Re: Possible Apache Denial of Service Attack

[Ben Hyde <bh...@gensym.com>]

> Basically, the method is to spawn many clients that simply
> connect and do nothing else.

Looking at netstat to sense if a single or a just a few hosts are the source is
always good.  If not, then I've seen this problem arise from a plumbing problem
in the server site.

Blocking on output is a tangle.  I'm amused that I was thinking about just this
kind of attack the day before your note because my testing harness was attacking
my test server in just this way.  In that case the testing harness was trying to
be sure that the block on write was pushing back thru the chain of processes so
that none of them were buffering to hide it, or failing to wake up when it
cleared out.

I've seen senarios where one part of the plumbing in a distributed system will
be using non-blocking I/O, and then it neglects to put the output channels into
it's select bits when then block.  This bug can go unnoticed for a long time if
the process happens to wake up and poll all it's channels to kind a push things
along.  Then one day some proffesionally inclined dude raises the time out on
the select and then much later a high load comes along and channels start to
block forever, one after another, until everything grinds to halt.

Like I say blocking is a tangle.  If a region of the net (say ISP X's firewall)
starts clogging then you can get a whole slew of connections blocking.  It's
an interesting challenge to diagnosis what region of a big distributed system
is the source of today's plumbing problem.  I recomend blaming it on the
outside vendors first, then on evil hackers.

  - ben
---
"People ask about my drinking, but never about my thirst."