Security Basics mailing list archives

Re: Apache Requests


From: Aman Raheja <araheja () techquotes com>
Date: Wed, 06 Jul 2005 09:20:46 -0500

You seem to be thinking right, that someone is DoSing your server.
As you mentioned it is max'ing your connections, you are indeed suffering.
Did you try to resolve back and see where this IP is from? Not that it cannot be spoofed; usually people use other networks for DDoS attacks - in that case you should disable that network's access to your server in the firewall and also try to contact the network owner. If the IP is spoofed, you might want to look at setting up a rule in an IDS on the network with a threshold of max connections and dropping requests if they are multiple from a certain source IP or network in a short time period. Also try to analyze the max connections, clients etc. your Apache settings are allowing - if it is too low to start with, you might be able to get around, if, in that case, your server resources can handle.
HTH
- Aman Raheja
http://www.techquotes.com



frank.temi () gmail com wrote:

Hi there, since last Thursday my site has been getting some weird homepage requests and I hope someone could help me understand what is happening for it is almost like a DOS since it is causing major issues.

I have a load balancer that balances the load between 3 servers. Each of the servers runs mod perl and apache.
Here are the logs:

24.A.A.A - - [04/Jul/2005:01:15:17 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hotbar 4.6.1)"
24.A.A.A - - [04/Jul/2005:01:15:17 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Hotbar 4.6.1)"
24.A.A.A - - [04/Jul/2005:01:15:17] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.B.B.B - - [04/Jul/2005:01:15:47 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.B.B.B - - [04/Jul/2005:01:15:47 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.B.B.B - - [04/Jul/2005:01:15:48 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
207.C.C.C - - [04/Jul/2005:01:15:49 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.C.C.C - - [04/Jul/2005:01:15:49 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.C.C.C - - [04/Jul/2005:01:15:49 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.C.C.C - - [04/Jul/2005:01:15:49 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
207.C.C.C - - [04/Jul/2005:01:15:49 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
24.D.D.D - - [04/Jul/2005:01:15:51 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.D.D.D - - [04/Jul/2005:01:15:51 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.D.D.D - - [04/Jul/2005:01:15:51 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.D.D.D - - [04/Jul/2005:01:15:51 -0600] "GET / HTTP/1.1" 200 24920 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

As you can see there are 4 different people calling the homepage however each request is not done just once but 
multiple times at the same exact time.  The page uses a database and connections are getting maxed out.

Does anyone recognize this issue at all?  Should I be concerned with it?


Thanks a lot
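
The per-source threshold suggested in the reply above can be tried offline against the access log before it becomes an IDS or firewall rule. The following is an added example, not part of the original thread; the function names, the threshold and window values, and the sample lines (documentation addresses, constructed to resemble the posted log) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format prefix. The UTC offset is optional because one entry
# in the posted log lacks it; lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})(?: [+-]\d{4})?\] '
    r'"\S+ \S+ [^"]*" \d{3} ')

def parse(line):
    """Return (client_ip, timestamp), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Offset ignored: all entries are assumed to come from one server clock.
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")

def find_bursts(lines, threshold=3, window_seconds=2):
    """Map each IP that reached `threshold` requests inside the sliding
    window to its peak in-window count. Expects chronological input."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_line(ip, hms, tz=" -0600", path="/"):
    return (f'{ip} - - [04/Jul/2005:{hms}{tz}] "GET {path} HTTP/1.1" 200 24920 '
            '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')

# Constructed sample: two bursts, one normal visitor, one unparsable line.
SAMPLE_LOG = ([sample_line("192.0.2.10", "01:15:17")] * 2
              + [sample_line("192.0.2.10", "01:15:17", tz="")]  # no offset
              + [sample_line("198.51.100.7", "01:15:20", path="/about")]
              + [sample_line("203.0.113.5", "01:15:49")] * 5
              + [sample_line("198.51.100.7", "01:15:58"), "not a log entry"])

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 2 s")
```

Behind a load balancer, run it on logs that record the real client address; if the balancer's own address is what gets logged, every request collapses into one source and the threshold is meaningless.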

