Noel




RE: DNS attack?

Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
> You allowed infinite connections, but there are other resources, such as
> threads, that you did not change.  It appears that your threadpool was
> exhausted.
>
> 	--- Noel
>

I suspected that, in fact I should (and will) limit back such number of
connections.

My point is: was it some kind of attack? Was it a denial-of-service attack?
In the latter case, to avoid service disruption, would it be better to
increase or decrease the connections/threads etc?

More generally, has anyone in the James community been thinking about the
problem of being attacked by a very high number of requests? Or even has
been attacked?
Perhaps there could exist some auto-protection inside James, for example not
allowing more than a certain number of *open* connections/allocated threads,
or more than a certain number of connections/allocated threads
*per-unit-of-time* to the same IP.

Vincenzo
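
The kind of self-protection asked about in the message above (a cap on open connections, a cap per address, and a cap per unit of time per address), as an added sketch that is not James code and not from the thread. ConnectionGuard, replay and the per-address limits are hypothetical names and assumed values; only the total of 30 mirrors the distribution max-connections setting quoted earlier.

```python
from collections import defaultdict, deque

class ConnectionGuard:
    """Admission check made before a connection is given a worker thread."""

    def __init__(self, max_total=30, max_open_per_ip=5, max_new_per_ip=10, window_s=60):
        self.max_total = max_total              # like <max-connections>30</max-connections>
        self.max_open_per_ip = max_open_per_ip  # assumed value
        self.max_new_per_ip = max_new_per_ip    # assumed value, per window_s seconds
        self.window_s = window_s
        self.total_open = 0
        self.open_by_ip = defaultdict(int)
        self.recent_by_ip = defaultdict(deque)  # accept times per address

    def try_accept(self, ip, now):
        """Return (accepted, reason); `now` is seconds on a monotonic clock."""
        recent = self.recent_by_ip[ip]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if self.total_open >= self.max_total:
            return False, "server connection limit reached"
        if self.open_by_ip[ip] >= self.max_open_per_ip:
            return False, "too many open connections from this address"
        if len(recent) >= self.max_new_per_ip:
            return False, "connection rate from this address too high"
        recent.append(now)
        self.open_by_ip[ip] += 1
        self.total_open += 1
        return True, "ok"

    def release(self, ip):
        """Call when a connection closes so the open counts go back down."""
        if self.open_by_ip[ip] > 0:
            self.open_by_ip[ip] -= 1
            self.total_open -= 1

# Arrival seconds of the 20 connections in the smtpserver.log excerpt quoted in the thread.
BURST = [16] * 5 + [18] * 5 + [21] * 2 + [22] * 3 + [23] * 2 + [25] * 3

def replay(guard, ip, times, hold_open):
    """Feed connection attempts at `times`; return how many were accepted."""
    accepted = 0
    for t in times:
        ok, _reason = guard.try_accept(ip, t)
        if ok:
            accepted += 1
            if not hold_open:
                guard.release(ip)  # short-lived connection that closes at once
    return accepted
```

In the setup described in this thread every external connection arrives from the firewall address, so a per-address limit enforced at the mail server would treat all outside senders as one client; the same check keyed on the real client address belongs at the firewall.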




RE: DNS attack?

Posted by "Noel J. Bergman" <no...@devtech.com>.
You allowed infinite connections, but there are other resources, such as
threads, that you did not change.  It appears that your threadpool was
exhausted.

	--- Noel

