nanog mailing list archives
Re: Pattern matching odd HTTP request
From: "Karsten W. Rohrbach" <karsten () rohrbach de>
Date: Wed, 19 Sep 2001 01:51:30 +0200
Bill McGonigle(mcgonigle () medicalmedia com)@2001.09.18 18:58:42 +0000:
On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:You start to suspect a DDOS port-flood attack. It's certainly causing me to spawn a lot of httpds and occupying a lot of ports.
[...]
On Apache 1.3, this brings the number of httpd processes up to MaxClients, then each one waits 300 seconds (the default timeout) for the connections to time out, at which point the other connections are made, and the cycle continues. A DDOS of this nature would be particularly nasty. One client (happened to be on localhost) tied up the server for 6 minutes this way with the default Apache config.
indeed, that's nasty. the quick fix action would be setting Timeout 5 in the httpd.conf, but this won't really fix the problem and make the objects inaccessible for users with high latency links. source ip based connection rate limiting would perhaps solve the problem. are there any modules available out there to accomplish this task?
Here's what the logfile for these attempts looks like: 127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 - Doh!
yup, i see them from time to time in some of my servers' logs, but not at that rate jake reported. i cc'ed brian from the apache project, perhaps they got some solution for this... /k --
CS Students do it in the pool.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch () spam de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Attachment:
_bin
Description:
Current thread:
- Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request mike (Sep 18)
- Re: Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 18)
- Re: Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 18)
- Message not available
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 19)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 20)
- Message not available
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 20)
- Re: Pattern matching odd HTTP request Dominic J. Eidson (Sep 20)
- Re: Pattern matching odd HTTP request mike (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request E.B. Dreger (Sep 18)
- <Possible follow-ups>
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 20)